A recent PureCryptor malware campaign has been discovered to be targeting government entities in the Asia-Pacific (APAC) and North America regions, delivering multiple information stealers and ransomware strains.
Menlo Security researchers found that the campaign used Discord to host the initial payload and compromised a non-profit organization to store additional hosts used in the attack.
The attack starts with an email containing a Discord app URL that points to a PureCryptor malware sample in a password-protected ZIP archive. PureCryptor is a .NET-based malware downloader that was first seen in March 2021. Its operator rents it to other cybercriminals to distribute various types of malware.
When executed, it delivers the next-stage payload from a command and control server, which is a compromised server of a non-profit organization in this case.
Menlo Security researchers analyzed the sample and found that it delivered AgentTesla, a .NET malware family that has been in use by cybercriminals for the last eight years. When launched, AgentTesla establishes a connection to a Pakistan-based FTP server that is used to receive the stolen data.
The researchers discovered that the threat actors used leaked credentials to take control of the particular FTP server to reduce identification risks and minimize their trace.
Despite its age, AgentTesla remains a cost-effective and highly-capable backdoor that has received continual development and improvement over the years.
Cofense Intelligence recorded that AgentTesla’s keylogging activity accounted for roughly one-third of all keylogger reports in 2022.
AgentTesla’s capabilities include logging the victim’s keystrokes to capture sensitive information, stealing passwords saved in web browsers, email clients, or FTP clients, capturing screenshots of the desktop, intercepting data that is copied to the clipboard, and exfiltrating stolen data to the C2 via FTP or SMTP.
In the attacks examined by Menlo Labs, it was discovered that the threat actors used process hollowing to inject the AgentTesla payload into a legitimate process (“cvtres.exe”) to evade detection from antivirus tools.
Furthermore, AgentTesla uses XOR encryption to protect its communications with the C2 server, like its configuration files, from network traffic monitoring tools.
Menlo Security believes that the threat actor behind the PureCrypter campaign is not a major one but it is worth monitoring its activity due to targeting government entities. It is likely that the attacker will continue using compromised infrastructure for as long as possible before being forced to find new ones.
The PureCryptor malware campaign has targeted government entities with a variety of information stealers and ransomware strains. It uses Discord to host the initial payload and compromised infrastructure of a non-profit organization to store additional hosts.
The AgentTesla malware family is still in use by cybercriminals due to its cost-effectiveness and highly-capable backdoor capabilities.
Menlo Security researchers recommend monitoring the PureCryptor campaign and being vigilant against future attacks.
Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, and Twitter. You can reach out to us via Twitter/ Facebook or mail us at admin@thecybersecuritytimes.com for advertising requests.
Explore the top 5 best Microsoft Intune alternatives, comparing key features, user reviews, and capabilities…
Discover the top 7 smartphones of 2024 with best security features, offering privacy, performance, and…
Discover the top 11 log management tools for efficient system management and monitoring. Learn about…
Explore the top 5 threat intelligence tools, their features, and how they enhance cybersecurity against…
Explore the top 5 best PAM Tools, market trends, and expert insights to secure the…
Explore the top solutions for Apple Device Management including to iOS Device Management and macOS…