
‘PureCrypter’ Downloader Used to Deliver Malware to Governments

Menlo Labs has warned of a malicious campaign in which a threat actor is using the PureCrypter downloader to deliver different types of malware to government entities in the Asia-Pacific and North America regions. The attackers are using Discord for distribution and the domain of a compromised non-profit organization as a command-and-control (C&C) server, hosting a secondary payload. To date, the attackers have been delivering information stealers, remote access trojans (RATs), and other threats, including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia ransomware.

PureCrypter is an advanced downloader that provides persistence and was released in March 2021. It is written in .NET and supports different injection types and defense mechanisms, and can be customized with fake messages and additional files to be written to disk. In the malicious campaign identified by Menlo, the attackers hosted PureCrypter on Discord and used email to send a link to the payload to the intended targets. The attackers then used password-protected ZIP files to bypass existing defenses.

Once the PureCrypter loader was executed on the system, it attempted to fetch a secondary payload from the compromised website of a non-profit organization. The payload was identified as the AgentTesla information stealer, which was seen communicating with an FTP server in Pakistan to exfiltrate victim data. The server was likely accessed using credentials found online.
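The chain described above (an archive pulled from Discord, a second stage fetched from a compromised site, then FTP exfiltration) lends itself to a simple correlation check on proxy and firewall logs. The following is an added example, not code from Menlo Labs or from the article: the log formats, the Discord attachment host (cdn.discordapp.com), and every IP, URL and timestamp are constructed assumptions. It flags hosts that both downloaded an archive from a Discord attachment URL and opened an FTP control connection to a non-internal address; either signal alone is noisy, so only the intersection is reported.

```python
"""
Added example (not code from Menlo Labs or the article): correlation checks for the
delivery and exfiltration chain described above, run over constructed log lines.

Assumptions (not from the article): the log formats below, cdn.discordapp.com as the
Discord attachment host, and all IPs, URLs and timestamps.
"""
import ipaddress
import re

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <url> <status> <user_agent>"
SAMPLE_PROXY_LOGS = [
    "2023-02-15T09:12:01Z 10.0.5.23 GET https://cdn.discordapp.com/attachments/1111/2222/invoice.zip 200 Mozilla/5.0",
    "2023-02-15T09:12:44Z 10.0.5.23 GET https://nonprofit.example.org/uploads/stage2.bin 200 Mozilla/4.0",
    "2023-02-15T09:15:10Z 10.0.7.8 GET https://cdn.discordapp.com/attachments/3333/4444/team-photo.png 200 Mozilla/5.0",
    "2023-02-15T09:20:00Z 10.0.9.2 GET https://example.com/report.pdf 200 Mozilla/5.0",
]

# Constructed firewall log lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>"
SAMPLE_FW_LOGS = [
    "2023-02-15T09:30:12Z 10.0.5.23 203.0.113.45 21 tcp allow",
    "2023-02-15T09:31:00Z 10.0.7.8 10.0.1.5 21 tcp allow",
    "2023-02-15T09:32:00Z 10.0.9.2 198.51.100.7 443 tcp allow",
    "2023-02-15T09:33:00Z 10.0.4.4 192.0.2.10 21 tcp allow",
]

# Discord attachment host (assumed) and archive extensions. The article describes
# password-protected ZIPs; RAR and 7z are included as the same technique generalised.
DISCORD_ATTACHMENT_RE = re.compile(r"^https?://cdn\.discordapp\.com/attachments/", re.I)
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)(\?.*)?$", re.I)
FTP_PORT = 21

# Explicit RFC 1918 plus loopback, rather than ipaddress.is_private, which also
# reports documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_discord_archive_downloads(proxy_lines):
    """Return (src_ip, url) for archive downloads from Discord attachment URLs."""
    hits = []
    for line in proxy_lines:
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue  # malformed line: skip rather than abort the sweep
        _ts, src_ip, _method, url, _status = parts[:5]
        if DISCORD_ATTACHMENT_RE.search(url) and ARCHIVE_RE.search(url):
            hits.append((src_ip, url))
    return hits


def flag_external_ftp(fw_lines):
    """Return (src_ip, dst_ip) for allowed FTP control connections to non-internal hosts."""
    hits = []
    for line in fw_lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, src_ip, dst_ip, dst_port, proto, action = parts
        if (proto == "tcp" and action == "allow"
                and int(dst_port) == FTP_PORT and not is_internal(dst_ip)):
            hits.append((src_ip, dst_ip))
    return hits


def correlate(proxy_lines, fw_lines):
    """Hosts that both pulled an archive from Discord and spoke FTP to an external host.
    Either signal alone is noisy; together they match the chain in the article."""
    archive_hosts = {src for src, _ in flag_discord_archive_downloads(proxy_lines)}
    ftp_hosts = {src for src, _ in flag_external_ftp(fw_lines)}
    return archive_hosts & ftp_hosts


if __name__ == "__main__":
    for host in sorted(correlate(SAMPLE_PROXY_LOGS, SAMPLE_FW_LOGS)):
        print(f"investigate {host}: Discord archive download plus external FTP connection")
```

On the sample data only 10.0.5.23 is reported: 10.0.7.8 fetched an image rather than an archive from Discord, and 10.0.4.4 spoke FTP externally without any Discord download. In production the same two signals would be joined within a time window and enriched with the email gateway's record of which messages carried the Discord link.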

In conclusion, the campaign uncovered by Menlo Labs is notable for its use of PureCrypter, an advanced downloader that provides persistence and can be customized with fake messages, combined with Discord for distribution and the domain of a compromised non-profit organization as the command-and-control (C&C) server hosting the secondary payload.

Key Points:
• Menlo Labs has uncovered a malicious campaign targeting government entities in the Asia-Pacific and North America regions
• Discord is being used for distribution, while the domain of a compromised non-profit organization is serving as a command-and-control server
• Attackers are delivering ransomware, information stealers, and other threats
• PureCrypter downloader is being used to provide persistence and is customizable with fake messages
• AgentTesla information stealer is being used as a secondary payload and is exfiltrating data to an FTP server in Pakistan
