PureCrypter malware hits govt orgs with ransomware, info-stealers


A threat actor has been targeting government entities with the PureCrypter malware downloader, which has been seen delivering multiple information stealers and ransomware strains.

Researchers at Menlo Security found that the threat actor used Discord to host the initial payload and compromised a non-profit organization to store additional hosts used in the campaign.

“The campaign was found to have delivered multiple types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware,” the researchers say.

According to the researchers, the observed PureCrypter campaign targeted several government organizations in the Asia-Pacific (APAC) and North America regions.

Attack chain

The attack begins with an email that contains a Discord app URL pointing to a PureCrypter sample in a password-protected ZIP archive.

PureCrypter is a .NET-based malware downloader first seen in the wild in March 2021. Its operator rents it to other cybercriminals to distribute various types of malware.

When executed, it fetches the next-stage payload from a command and control server, which in this case is the compromised server of a non-profit organization.

The sample that the researchers at Menlo Security analyzed was AgentTesla. When launched, it establishes a connection to a Pakistan-based FTP server that is used to receive the stolen data.

The researchers found that the threat actors used leaked credentials to take control of that FTP server rather than setting up their own, to reduce the risk of identification and minimize their footprint.

[Figure: Attack chain diagram (Menlo)]

AgentTesla still in use

AgentTesla is a .NET malware family that has been used by cybercriminals for the past eight years, with its usage peaking in late 2020 and early 2021.

A recent report by Cofense highlights that despite its age, AgentTesla remains a cost-effective and highly capable backdoor that has received continuous development and improvement over the years.

AgentTesla’s keylogging activity accounted for roughly one-third of all keylogger reports Cofense Intelligence recorded in 2022.

The malware’s capabilities include the following:

  • Log the victim’s keystrokes to capture sensitive information such as passwords.
  • Steal passwords stored in web browsers, email clients, or FTP clients.
  • Capture screenshots of the desktop that could reveal confidential information.
  • Intercept data copied to the clipboard, including text, passwords, and credit card details.
  • Exfiltrate stolen data to the C2 via FTP or SMTP.

In the attacks examined by Menlo Labs, the threat actors used process hollowing to inject the AgentTesla payload into a legitimate process (“cvtres.exe”) to evade detection by antivirus tools.

Furthermore, AgentTesla uses XOR encryption to protect its communications with the C2 server, such as its configuration files, from network traffic monitoring tools.
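As an added example that is not from the Menlo or Cofense reports: a small Python triage helper showing how an analyst recovers a single-byte XOR key from an obfuscated configuration blob by scoring each candidate decode for printable text and for known exfiltration-protocol markers such as "ftp://". The key, the blob and the "key=value|key=value" layout are constructed for this example; the page does not state AgentTesla's actual key length or configuration format.

```python
from itertools import cycle
import string

PRINTABLE = set(string.printable.encode())

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the repeating key (XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes; decoded config text scores near 1.0."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def recover_single_byte_key(blob: bytes, markers=(b"ftp://", b"smtp://")):
    """Try all 256 single-byte keys. Return the first key whose decode contains
    a known exfil-protocol marker, else the most printable decode, else None."""
    best_key, best_score = None, 0.0
    for k in range(256):
        plain = xor_bytes(blob, bytes([k]))
        if any(m in plain for m in markers):
            return k
        score = printable_ratio(plain)
        if score > best_score:
            best_key, best_score = k, score
    return best_key if best_score > 0.95 else None

def parse_config(plain: bytes) -> dict:
    """Split a 'key=value|key=value' config (constructed layout, not AgentTesla's)."""
    fields = {}
    for item in plain.decode("ascii", errors="replace").split("|"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields

def triage(blob: bytes) -> dict:
    """Recover the key, decode and parse; empty dict when no plausible key is found."""
    key = recover_single_byte_key(blob)
    return parse_config(xor_bytes(blob, bytes([key]))) if key is not None else {}

# Constructed sample (placeholder values, not real indicators): a config
# blob as it might sit in a dumped sample, encoded with the single byte 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"exfil=ftp://ftp.example.invalid|user=upload|pass=REDACTED|interval=60"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, bytes([SAMPLE_KEY]))

print(triage(SAMPLE_BLOB))
```

Recovered fields such as the exfiltration host are what a defender turns into blocklist entries or network detections; a multi-byte key would need the same approach extended to a key-length guess per byte position.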

Menlo Security believes that the threat actor behind the PureCrypter campaign is not a major one, but its activity is worth monitoring because it targets government entities.

It is likely that the attacker will keep using compromised infrastructure for as long as possible before being forced to find new infrastructure.
