
Government entities in the Asia-Pacific and North America regions are being targeted by an unknown threat actor using a commodity malware downloader known as PureCrypter to deliver an array of information stealers and ransomware.
“The PureCrypter campaign uses a compromised non-profit domain as a command and control (C2) to deliver a second payload,” said Menlo Security researcher Abhay Yadav.
Malware families distributed via PureCrypter include RedLine Stealer, Agent Tesla, Eternity, Blackmoon (aka KRBanker), and the Philadelphia ransomware, among others.
First documented in June 2022, PureCrypter is advertised by its authors for $59 for one month of access (or $245 for a one-time lifetime purchase) and can be used to distribute a wide range of malware.

In December 2022, PureCoder, the developer behind the program, expanded its range of offerings with PureLogs, a logger and information stealer designed to siphon data from web browsers, cryptocurrency wallets, and email clients, sold for $99 per year ($199 for lifetime access).
The infection sequence detailed by Menlo Security begins with a phishing email containing a Discord URL that points to the first-stage component, a password-protected ZIP archive that loads the PureCrypter malware.
The loader then reaches out to a compromised non-profit website and retrieves the secondary payload, a .NET-based keylogger named Agent Tesla.
Agent Tesla in turn establishes a connection to an FTP server located in Pakistan and exfiltrates the collected data.
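The chain above (archive pulled from the Discord CDN, a follow-on download from an unrelated site, then outbound FTP from the same workstation) is the kind of sequence a defender can correlate in proxy and firewall logs. The script below is an added example written for this page; it is not code from the article or from Menlo Security's report. The log format, the workstation names, the non-profit hostname, the `203.0.113.7` address (a documentation-range IP) and the one-hour correlation window are all constructed or assumed for illustration; adapt the parser to your own log export.

```python
"""Correlate a Discord-CDN archive download with later outbound FTP per host.

Added example, not from the article or Menlo Security's report. Log lines,
hostnames, IPs and the default window are constructed / assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts from which Discord serves user attachments (assumed list).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# The first stage in the article is a password-protected ZIP; a few other
# archive types commonly used for the same lure are included as well.
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|iso|img)(\?.*)?$", re.IGNORECASE)
FTP_PORTS = {21}

# Constructed sample log, one record per line:
# "<ISO timestamp> <src host> <dst host or IP> <dst port> <URL or ->"
SAMPLE_LOGS = """\
2023-02-20T09:01:10 WS-0412 cdn.discordapp.com 443 https://cdn.discordapp.com/attachments/1111/2222/invoice.zip
2023-02-20T09:02:30 WS-0412 nonprofit.example.org 443 https://nonprofit.example.org/wp-content/uploads/stage2.bin
2023-02-20T09:03:05 WS-0412 203.0.113.7 21 -
2023-02-20T10:15:00 WS-0199 cdn.discordapp.com 443 https://cdn.discordapp.com/attachments/3333/4444/photo.png
2023-02-20T11:40:00 WS-0777 cdn.discordapp.com 443 https://cdn.discordapp.com/attachments/5555/6666/report.zip
2023-02-21T08:00:00 WS-0777 files.example.net 443 https://files.example.net/ok.pdf
"""


def parse_line(line):
    """Split one whitespace-delimited record (constructed format) into a dict."""
    ts, src, dst, port, url = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "dst": dst, "port": int(port), "url": url}


def find_chains(log_text, window_seconds=3600):
    """Return one finding per source host that downloaded an archive from the
    Discord CDN and then opened an outbound FTP connection within the window.
    Other downloads seen in between are reported as second-stage candidates
    (in the article, the compromised non-profit site serving Agent Tesla)."""
    window = timedelta(seconds=window_seconds)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_host[ev["src"]].append(ev)

    findings = []
    for host, evs in per_host.items():
        for i, stage1 in enumerate(evs):
            if stage1["dst"] not in DISCORD_CDN_HOSTS or not ARCHIVE_RE.search(stage1["url"]):
                continue
            stage2_candidates = []
            for later in evs[i + 1:]:
                if later["ts"] - stage1["ts"] > window:
                    break  # events are time-sorted, nothing later can match
                if later["port"] in FTP_PORTS:
                    findings.append({
                        "host": host,
                        "stage1_url": stage1["url"],
                        "stage2_candidates": stage2_candidates,
                        "exfil_dst": later["dst"],
                        "exfil_time": later["ts"].isoformat(),
                    })
                    break
                if later["url"] != "-" and later["dst"] not in DISCORD_CDN_HOSTS:
                    stage2_candidates.append(later["url"])
    return findings


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample only `WS-0412` is flagged: `WS-0199` fetched an image rather than an archive, and `WS-0777` downloaded a ZIP but never spoke FTP inside the window. Tightening the window to 30 seconds drops the `WS-0412` finding too, which is why the window should be tuned against how long your own environment's mail-to-execution delay usually is rather than left at the assumed one hour.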