An unknown threat actor is targeting governments in APAC and North America with information-stealing malware and ransomware, according to Menlo Security.
This group’s attack begins with a phishing email containing a malicious Discord link pointing to a password-protected zip file. It contains a .NET malware downloader known as PureCrypter.
The loader then attempts to download a secondary payload from the group’s command-and-control (C2) infrastructure, which Menlo Security said is a compromised domain belonging to a nonprofit.
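The delivery chain described above (phishing email, link to a Discord-hosted archive, password-protected zip, downloader inside) gives a mail gateway two cheap places to look before any payload runs. The following is an added illustration of that triage logic and is not code from Menlo Security or the article; the sample message, the URL in it, and the choice of Discord CDN host names (`cdn.discordapp.com`, `media.discordapp.net`) are assumptions made for the example, since the article only says "a malicious Discord link".

```python
import email
import io
import re
import zipfile
from email import policy

# Constructed sample message. The URL is a made-up placeholder for the example,
# not an indicator taken from the article.
SAMPLE_EMAIL = """From: sender@example.invalid
To: user@example.invalid
Subject: Invoice
Content-Type: text/plain

Please review the attached invoice:
https://cdn.discordapp.com/attachments/000/000/invoice.zip
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed file-hosting hosts for the "Discord link" lure; extend to match local policy.
DISCORD_HOSTS = ("cdn.discordapp.com", "media.discordapp.net")
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso")


def suspicious_links(raw_message: str) -> list[str]:
    """Return URLs in the mail body that point at archives on Discord's CDN."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hits = []
    for url in URL_RE.findall(text):
        host = url.split("/")[2].lower()
        path = url.split("?")[0].lower()
        if host in DISCORD_HOSTS and path.endswith(ARCHIVE_EXTS):
            hits.append(url)
    return hits


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has the encryption bit (bit 0 of the general-purpose
    flags) set, i.e. the archive is password-protected and a scanner cannot
    inspect its contents. Such archives deserve quarantine rather than a pass."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def build_fixture_zip(encrypted: bool) -> bytes:
    """Constructed test fixture: a one-member zip. Python's zipfile cannot write
    password-protected archives, so for the encrypted case the encryption bit is
    set by hand in each central-directory header (signature PK\\x01\\x02, flags at
    offset 8). The member is dummy bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("loader.exe", b"MZ" + b"\x00" * 62)
    raw = bytearray(buf.getvalue())
    if encrypted:
        pos = raw.find(b"PK\x01\x02")
        while pos != -1:
            raw[pos + 8] |= 0x01
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    print("links:", suspicious_links(SAMPLE_EMAIL))
    print("plain zip encrypted?", zip_is_encrypted(build_fixture_zip(False)))
    print("protected zip encrypted?", zip_is_encrypted(build_fixture_zip(True)))
```

The two checks are independent: the link check runs on the inbound mail, and the archive check runs on whatever the sandbox or proxy fetches from that link. Neither identifies PureCrypter itself; they flag the evasion pattern (public file host plus scanner-blind archive) that the campaign relies on to get the .NET downloader onto a host.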
Malicious payloads seen by security vendors in this campaign included a variety of information stealers and ransomware variants, including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia ransomware.
In samples analyzed by security experts, PureCrypter attempts to download AgentTesla, a sophisticated backdoor designed to steal browser-based passwords, take screen captures and record keystrokes.
“Our investigation found that AgentTesla established a connection to an FTP server and stored stolen victim credentials. The credentials were found online, suggesting that the attacker used those credentials to gain access to the server,” the report revealed.
“FTP servers have also been seen in campaigns using OneNote to distribute malware. We are sending phishing emails containing links to OneNote files. In all, our lab team found 106 files using the aforementioned FTP server.”
AgentTesla has been around for several years and continues to prove popular with attackers.
Remote Access Trojans (RATs) and information stealers were the most prevalent malware in October 2022, accounting for 7% of global detections by Check Point Software.
The malware ranked third in the vendor’s Global Threat Index report for January 2023.