PureCrypter Targeting Government Entities via Discord

SUMMARY
PureCrypter is a .NET-based malware downloader, first observed in 2021, that fetches and runs second-stage payloads such as Remote Access Trojans (RATs) and information stealers (InfoStealers).

Menlo Security research labs observed an unknown threat actor targeting government organizations by hosting the malware on Discord, a service the targeted organizations already use, so that the download blends in with legitimate traffic. The downloader was seen delivering multiple InfoStealers and ransomware strains. According to Menlo, the campaign targets multiple government organizations in Asia-Pacific (APAC) and North America.

TECHNICAL DETAILS
Target organizations receive an email containing a Discord application URL that points to a PureCrypter sample inside a password-protected ZIP archive; the password keeps the payload opaque to email and web scanners that cannot open the archive. Once the sample is extracted and executed, PureCrypter fetches the next-stage payload from its command-and-control (C2) server, which in this campaign was a compromised host belonging to another government or non-profit organization.
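The delivery chain above lends itself to two cheap triage checks before anything is executed: does the email carry a Discord-hosted link, and is the archive it points to password-protected? The script below is an added example, not code from the original advisory or from Menlo Security; the Discord host list, the message and the archive are constructed for the example. The encryption check reads only bit 0 of each entry's general-purpose flags, which stays readable without the password.

```python
import email
import io
import re
import zipfile
from email import policy
from urllib.parse import urlparse

# Hosts treated as Discord-served content. The advisory only says "a Discord
# application URL"; this host list is an assumption made for the example.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com", "media.discordapp.net"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def discord_urls_in_message(raw: bytes) -> list[str]:
    """Return the URLs in the text/HTML parts of an RFC 5322 message whose host
    is a Discord domain (exact match or subdomain)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;:)")
            host = (urlparse(url).hostname or "").lower()
            if host in DISCORD_HOSTS or host.endswith((".discord.com", ".discordapp.com")):
                hits.append(url)
    return hits


def zip_is_password_protected(data: bytes) -> bool:
    """True when any entry has bit 0 of the general-purpose flags set (traditional
    PKWARE or AES encryption). Entry names and sizes stay readable without the
    password, so the archive can be triaged before anyone types it in."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def build_sample_zip(protected: bool) -> bytes:
    """Constructed test archive with one placeholder entry. zipfile cannot write
    encrypted archives, so the encryption bit is patched into the local file
    header and the central-directory header after writing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.exe", b"placeholder bytes, not a real binary")
    data = bytearray(buf.getvalue())
    if protected:
        lfh = data.find(b"PK\x03\x04")  # local file header: flags at offset 6
        data[lfh + 6] |= 0x01
        cdh = data.find(b"PK\x01\x02")  # central directory header: flags at offset 8
        data[cdh + 8] |= 0x01
    return bytes(data)


# Constructed message mimicking the lure described above (not a real sample).
SAMPLE_EML = b"""From: sender@example.invalid
To: records@example.invalid
Subject: Document for review
Content-Type: text/plain; charset=utf-8

Please review the shared file:
https://cdn.discordapp.com/attachments/000/000/document.zip
Regards
"""


def triage(raw_eml: bytes, downloaded: bytes = b"") -> list[str]:
    """Combine both checks into the findings an analyst would want to see."""
    findings = [f"discord-hosted link: {u}" for u in discord_urls_in_message(raw_eml)]
    if downloaded and zip_is_password_protected(downloaded):
        findings.append("downloaded archive is password-protected; scanners cannot inspect its contents")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML, build_sample_zip(protected=True)):
        print(line)
```

Neither finding is proof of compromise on its own; Discord links and encrypted archives are both common in benign mail. The point is that the combination, arriving from an external sender, matches the lure described above closely enough to hold the message for review.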

Several types of malware were found to have been delivered during this campaign, including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware.

Menlo researchers analyzed in detail one sample that delivered AgentTesla. When launched, AgentTesla connects to a Pakistan-based FTP server (ftp[.]mgcpakistan[.]com, see IoCs) and uploads the data stolen from the victim organization to it. To evade antivirus detection, AgentTesla uses process hollowing, injecting its payload into the legitimate .NET utility cvtres.exe so that the malicious code runs under a trusted image name. AgentTesla also XOR-encrypts its communications with the C2 server.

INDICATORS OF COMPROMISE (IoCs)
FTP:
ftp[.]mgcpakistan[.]com
Username: ddd@mgcpakistan[.]com

HTTP:
cents-ability[.]org

Hashes – Email
be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d
5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99

Hashes – Malware
a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e
5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d
f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad
397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3
7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8
efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf
c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331

Hashes – Imphash shared by 106 FTP files:
f34d5f2d4577ed6d9ceec516c1f5a744 (86 files)
61259b55b8912888e90f516ca08dc514 (10 files)

Hashes – Other similar files:
14e4bfe2b41a8cf4b3ab724400629214
f1c29ba01377c35e6f920f0aa626eaf5
5420dcbae4f1fba8afe85cb03dcd9bfc
18e9cd6b282d626e47c2074783a2fa78
2499343e00b0855882284e37bf0fa327
0d8b1ad53fddacf2221409c1c1f3fd70
17f512e1a9f5e35ce5761dba6ccb09cb
b5c60625612fe650be3dcbe558db1bbc
a478540cda34b75688c4c6da4babf973
765f09987f0ea9a3797c82a1c3fced46
bbd003bc5c9d50211645b028833bbeb2
71b4db69df677a2acd60896e11237146
f4eebe921b734d563e539752be05931d
b4fd2d06ac3ea18077848c9e96a25142
1d3c8ca9c0d2d70c656f41f0ac0fe818
785bfaa6322450f1c7fe7f0bf260772d
2fa290d07b56bde282073b955eae573e
d70bb6e2f03e5f456103b9d6e2dc2ee7
0ede257a56a6b1fbd2b1405568b44015
fdd4cd11d278dab26c2c8551e006c4ed
dbcaa05d5ca47ff8c893f47ad9131b29
c9ca95c2a07339edb13784c72f876a60
c3b90a10922eef6d635c6c786f29a5d0
8ef7d7ec24fb7f6b994006e9f339d9af
fa4ffa1f263f5fc67309569975611640
754920678bc60dabeb7c96bfb88273de
2964ce62d3c776ba7cb68a48d6afb06e
8503b56d9585b8c9e6333bb22c610b54
eaaf20fdc4a07418b0c8e85a2e3c9b27
b6c849fcdcda6c6d8367f159047d26c4
de94d596cac180d348a4acdeeaaa9439
3f92847d032f4986026992893acf271e
ae158d61bed131bcfd7d6cecdccde79b

RECOMMENDATIONS
Employ tools with behavior-based detection that identify process injection from the sequence of events it produces (a process created by an unrelated parent, then opened with write and thread-control access, written to and resumed), rather than relying on file hashes alone.
Treat any cvtres.exe process as suspicious when it is not spawned by a compiler toolchain (for example csc.exe) or when it opens network connections; cvtres.exe is a resource-file conversion utility and has no reason to communicate over the network.
Block or alert on the hashes and hosts listed in the IoC section above.
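The recommendations above, turned into working detection logic, as an added example that is not part of the original advisory and not Menlo's code. It runs over constructed Sysmon-style events (process creation, process access and network connection records) and reports the cvtres.exe anomalies described above alongside matches on the advisory's own hashes and hosts. The expected-parent allow-list for cvtres.exe, the hollowing access mask and the sample file names are assumptions made for the example.

```python
import ntpath

# IoCs copied from this advisory: SHA-256 of the malware samples and the
# C2/exfiltration hosts.
IOC_SHA256 = {
    "a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e",
    "5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d",
    "f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad",
    "397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3",
    "7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8",
    "efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf",
    "c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331",
}
IOC_HOSTS = {"ftp.mgcpakistan.com", "cents-ability.org"}

# Parents that legitimately spawn cvtres.exe (compiler/linker toolchains).
# Assumption for this example: tune the allow-list to what your estate runs.
EXPECTED_CVTRES_PARENTS = {"csc.exe", "vbc.exe", "msbuild.exe", "devenv.exe", "link.exe", "cl.exe"}

# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
# PROCESS_SUSPEND_RESUME: rights a hollowing loader needs on its host process.
HOLLOWING_ACCESS = 0x0002 | 0x0008 | 0x0020 | 0x0800


def _base(path: str) -> str:
    return ntpath.basename(path or "").lower()


def _sha256_from(hashes: str) -> str:
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'."""
    for item in hashes.split(","):
        algo, _, value = item.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def _has_arguments(cmdline: str, image: str) -> bool:
    """False when the command line is nothing but the image path, which is how a
    loader typically starts a host process it intends to hollow."""
    return cmdline.strip().strip('"').lower() != image.lower()


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 1:  # process creation
            if _base(image) == "cvtres.exe":
                if _base(ev.get("ParentImage", "")) not in EXPECTED_CVTRES_PARENTS:
                    findings.append(("cvtres_unexpected_parent", f"{ev.get('ParentImage')} -> {image}"))
                if not _has_arguments(ev.get("CommandLine", ""), image):
                    findings.append(("cvtres_no_arguments", ev.get("CommandLine", "")))
            if _sha256_from(ev.get("Hashes", "")) in IOC_SHA256:
                findings.append(("ioc_hash_match", image))
        elif eid == 3:  # network connection
            host = ev.get("DestinationHostname", "").lower()
            if host in IOC_HOSTS:
                findings.append(("ioc_network_match", f"{_base(image)} -> {host}:{ev.get('DestinationPort')}"))
        elif eid == 10:  # process access
            source, target = ev.get("SourceImage", ""), ev.get("TargetImage", "")
            granted = int(ev.get("GrantedAccess", "0"), 16)
            if _base(target) == "cvtres.exe" and source != target and granted & HOLLOWING_ACCESS:
                findings.append(("cross_process_write_access", f"{source} -> {target} ({hex(granted)})"))
    return findings


# Constructed events (hypothetical paths and a non-IoC hash for the benign case).
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
LOADER = r"C:\Users\user\AppData\Local\Temp\sample.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": NET + r"\cvtres.exe", "ParentImage": NET + r"\csc.exe",
     "CommandLine": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:out.res",
     "Hashes": "SHA256=" + "1" * 64},
    {"EventID": 1, "Image": LOADER, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{LOADER}"',
     "Hashes": "SHA256=a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e"},
    {"EventID": 1, "Image": NET + r"\cvtres.exe", "ParentImage": LOADER,
     "CommandLine": f'"{NET}\cvtres.exe"', "Hashes": "SHA256=" + "2" * 64},
    {"EventID": 10, "SourceImage": LOADER, "TargetImage": NET + r"\cvtres.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "Image": NET + r"\cvtres.exe", "DestinationHostname": "ftp.mgcpakistan.com",
     "DestinationPort": 21},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The hash and host rules are brittle by design (one recompile or a new C2 defeats them), which is why the behavioral rules come first: a cvtres.exe launched by something other than a compiler, started with no arguments, opened for writing by its parent and then making an outbound FTP connection is the sequence described in the technical details, whatever the sample's hash.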

REFERENCES
https://www.bleepingcomputer.com/news/security/purecrypter-malware-hits-govt-orgs-with-ransomware-info-stealers/
https://www.menlosecurity.com/blog/purecrypter-targets-government-entities-through-discord/
https://securityboulevard.com/2023/02/purecrypter-targets-government-entities-through-discord/