PureCrypter Targeting Government Entities via Discord
SUMMARY
PureCrypter is an advanced .NET-based malware downloader, first seen in 2021, that downloads Remote Access Trojans (RATs) and Information stealers (InfoStealers).
Menlo Security research labs have observed unknown threat actors running campaigns against government organizations, spreading the malware by abusing the target organization’s use of Discord. The downloader was seen delivering multiple InfoStealers and ransomware strains. According to Menlo, the campaign targets multiple government organizations in Asia-Pacific (APAC) and North America.
TECHNICAL DETAILS
Target organizations receive an email with a Discord application URL that points to a PureCrypter sample in a password-protected ZIP file. On execution, it delivers the next-stage payload from a command-and-control server, which is often a compromised host at another government or non-profit organization.
Several types of malware were found to have been delivered during this campaign, including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware.
Menlo researchers specifically analyzed a sample that delivered AgentTesla. When launched, it establishes a connection to a Pakistan-based FTP server that receives the data stolen from the government organization. AgentTesla uses a process hollowing technique to inject its payload into the legitimate process “cvtres.exe” to evade detection by antivirus tools. AgentTesla also uses XOR encryption to protect its communications with the C2 server.
INDICATORS OF COMPROMISE (IoCs)
FTP:
ftp[.]mgcpakistan[.]com/
Username: ddd@mgcpakistan[.]com
HTTP:
cents-ability[.]org
Hashes – Email
• be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d
• 5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99
Hashes – Malware
Hashes – Imphash shared by 106 FTP files:
• F34d5f2d4577ed6d9ceec516c1f5a744 (86 files)
• 61259b55b8912888e90f516ca08dc514 (10 files)
Hashes – Other similar files:
RECOMMENDATIONS
• Employ tools with behavior-based detection capabilities that detect process injection based on the common sequences of behavior that occur during the injection process.
• Look out for suspicious cvtres.exe processes.
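As an added illustration of the second recommendation (this is example code, not code from the advisory or from Menlo), the following script scans constructed Sysmon-style process-creation and network-connection records and flags cvtres.exe instances that were spawned by a parent outside the .NET build toolchain or that open any outbound connection. The sample events and the allow-list of expected parent processes are assumptions made for the example.

```python
import json

# Constructed Sysmon-style events in JSON-lines form (EventId 1 = process create,
# EventId 3 = network connect). These are sample records, not data from the advisory.
SAMPLE_LOG = r"""
{"EventId": 1, "ProcessId": 4120, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"}
{"EventId": 3, "ProcessId": 4120, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 21}
{"EventId": 1, "ProcessId": 5300, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe", "ParentImage": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe"}
{"EventId": 3, "ProcessId": 6001, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "198.51.100.2", "DestinationPort": 443}
"""

# Parents that legitimately spawn cvtres.exe (the .NET/MSVC build toolchain).
# This allow-list is an assumption for the example; tune it to your environment.
EXPECTED_PARENTS = {"csc.exe", "vbc.exe", "link.exe", "msbuild.exe", "devenv.exe"}


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_cvtres_abuse(log_text):
    """Return (pid, reason) tuples for suspicious cvtres.exe activity in the log."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if basename(ev.get("Image", "")) != "cvtres.exe":
            continue
        pid = ev["ProcessId"]
        if ev["EventId"] == 1:
            # A hollowed cvtres.exe is typically started by the dropper, not by a compiler.
            parent = basename(ev.get("ParentImage", ""))
            if parent not in EXPECTED_PARENTS:
                findings.append((pid, f"cvtres.exe spawned by unexpected parent {parent}"))
        elif ev["EventId"] == 3:
            # A resource converter has no reason to talk to the network at all;
            # port 21 matches the FTP exfiltration described in the advisory.
            port = ev.get("DestinationPort")
            proto = "FTP" if port == 21 else f"port {port}"
            findings.append((pid, f"cvtres.exe outbound connection to {ev.get('DestinationIp')} ({proto})"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_cvtres_abuse(SAMPLE_LOG):
        print(f"PID {pid}: {reason}")
```

Feed it real Sysmon events exported as JSON lines; the parent allow-list will need adjusting on build hosts where cvtres.exe runs legitimately.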
REFERENCES
• https://www.bleepingcomputer.com/news/security/purecrypter-malware-hits-govt-orgs-with-ransomware-info-stealers/
• https://www.menlosecurity.com/blog/purecrypter-targets-government-entities-through-discord/
• https://securityboulevard.com/2023/02/purecrypter-targets-government-entities-through-discord/