Cyble – Pure Coder Offers Multiple Malware For Sale In Darkweb Forums

CRIL uncovers Alibaba2044’s PureLogs stealer and related PureCoder malware offerings being sold in darkweb forums, with a December 14, 2022 spam campaign targeting Italian users. The piece details multiple tools (PureLogs, PureCrypter, PureMiner, BlueLoader, PureHVNC) and their capabilities, including information theft, cryptomining, and remote control features. #PureLogs #PureCoder #Alibaba2044 #BlueLoader #PureMiner #PureHVNC #PureCrypter

Keypoints

  • The threat actor Alibaba2044 sells the PureLogs information stealer and the rest of the PureCoder malware ecosystem via darkweb forums.
  • The campaign targeted Italians through a malicious spam email delivering a password‑protected ZIP leading to a cab file that drops a .NET executable.
  • PureLogs steals browser data, crypto wallets, and various applications, with a one-year subscription priced at $99.
  • PureCrypter distributes multiple RATs and info stealer modules, bundled with obfuscation and protection to hinder detection, priced at $59/month.
  • Other tools offered include PureMiner (a stealth miner), BlueLoader (botnet with DDoS and bot elimination), and PureHVNC (hidden HVNC control) with subscription pricing.
  • The TA advertises these tools on cybercrime forums to attract customers and to expand its activity beyond PureLogs/PureCoder.
  • CRIL’s overview emphasizes the financial motive behind malware development and sale, urging vigilance and monitoring of surface, deep, and dark web threats.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The spam email links to a password-protected ZIP containing a cab file that, when opened, drops a malicious executable. ‘The spam email includes a link to download a password-protected zip file; the password is provided in the same email. The zip file contains a cabinet file disguised as a batch file, which holds a malicious executable.’
  • [T1204] User Execution – The target must open the batch/cab file for the malware to start running. ‘Once the target opens the batch file, the malware will start running on their machine.’
  • [T1140] Deobfuscate/Decode Files or Information – The PureCrypter obfuscation/packing approach is used to hinder detection. ‘obfuscated with SmartAssembly, that is further protected with compression, encryption, and obfuscation to make it difficult to detect.’
  • [T1562.001] Impair Defenses – Obfuscation/packing used to hinder defenses. ‘obfuscated with SmartAssembly, that is further protected with compression, encryption, and obfuscation to make it difficult to detect.’
  • [T1082] System Information Discovery – The malware targets and exfiltrates data from the system (browsers, wallets, apps). ‘PureLogs is designed to steal browser data, crypto wallets, and various applications…’
  • [T1083] File and Directory Discovery – The campaign involves enumerating and targeting data stored in applications and files (wallets, browsers, etc.). ‘The data targeted by PureLogs’ table lists various data types from installed software.
  • [T1119] Automated Collection – Automated collection of data from the local system (browsers, wallets, apps). ‘steal browser data, crypto wallets, and various applications’.
  • [T1005] Data from Local System – Local data collection from the host (browsers, wallets, etc.). ‘data targeted by PureLogs’ and the listed data categories.
  • [T1071] Application Layer Protocol – C2/ops communications via application-layer protocols (context: PUA family communications and post content on forums to attract buyers). ‘The TA developing this malware have also posted the tool information in the cybercrime forums to attract potential customers.’
  • [T1020] Automated Exfiltration – Exfiltration of stolen data (wallets, browser data, etc.) from the infected host to C2 or attacker infrastructure. ‘The malware is designed to steal browser data, crypto wallets, and various applications’ (implies exfiltration of stolen data).
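The delivery chain above hinges on a Cabinet file shipped under a .bat name inside the ZIP. The following is an added example, not code from the Cyble report, showing how a mail-gateway or sandbox pre-filter can catch that kind of extension/content mismatch: it reads the first bytes of every ZIP member and flags any member whose signature (Cabinet "MSCF", or a PE "MZ" header) does not belong to its extension. The PE check generalizes the page's single cab case to the renamed-executable variant. The archive contents (`DOC9848_pdf.bat`, `x.exe`, `readme.txt`) are constructed in memory from the file names the report lists, with fabricated header bytes, not the real samples; `find_disguised_members`, `identify` and `build_sample_archive` are names chosen here.

```python
import io
import os
import zipfile
from typing import List, Optional, Tuple

# Magic bytes and the extensions under which each format is legitimately delivered.
# The campaign shipped a Cabinet ("MSCF") file named *.bat inside the ZIP; a PE file
# ("MZ") renamed to a document or script extension is the same trick, so both are
# covered. (A text file that happens to start with "MZ" would also be flagged; that
# is an acceptable false positive for a pre-filter.)
KNOWN_FORMATS = (
    ("cab", b"MSCF", {".cab"}),
    ("pe", b"MZ", {".exe", ".dll", ".sys", ".scr"}),
)


def identify(head: bytes) -> Optional[str]:
    """Return the format name whose signature matches the first bytes of a member."""
    for name, magic, _ in KNOWN_FORMATS:
        if head.startswith(magic):
            return name
    return None


def find_disguised_members(zip_bytes: bytes,
                           password: Optional[bytes] = None) -> List[Tuple[str, str]]:
    """Return (member_name, detected_format) for every ZIP member whose content
    signature does not belong to its file extension.

    password: for a password-protected ZIP (the campaign put the password in the
    e-mail body). The stdlib only decrypts legacy ZipCrypto; AES-encrypted archives
    need a third-party reader.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as member:
                head = member.read(4)          # only the signature is needed
            fmt = identify(head)
            if fmt is None:
                continue                       # no tracked signature, nothing to compare
            ext = os.path.splitext(info.filename)[1].lower()
            allowed = next(exts for name, _, exts in KNOWN_FORMATS if name == fmt)
            if ext not in allowed:
                findings.append((info.filename, fmt))
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the campaign's ZIP (not the real file): a fake
    CFHEADER under a .bat name, a benign text file, and a PE stub under its
    proper extension."""
    fake_cab = b"MSCF" + b"\x00" * 32          # 36-byte CFHEADER with signature only
    fake_pe = b"MZ" + b"\x00" * 62             # DOS header stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DOC9848_pdf.bat", fake_cab)   # cab disguised as a batch file
        zf.writestr("readme.txt", b"nothing to see here\n")
        zf.writestr("x.exe", fake_pe)              # executable under its own extension
    return buf.getvalue()


if __name__ == "__main__":
    for name, fmt in find_disguised_members(build_sample_archive()):
        print(f"suspicious member {name!r}: content is {fmt}, extension does not match")
```

Run against the constructed archive it reports only `DOC9848_pdf.bat` as a Cabinet under a script extension; `x.exe` passes because a PE under .exe is consistent, and `readme.txt` is skipped because it carries no tracked signature. In production the same check belongs before any automatic extraction, and a hit is a strong reason to quarantine the whole message rather than just the member.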

Indicators of Compromise

  • [FileName] DOC9848-14-12-2022.zip – the initial archive in the phishing chain; related file names: DOC9848_pdf.bat, x.exe, and Ixqwqtt.dll
  • [MD5] DOC9848-14-12-2022.zip – 5e5276abac4f39ed674c8783d12212dc, 743ea515bb5bab8929c6d280a3d0feaa, and 2 more hashes
  • [SHA1] DOC9848-14-12-2022.zip – c055b968ae48bd35342a4aebfe6195e67529d84e, 58326656b86f43fdaa65b5493da1cb13e7cf6a2d, and 2 more hashes
  • [SHA256] DOC9848-14-12-2022.zip – c59559275fb8af4bbc59d47c267a94fbe44151e40a8606414d1b1f76a99852b1, 887cabc0d136a86a6be444883b62c90d073fd1f839896840233150475bd149c8, and 2 more hashes
  • [FileName] DOC9848_pdf.bat – md5 743ea515bb5bab8929c6d280a3d0feaa (example), sha1 58326656b86f43fdaa65b5493da1cb13e7cf6a2d (example), sha256 887cabc0d136a86a6be444883b62c90d073fd1f839896840233150475bd149c8 (example)

Read more: https://blog.cyble.com/2022/12/27/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/