PureCrypter is a MaaS-type loader that distributes other malware families through a two-part downloader/injector architecture, leveraging hundreds of C2s to sustain distribution. It employs image-based masquerading, multiple encoding/encryption schemes, and layered propagation techniques to deliver payloads such as Mars Stealer, AgentTesla, RedLine, and others across a long, multi-stage chain. #PureCrypter #MarsStealer #AgentTesla #RedLine #Formbook #SnakeKeylogger #AsyncRAT #Raccoon
Key points
- PureCrypter is a MaaS-type loader written in C# that can propagate multiple malware families.
- Active in 2022, it has distributed more than 10 different malware families, including Formbook, SnakeKeylogger, AgentTesla, RedLine, and AsyncRAT, among others.
- Authors appear resourceful, maintaining hundreds of C2 domains and IPs and a long propagation chain.
- It uses image name suffixes with inversion, compression, and encryption to evade detection.
- The propagation chain often uses pre-protectors and mixes with other loaders, complicating detection.
- Downloader+injector architecture: the downloader fetches the injector, which then releases and runs the final payload.
- Typical propagation methods include bat2exe, VBS, and PowerShell loaders, and campaigns have spread Raccoon to further disseminate Azorult, Remcos, PureMiner, and PureClipper.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The downloader directly calls WebClient’s DownloadData for HTTP downloads. “This module directly calls WebClient’s DownloadData method for HTTP downloads, without setting any HTTP headers.”
- [T1027] Obfuscated Files or Information – PureCrypter uses image name suffixes combined with inversion, compression and encryption to avoid detection. “PureCrypter uses the image name suffixes combined with inversion, compression and encryption to avoid detection.”
- [T1036] Masquerading – PureCrypter disguises the injector as an image for downloading. “PureCrypter likes to disguise the injector as an image for downloading, the image name is relatively random…”
- [T1055] Process Injection – The injector performs final payload injection, with Process Hollowing noted as the most frequently used method. “Process Hollowing is the most frequently used one.”
- [T1059.001] PowerShell – Propagation uses PowerShell scripts to deliver components; “The entry can be either a VBS script or a Powershell script” and “Powershell decodes a base64-encoded VBS loader.”
- [T1059.005] Visual Basic – VBS-based loader used to propagate downloader; “VBS loader further releases a downloader and runs the latter via shellcode.”
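Two of the behaviours listed above give defenders concrete triage hooks: the downloader fetches its "image" via WebClient.DownloadData without setting headers (T1105), and the fetched file carries an image suffix while actually being an inverted, compressed and/or encrypted payload (T1027/T1036). The Python below is an added example written for this summary, not code from the original report or from 360 Netlab. It assumes a constructed proxy log format, treats an empty User-Agent on a GET for an image-suffixed URL as the observable left by a header-less WebClient fetch (WebClient sends no User-Agent unless the caller sets one), and reads "inversion" as byte-order reversal; the sample log lines and byte strings are constructed here.

```python
"""Triage helpers for the PureCrypter download behaviours described above (added example)."""
import math
import re
from collections import Counter
from typing import Optional

# Constructed (hypothetical) proxy log line format:
#   client_ip "METHOD URL" status bytes "User-Agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<ua>[^"]*)"$'
)

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")

# File signatures that a file with an image suffix should actually start with.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one constructed proxy log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_headerless_image_fetch(line: str) -> bool:
    """True for a GET of an image-suffixed URL whose User-Agent is empty.

    A browser always sends a User-Agent when it loads an image; a bare
    WebClient.DownloadData call (the report's T1105 behaviour) does not.
    """
    rec = parse_log_line(line)
    if not rec or rec["method"] != "GET":
        return False
    path = rec["url"].split("?", 1)[0].lower()
    return path.endswith(IMAGE_EXT) and rec["ua"] == ""


def real_image_type(data: bytes) -> Optional[str]:
    """Return the image format indicated by the file signature, or None if there is none."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 = uniform); encrypted blobs sit near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_image_download(data: bytes) -> str:
    """Classify bytes that were saved under an image suffix.

    Returns 'image' for a genuine image, otherwise names the disguise found:
    'pe', 'gzip', 'reversed-pe', 'reversed-gzip' (inversion assumed to be byte
    reversal), 'opaque-high-entropy' (likely encrypted) or 'opaque'.
    """
    if real_image_type(data):
        return "image"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    rev = data[::-1]
    if rev.startswith(PE_MAGIC):
        return "reversed-pe"
    if rev.startswith(GZIP_MAGIC):
        return "reversed-gzip"
    return "opaque-high-entropy" if shannon_entropy(data) >= 7.5 else "opaque"


# Constructed sample log lines: the Discord URL is the one listed in the IoCs above.
SAMPLE_LOG = [
    '10.0.0.5 "GET https://cdn.discordapp.com/attachments/994652587494232125/1004377750762704896/ps1-6_Hjuvcier.png" 200 812345 ""',
    '10.0.0.7 "GET https://example.invalid/logo.png" 200 4210 "Mozilla/5.0"',
    '10.0.0.7 "POST https://example.invalid/upload" 200 12 ""',
]


def suspicious_log_lines(lines) -> list:
    """Return the subset of log lines that match the header-less image fetch pattern."""
    return [ln for ln in lines if is_headerless_image_fetch(ln)]


if __name__ == "__main__":
    for hit in suspicious_log_lines(SAMPLE_LOG):
        print("suspicious:", hit)
    print(classify_image_download(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
```

On the opaque branch the right response is a sandbox detonation of the process that fetched the file, not an automatic allow; a high-entropy blob with an image suffix and no recognisable signature is exactly what an encrypted PureCrypter injector would look like at the proxy.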
Indicators of Compromise
- [MD5] – Example hashes for related downloaders: 424ed5bcaae063a7724c49cdd93138f5, 3f20e08daaf34b563227c797b4574743, and 2 more hashes
- [URL] – Command-and-control domains observed: agenttt.ac.ug, raphaellasia.com, and other domains, and 2 more items; a Discord distribution link was also observed (https://cdn.discordapp.com/attachments/994652587494232125/1004377750762704896/ps1-6_Hjuvcier.png)
- [IP] – C2-related IPs observed: 185.215.113.89, 62.204.41.69, and 5 more IPs
- [URL] – Discord distribution URL used for injector delivery: https://cdn.discordapp.com/attachments/994652587494232125/1004377750762704896/ps1-6_Hjuvcier.png
Read more: https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/