Contents:
A threat actor has been spotted delivering several information stealers and ransomware strains to government organizations via the PureCrypter malware downloader.
According to researchers from Menlo Security, the threat actor used Discord to host the initial payload and exploited a non-profit organization to store additional hosts used in the campaign.
Menlo Labs has uncovered an unknown threat actor that’s leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities.
The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware.
Several government organizations in the Asia-Pacific (APAC) and North American regions were reportedly targeted by the PureCrypter campaign.
Infection Chain
The attack starts with an email that contains a Discord app Link that leads to a PureCrypter sample in a password-protected ZIP archive.
PureCrypter is a.NET-based malware downloader that was first discovered in the wild in March 2021. Its operator rents it out to other cybercriminals to deliver various forms of malware.
When run, it delivers the next-stage payload from a command and control server, which in this case is the compromised server of a non-profit organization.
The sample that the researchers at Menlo Security investigated was AgentTesla. When run, the malware establishes a connection to a Pakistan-based FTP server, which is used to receive the stolen data.
The researchers discovered that threat actors used leaked credentials to take control of a specific FTP server rather than setting up their own in order to avoid detection risks and hide their trace.
AgentTesla Malware
AgentTesla is a family of .NET malware that hackers have been using for the past eight years. Its popularity was at its highest in late 2020, explains Bleeping Computer.
AgentTesla has been around for a while, but a recent analysis by Cofense shows that despite its age, it is still a profitable and powerful backdoor that has been constantly updated and improved.
Cofense Intelligence estimates that in 2022, AgentTesla was responsible for 30% of all keylogger reports. The following features are a few of what the malware is capable of:
- Log the victim’s keystrokes to capture sensitive information such as passwords.
- Steal passwords saved in web browsers, email clients, or FTP clients.
- Capture screenshots of the desktop that could reveal confidential information.
- Intercept data that is copied to the clipboard, including texts, passwords, and credit card details.
- Exfiltrate stolen data to the C2 via FTP or SMTP.
Menlo Labs revealed that the threat actors exploited process hollowing to inject the AgentTesla payload into a legitimate process (“cvtres.exe”) in order to avoid detection by antivirus solutions. Furthermore, to protect its communications with the C2 server, as well as its configuration files, AgentTesla employs XOR encryption.
Menlo Security says that the threat actor behind the PureCrypter campaign is not a large one, but its targeting of government organisations makes it worthwhile to follow its behavior.
The complete analysis from Menlo Labs is available here.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.