Government entities in Asia-Pacific and North America are being targeted by an unknown threat actor with an off-the-shelf malware downloader known as PureCrypter to deliver an array of information stealers and ransomware.
“The PureCrypter campaign uses the domain of a compromised non-profit organization as a command-and-control (C2) to deliver a secondary payload,” Menlo Security researcher Abhay Yadav said.
First documented in June 2022, PureCrypter is advertised for sale by its author for $59 for one-month access (or $245 for a one-off lifetime purchase) and is capable of distributing a multitude of malware.
In December 2022, PureCoder – the developer behind the program – expanded the slate of offerings to include a logger and information stealer known as PureLogs, which is designed to siphon data from web browsers, crypto wallets, and email clients. It costs $99 a year (or $199 for lifetime access).
The infection sequence detailed by Menlo Security commences with a phishing email containing a Discord URL that points to the first-stage component, a password-protected ZIP archive that, in turn, loads the PureCrypter malware.
The loader, for its part, reaches out to the website of the breached non-profit entity to fetch the secondary payload, which is a .NET-based keylogger named Agent Tesla.
The backdoor then establishes a connection to an FTP server located in Pakistan to exfiltrate the harvested data, indicating that compromised credentials may have been used to perform the activity.