Latest PureCrypter campaign targets government organisations
Researchers at Menlo Security have discovered that a threat actor is targeting government agencies in the Asia-Pacific and North American regions with the PureCrypter malware downloader. The campaign has been seen delivering several types of malware, including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware.
The attack chain begins with an email containing a Discord app URL that points to a PureCrypter sample in a password-protected ZIP archive.
When executed, it delivers the next stage payload from a command and control server, which is the compromised server of a non-profit organisation. The observed PureCrypter campaign used leaked credentials to take control of the FTP server, rather than setting up its own, in order to reduce the risk of identification and minimise its trail.
The malware’s capabilities include the following:
-
Log the victim’s keystrokes to capture sensitive information such as passwords.
-
Steal passwords saved in web browsers, email clients, or FTP clients.
-
Capture screenshots of the desktop that could reveal confidential information.
-
Intercept data that is copied to the clipboard, including texts, passwords, and credit card details.
-
Exfiltrate stolen data to the C2 via FTP or SMTP.
Menlo Security researchers believe that the threat actor behind the PureCrypter campaign is not a major threat actor, but is worth monitoring due to its targeting of government entities.
Indicator of Compromise
| URL/SHA/MD5/Domain |
|---|
| ftp://ftp[.]mgcpakistan[.]com/ |
| cents-ability.org |
| be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d |
| 5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99 |
| a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e |
| 5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d |
| f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad |
| 397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3 |
| 7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8 |
| efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf |
| C846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331 |
| 14e4bfe2b41a8cf4b3ab724400629214 |
| f1c29ba01377c35e6f920f0aa626eaf5 |
| 5420dcbae4f1fba8afe85cb03dcd9bfc |
| 18e9cd6b282d626e47c2074783a2fa78 |
| 2499343e00b0855882284e37bf0fa327 |
| 0d8b1ad53fddacf2221409c1c1f3fd70 |
| 2499343e00b0855882284e37bf0fa327 |
| 0d8b1ad53fddacf2221409c1c1f3fd70 |
| 17f512e1a9f5e35ce5761dba6ccb09cb |
| b5c60625612fe650be3dcbe558db1bbc |
| a478540cda34b75688c4c6da4babf973 |
| 765f09987f0ea9a3797c82a1c3fced46 |
| bbd003bc5c9d50211645b028833bbeb2 |
| 71b4db69df677a2acd60896e11237146 |
| f4eebe921b734d563e539752be05931d |
| b4fd2d06ac3ea18077848c9e96a25142 |
| 1d3c8ca9c0d2d70c656f41f0ac0fe818 |
| 785bfaa6322450f1c7fe7f0bf260772d |
| 2fa290d07b56bde282073b955eae573e |
| d70bb6e2f03e5f456103b9d6e2dc2ee7 |
| 0ede257a56a6b1fbd2b1405568b44015 |
| fdd4cd11d278dab26c2c8551e006c4ed |
| dbcaa05d5ca47ff8c893f47ad9131b29 |
| c9ca95c2a07339edb13784c72f876a60 |
| c3b90a10922eef6d635c6c786f29a5d0 |
| 8ef7d7ec24fb7f6b994006e9f339d9af |
| f1c29ba01377c35e6f920f0aa626eaf5 |
| fa4ffa1f263f5fc67309569975611640 |
| 754920678bc60dabeb7c96bfb88273de |
| 2964ce62d3c776ba7cb68a48d6afb06e |
| 8503b56d9585b8c9e6333bb22c610b54 |
| eaaf20fdc4a07418b0c8e85a2e3c9b27 |
| b6c849fcdcda6c6d8367f159047d26c4 |
| de94d596cac180d348a4acdeeaaa9439 |
| 3f92847d032f4986026992893acf271e |
| ae158d61bed131bcfd7d6cecdccde79b |