Executive Summary
Menlo Labs has uncovered an unknown threat actor that’s leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities. The PureCrypter campaign uses the domain of a compromised non-profit organization as a Command and Control (C2) to deliver a secondary payload. The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware. Our investigation started when Menlo’s Cloud Security Platform blocked password-protected archive files across multiple government customers in the Asia-Pacific (APAC) and North America regions.
Menlo Labs assesses that this threat actor group will continue to use the compromised and taken infrastructure as long as they can, before needing to find a new home. Leaving credentials in malware is an OpSec failure but it leaves a trace for analysts to follow. Fortunately in this case, Menlo’s Cloud Security Platform blocked this attack, which allowed Menlo Labs to see it and start to track this actor.
Infection Chain
Threat Intelligence
Threat analysis showed that PureCrypter is downloading a secondary malware, believed to be AgentTesla.
PureCrypter is an advanced downloader that fetches Remote Access Trojans (RATs) and infostealers. It has been sold since March 2021 on “hxxps[://]purecoder.sellix.io/.” AgentTesla is an advanced backdoor whose capabilities include stealing stored passwords from different browsers, clipboard logging, keylogging and screen capturing. It is written in .NET and supports all versions of the Windows operating system.
In our investigation, we found that AgentTesla establishes a connection to an FTP server where it stores the stolen victim’s credentials. The FTP server appears to have been taken over and the leaked credentials for the domain were found online, thus suggesting that the threat actors used these credentials to gain access to the server.
It's also noteworthy that the download link for the secondary malware is from a compromised domain of a non-profit organization whose leaked credentials were also found online.
A sample similar to the AgentTesla malware we analyzed was discovered in a phishing email with the subject "FW: New Order no. 5959" from Alejandro Gonzalo (e052450f2@891f4e7e1668[.]com). The malicious attachment was named "Nuevo pedido 7887979-800898.gz" and contained FTP server credentials that were the same as those found in the first case.
From that same sender address, another malicious email titled "New Order" was also uncovered with an attached file called "Ppurchase order6007979-709797790.gz". This one also used the same FTP server – ftp[://]ftp.mgcpakistan[.]com – as part of its infection process.
The FTP server (ftp[://]ftp.mgcpakistan[.]com) was also seen in a campaign using OneNote to deliver malware. Attackers have been sending phishing emails with links to malicious OneNote files that can download additional malware or steal information from the victim's device. Altogether, the Labs team found 106 files using this FTP server.
Infection Vector/Technical Details
In this campaign, Discord was used to host the payload, and a link to the payload is sent via email. To evade existing defenses, PureCrypter is delivered inside password-protected ZIP files. Below is a screenshot that shows the poor detection rate of these password-protected payloads on VirusTotal (VT).
The following steps were taken by the attacker to deliver the payload:
- An email containing a Discord app URL pointing to a malicious password-protected ZIP file is sent to the victim (https://cdn[.]discordapp.com/attachments/1006638283645784218/1048923462128914512/Private_file__dont_share.zip, password - 1234, md5 - 967f9bc90202925e1f941c8ea1db2c94)
- The ZIP extracts a loader written in .NET called PureCrypter (md5 - 5420DCBAE4F1FBA8AFE85CB03DCD9BFC). The loader tries to download a secondary payload from the compromised non-profit organization shown in the screenshot below. At the time of investigation the compromised non-profit organization’s website was down, so we were unable to retrieve its secondary payload.
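The two delivery steps above (a password-protected archive fetched from the Discord CDN) can be classified at a web gateway without knowing the password, because a ZIP entry's encryption flag lives in the archive headers. The following Python is an added example and not code from the report or from Menlo; the Discord host list and the blocking rule are assumptions, and the sample ZIP is a constructed fixture whose encryption flag is simply set in the headers (the content is not actually encrypted) so the classifier can be exercised offline.

```python
import io
import struct
import zipfile
from urllib.parse import urlparse

# Assumption: the CDN host this campaign used, taken from the report's download URL.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}

# Bit 0 of the ZIP general-purpose bit flag marks an encrypted (password-protected) entry.
ENCRYPTED_FLAG = 0x0001


def encrypted_entries(zip_bytes: bytes) -> list:
    """Return the names of entries flagged as encrypted.

    Reads only the central directory via the stdlib, so no password is needed
    to decide whether an archive is password-protected.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


def triage_download(url: str, zip_bytes: bytes) -> dict:
    """Gateway-style verdict for an archive downloaded from `url`."""
    host = (urlparse(url).hostname or "").lower()
    names = encrypted_entries(zip_bytes)
    verdict = {
        "host": host,
        "from_discord_cdn": host in DISCORD_CDN_HOSTS,
        "encrypted_entries": names,
    }
    # Assumed policy: a password-protected archive from a file-sharing CDN is blocked,
    # because the content cannot be scanned and that is exactly the evasion the report describes.
    verdict["block"] = verdict["from_discord_cdn"] and bool(names)
    return verdict


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed test fixture: a one-entry STORED ZIP.

    When encrypted=True the encryption flag is written into both the local file
    header (flags at offset 6) and the central directory header (flags at offset 8),
    which is all the classifier inspects; the payload bytes are a harmless placeholder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Private_file__dont_share.exe", b"MZ constructed placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        lfh = data.find(b"PK\x03\x04")          # local file header signature
        struct.pack_into("<H", data, lfh + 6, ENCRYPTED_FLAG)
        cdh = data.find(b"PK\x01\x02")          # central directory header signature
        struct.pack_into("<H", data, cdh + 8, ENCRYPTED_FLAG)
    return bytes(data)


if __name__ == "__main__":
    url = ("https://cdn.discordapp.com/attachments/1006638283645784218/"
           "1048923462128914512/Private_file__dont_share.zip")
    print(triage_download(url, make_sample_zip(encrypted=True)))
```

The same flag check works on archives that cannot be opened for other reasons (multi-volume, unsupported compression), because only the central directory is read; in a real gateway the host match would be one signal among several rather than a hard block on its own.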
While we were not able to download the second-stage payload from the PureCrypter sample mentioned above (md5 - 5420DCBAE4F1FBA8AFE85CB03DCD9BFC), we were able to identify similar samples which were seen downloading malicious payloads from the compromised non-profit organization. Upon further investigation, we determined that this payload was AgentTesla and that it was communicating with an FTP server located in Pakistan (as mentioned in the Threat Intelligence section above). The technical analysis below is for the new sample (md5 - C3B90A10922EEF6D635C6C786F29A5D0).
This downloaded binary is packed to evade initial detection. It contains the AgentTesla payload, which is stored DES-encrypted in the resource section as shown in the screenshot below.
The des.IV and des.Key used for the encrypted payload are shown in the screenshot below.
AgentTesla uses a process hollowing technique to inject its payload (md5 - BCF031AB2B43DC382B365BA3DF9F09BC) into cvtres.exe. This is a standard Windows binary that exists across all versions of the Windows OS.
AgentTesla uses an XOR algorithm to encrypt its config file. The screenshot below shows the XOR-encoded config file.
Menlo Labs was able to decrypt the config file; the decrypted file is shown below.
The decrypted file contains the C2 details of the FTP server to which AgentTesla uploads the victim data.
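A repeating-key XOR layer like the one described above is cheap to strip once a few plaintext bytes are known, because XOR is its own inverse: the config almost certainly starts with a recognisable token such as "ftp://", and XORing that against the first ciphertext bytes yields the key directly. The Python below is an added example, not the report's tooling: the key, the key length and the "key=value|..." config layout are constructed for the fixture (AgentTesla's real config layout is not shown on the page), while the host and username are the ones the report lists as IOCs.

```python
import re
from itertools import cycle


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; because XOR is self-inverse this both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key from a known plaintext prefix.

    Works whenever the known prefix covers at least one full key period,
    since ciphertext[i] ^ plaintext[i] == key[i % key_len].
    """
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than key period")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


FTP_RE = re.compile(rb"ftp://([A-Za-z0-9.-]+)/?")
USER_RE = re.compile(rb"user=([^|\s]+)")


def extract_ftp_config(plain: bytes) -> dict:
    """Pull the exfiltration host and username out of a decoded config blob."""
    host = FTP_RE.search(plain)
    user = USER_RE.search(plain)
    return {
        "host": host.group(1).decode() if host else None,
        "username": user.group(1).decode() if user else None,
    }


# Constructed fixture: key and field layout are assumptions; host/user come from the report.
SAMPLE_KEY = b"\x5a\x13\x7f"
SAMPLE_PLAIN = b"ftp://ftp.mgcpakistan.com/|user=ddd@mgcpakistan.com|pass=<redacted>"
SAMPLE_CIPHER = xor_decode(SAMPLE_PLAIN, SAMPLE_KEY)


def decode_sample() -> dict:
    """End-to-end: recover the key from the 'ftp://' prefix, decode, extract IOCs."""
    key = recover_key(SAMPLE_CIPHER, b"ftp://", len(SAMPLE_KEY))
    return extract_ftp_config(xor_decode(SAMPLE_CIPHER, key))


if __name__ == "__main__":
    print(decode_sample())
```

When the key length is unknown, the same recovery loop can be run for each candidate length and the result kept only where the decoded bytes are printable, which is how an analyst typically brute-forces short XOR keys in stealer configs.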
Network Communication
AgentTesla uses FTP for data exfiltration. Its FtpWebRequest requires an FTP server path and credentials to send the stolen data to the server, as shown in the screenshot below.
The screenshot shows how the FtpWebRequest is built, using the following values:
Username: “ddd@mgcpakistan[.]com”
Password: “*password*” (for security reasons we are not publishing the actual password here)
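The exfiltration channel described in this section is easy to hunt for because FTP is plaintext: the STOR command, the destination host and the login name are all visible to a proxy, firewall or Zeek sensor. The Python below is an added example, not code from the report. It runs a small rule set over constructed CSV log lines (the field layout is an assumption; the C2 host and username are the report's IOCs) and raises a high-severity alert on a known C2 match and a lower-severity one on any other FTP upload from the client network.

```python
import csv
import io
from typing import List

# Indicators from the report's IOC list (shown defanged there).
C2_FTP_HOSTS = {"ftp.mgcpakistan.com"}
C2_FTP_USERS = {"ddd@mgcpakistan.com"}

# Constructed sample log; the column layout is an assumption about an FTP-aware sensor.
SAMPLE_LOG = """\
ts,src_ip,dst_host,dst_port,command,user,arg
2023-02-01T10:00:01Z,10.1.2.3,ftp.example.net,21,RETR,backup,nightly.tar
2023-02-01T10:05:42Z,10.1.2.50,ftp.mgcpakistan.com,21,STOR,ddd@mgcpakistan.com,victim-PC_credentials.html
2023-02-01T10:06:10Z,10.1.2.50,ftp.mgcpakistan.com,21,STOR,ddd@mgcpakistan.com,victim-PC_screenshot.jpg
2023-02-01T10:07:00Z,10.1.2.9,files.partner.example,21,STOR,svc,report.pdf
"""


def detect_ftp_exfil(log_text: str) -> List[dict]:
    """Return one alert per FTP upload, with the reasons that fired."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["command"].upper() != "STOR":
            continue  # only uploads can carry stolen data out
        reasons = []
        if row["dst_host"].lower() in C2_FTP_HOSTS:
            reasons.append("known_c2_host")
        if row["user"].lower() in C2_FTP_USERS:
            reasons.append("known_c2_user")
        severity = "high" if reasons else "medium"
        if not reasons:
            # Plaintext FTP upload to an unknown server: worth review even without an IOC hit.
            reasons.append("plaintext_ftp_upload")
        alerts.append({
            "ts": row["ts"], "src_ip": row["src_ip"], "dst_host": row["dst_host"],
            "user": row["user"], "file": row["arg"],
            "severity": severity, "reasons": reasons,
        })
    return alerts


def sources_by_severity(alerts: List[dict], severity: str) -> set:
    """Distinct internal hosts that produced alerts of a given severity (for triage)."""
    return {a["src_ip"] for a in alerts if a["severity"] == severity}


if __name__ == "__main__":
    for alert in detect_ftp_exfil(SAMPLE_LOG):
        print(alert["severity"], alert["src_ip"], "->", alert["dst_host"], alert["reasons"])
```

The medium-severity rule is the durable part: the actor's hosts and credentials will change, but an endpoint that suddenly starts pushing files over plaintext FTP to a server nobody in the organization uses is the behaviour to baseline, and the report's own observation that the same FTP server recurred across 106 samples shows how long such indicators can stay useful.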
Conclusion
The Labs team will continue to monitor this threat actor's activity for further evolution. This threat actor doesn’t appear to be a major player in the threat landscape, but its targeting of government entities is certainly a reason to keep watching it.
IOCs
FTP
“ftp://ftp[.]mgcpakistan[.]com/”
Username: “ddd@mgcpakistan[.]com”
HTTP
cents-ability.org
be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d
5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99
Malware
a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e
5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d
f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad
397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3
7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8
efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf
c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331
Imphash values shared across the 106 FTP files:
f34d5f2d4577ed6d9ceec516c1f5a744 (86 files)
61259b55b8912888e90f516ca08dc514 (10 files)
Registry key opened by 82 of the 106 FTP files:
HKLM\Software\Microsoft\Fusion\LoggingLevel
Of the 106 samples, over half shared the following MITRE Techniques:
- Execution TA0002
  - Windows Management Instrumentation T1047
- Privilege Escalation TA0004
  - Process Injection T1055
- Defense Evasion TA0005
  - Disable or Modify Tools T1562.001
  - Virtualization/Sandbox Evasion T1497
  - Process Injection T1055
  - Obfuscated Files or Information T1027
  - Software Packing T1027.002
  - Masquerading T1036
- Credential Access TA0006
  - OS Credential Dumping T1003
- Discovery TA0007
  - System Information Discovery T1082
  - Security Software Discovery T1518.001
  - Virtualization/Sandbox Evasion T1497
  - Application Window Discovery T1010
  - Process Discovery T1057
- Collection TA0009
  - Data from Local System T1005
- Command and Control TA0011
  - Non-Application Layer Protocol T1095
  - Application Layer Protocol T1071