Menlo Labs has uncovered an unknown threat actor that’s leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities. The PureCrypter campaign uses the domain of a compromised non-profit organization as a Command and Control (C2) to deliver a secondary payload. The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware. Our investigation started when Menlo’s Cloud Security Platform blocked password-protected archive files across multiple government customers in the Asia-Pacific (APAC) and North America regions.
Menlo Labs assesses that this threat actor group will continue to use the compromised infrastructure for as long as it can before needing to find a new home. Leaving credentials in malware is an OpSec failure, but it also leaves a trace for analysts to follow. Fortunately, in this case Menlo’s Cloud Security Platform blocked the attack, which allowed Menlo Labs to see it and start tracking this actor.
Threat analysis showed that PureCrypter is downloading a secondary malware, believed to be AgentTesla.
PureCrypter is an advanced downloader that delivers Remote Access Trojans (RATs) and infostealers. It has been sold since March 2021 on “hxxps[://]purecoder.sellix.io/”. AgentTesla is an advanced backdoor with capabilities including stealing stored passwords from different browsers, clipboard logging, keylogging and screen capturing. It is written in .NET and supports all versions of the Windows operating system.
In our investigation, we found that AgentTesla establishes a connection to an FTP server to which it uploads the victim’s stolen credentials. The FTP server appears to have been taken over: leaked credentials for the domain were found online, suggesting that the threat actors used these credentials to gain access to the server.
It's also noteworthy that the download link for the secondary malware is from a compromised domain of a non-profit organization whose leaked credentials were also found online.
A sample similar to the AgentTesla malware we analyzed was discovered in a phishing email with the subject "FW: New Order no. 5959" from Alejandro Gonzalo (e052450f2@891f4e7e1668[.]com). The malicious attachment was named "Nuevo pedido 7887979-800898.gz" and contained FTP server credentials that were the same as those found in the first case.
Under that same email address, another malicious email titled "New Order" was also uncovered with an attached file called "Ppurchase order6007979-709797790.gz". This one also used the same FTP server – ftp[://]ftp.mgcpakistan[.]com – as part of its infection process!
The FTP server (ftp[://]ftp.mgcpakistan[.]com) was also seen in a campaign using OneNote to deliver malware. Attackers have been sending phishing emails with links to malicious OneNote files that can download additional malware or steal information from the victim's device. Altogether, the Labs team found 106 files using said FTP server.
In this campaign, Discord was used to host the payload, and a link to the payload is sent via email. To evade existing defenses, PureCrypter uses password protected ZIP files. Below is a screenshot that shows the poor detection of these password-protected payloads on VT.
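A password-protected ZIP still advertises that fact in its headers: bit 0 of each entry's general-purpose flag is set, which a gateway can check without the password. The following is an added example (not Menlo's code or tooling) that builds a constructed single-entry archive with that bit set and shows two ways to flag it, via the central directory and via a stream-friendly scan of local file headers; the archive body is not actually encrypted, only the flag is set.

```python
import io
import struct
import zipfile
import zlib

def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Constructed sample: a minimal single-entry ZIP written by hand so the
    general-purpose flag bit 0 ("encrypted") can be set; zipfile.writestr()
    always clears that bit. The body stays in the clear: only the flag matters."""
    flags = 0x0001 if encrypted else 0x0000
    crc = zlib.crc32(data) & 0xFFFFFFFF
    dos_time, dos_date = 0, 0x0021  # 1980-01-01 00:00, a valid DOS timestamp
    # Local file header: sig, version, flags, method (0 = stored), time, date,
    # crc32, compressed size, uncompressed size, name length, extra length.
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, dos_time, dos_date,
                        crc, len(data), len(data), len(name), 0) + name + data
    # Central directory entry (46 bytes + name); local header offset is 0.
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, dos_time,
                          dos_date, crc, len(data), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    # End of central directory: one entry, central directory size and offset.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def encrypted_entries(blob: bytes) -> list:
    """Gateway-style check using the central directory: names of entries whose
    general-purpose flag has the encrypted bit set. No password is needed."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x0001]

def scan_local_headers(blob: bytes) -> list:
    """Stream-friendly variant for truncated or still-downloading archives: walk
    local file header signatures, read the flag word at offset 6 and the name at
    offset 30, without relying on the central directory."""
    hits, pos = [], 0
    while (pos := blob.find(b"PK\x03\x04", pos)) != -1:
        if pos + 30 > len(blob):
            break  # signature too close to the end to hold a full header
        flags, = struct.unpack_from("<H", blob, pos + 6)
        nlen, = struct.unpack_from("<H", blob, pos + 26)
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        hits.append((name, bool(flags & 0x0001)))
        pos += 30
    return hits

if __name__ == "__main__":
    sample = build_zip(b"invoice.exe", b"MZ constructed stub", encrypted=True)
    print(encrypted_entries(sample))    # ['invoice.exe']
    print(scan_local_headers(sample))   # [('invoice.exe', True)]
```

Flagging the encrypted bit alone does not say what is inside; it only tells the gateway that content inspection cannot run, which is itself a useful signal for policy (block, quarantine or require the password out of band).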
The following steps were taken by the attacker to deliver the payload:
While we were not able to download the second stage payload from the PureCrypter sample mentioned above (md5 - 5420DCBAE4F1FBA8AFE85CB03DCD9BFC), we were able to identify similar samples which were seen downloading malicious payloads from the compromised non-profit organization. Upon further investigation, we determined that this was AgentTesla and that it was communicating with an FTP server located in Pakistan (as mentioned in the intel section above). The technical analysis below is for the new sample (md5 - C3B90A10922EEF6D635C6C786F29A5D0).
This downloaded binary is packed to evade initial detection. It contains the AgentTesla payload, encrypted in the resource section using the DES algorithm, as shown in the screenshot below.
The des.IV and des.Key used for the encrypted payload are shown in the screenshot below.
AgentTesla uses a process hollowing technique to inject its payload (md5 - BCF031AB2B43DC382B365BA3DF9F09BC) into cvtres.exe, a standard Windows process that exists across all versions of the Windows OS.
AgentTesla uses an XOR algorithm to encrypt its config file. The screenshot below shows the XOR-encoded config file.
Menlo Labs was able to decrypt the config file. The decrypted file is shown below.
The decrypted file contains the CnC details of the FTP server to which AgentTesla uploads the victim data.
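An analyst recovering an XOR-encoded config like this one usually knows a fragment of the plaintext (here, the FTP URL scheme) and can derive the key from it. The following is an added example (not Menlo's decryption code); the 3-byte repeating key and the pipe-separated host|user|password layout are constructed assumptions, since the page does not state AgentTesla's actual key or config format.

```python
from typing import Optional

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_repeating_key(blob: bytes, crib: bytes, keylen: int) -> Optional[bytes]:
    """Crib-drag: assume `crib` (e.g. b"ftp://") occurs somewhere in the plaintext.
    Each candidate offset reveals the key bytes the crib covers; a candidate key is
    accepted only if decoding the whole blob yields printable ASCII.
    Requires len(crib) >= keylen so every key byte is revealed."""
    if len(crib) < keylen:
        return None
    for off in range(len(blob) - len(crib) + 1):
        key = bytearray(keylen)
        for i, c in enumerate(crib):
            key[(off + i) % keylen] = blob[off + i] ^ c
        if all(32 <= b < 127 for b in xor_bytes(blob, bytes(key))):
            return bytes(key)
    return None

def parse_config(plaintext: bytes) -> dict:
    """Assumed layout for this example: host|user|password, pipe separated.
    This is a constructed format, not AgentTesla's real one."""
    host, user, password = plaintext.decode("ascii").split("|")
    return {"host": host, "user": user, "password": password}

def decode_config(blob: bytes, crib: bytes = b"ftp://", keylen: int = 1) -> Optional[dict]:
    """Recover the key from the crib and return the parsed config, or None."""
    key = recover_repeating_key(blob, crib, keylen)
    return None if key is None else parse_config(xor_bytes(blob, key))

# Constructed sample: a config encoded with an assumed 3-byte key.
SAMPLE_KEY = b"\x5a\x13\xc7"
SAMPLE_CONFIG = b"ftp://ftp.example.invalid|uploader|Pa55w0rd-constructed"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_config(SAMPLE_BLOB, keylen=3))
```

The recovered host and credentials are the indicators worth blocking or hunting for, exactly the CnC details the decrypted file above exposes.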
AgentTesla uses FTP for data exfiltration. It builds an FtpWebRequest, which requires an FTP server path and credentials, to send the stolen data to the server shown in the screenshot below:
This screenshot shows how the FtpWebRequest is constructed:
“*password*” - for security reasons, we are not including the real password here.
The Labs team will continue to monitor for evolution in this threat actor’s activity. This threat actor doesn’t appear to be a major player in the threat landscape, but its targeting of government entities is surely a reason to keep watching it.
F34d5f2d4577ed6d9ceec516c1f5a744 (86 files)
61259b55b8912888e90f516ca08dc514 (10 files)
Of the 106 samples, over half shared the following MITRE Techniques: