September 30, 2023

Researchers have discovered an unknown threat group has been targeting government agencies in the Asia Pacific and North America regions via abuse of the popular Discord network and a hijacked website belonging to a non-profit.

The two-stage attacks include enticing victims to install the PureCrypter downloader, which then delivers a variety of possible malware payloads.

PureCrypter is written in .NET and supports all Windows operating systems. Its primary goals are to steal passwords stored by different browsers, log the clipboard, log keystrokes, and capture the screen.


The PureCrypter campaign uses the domain of a compromised non-profit organization as a command and control (C2) server to deliver a secondary payload. The campaign delivered several types of malware, including Redline Stealer, Agent Tesla, Eternity, Blackmon, and Philadelphia ransomware.

The following steps were taken by the attacker to deliver the payload:

  • An email containing a Discord CDN URL pointing to a malicious password-protected ZIP file is sent to the victim (https://cdn[.]discordapp[.]com/attachments/1006638283645784218/1048923462128914512/Private_file__dont_share.zip, password: 1234).
  • The ZIP extracts a loader written in .NET called PureCrypter. The loader tries to download a secondary payload from the compromised non-profit organization shown in the screenshot below. At the time of the investigation the compromised non-profit organization's website was down, and the researchers were unable to retrieve the secondary payload.

The researchers said that while leaving credentials in the malware was an operational failure by the threat actor, it left a trace for analysts to follow. Hosting payloads on Discord is becoming a common TTP, and Discord responds quickly to malware takedown requests. Threat actors are increasingly using paid malware written and tested by third parties.


This research was documented by researchers from Menlo Security.

Indicators of Compromise

FTP

  • “ftp://ftp[.]mgcpakistan[.]com/”
  • Username: “ddd@mgcpakistan[.]com”

HTTP

  • cents-ability.org

Email

  • be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d
  • 5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99

Malware

  • a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e
  • 5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d
  • f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad
  • 397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3
  • 7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8
  • efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf
  • c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331
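One way a defender can sweep local telemetry for the delivery chain and indicators listed above, as an added example that is not part of the article or of Menlo Security's research. It refangs the published indicators, matches the Discord indicator by its full attachment URL rather than by host (the CDN domain itself is legitimate and would otherwise flood the results), matches the C2 and FTP hosts by domain suffix, and compares SHA-256 hashes of files against the published list. The proxy log lines and file contents are constructed for the example; the function names and log format are assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the article above, kept defanged as published.
IOC_URLS_DEFANGED = [
    "https://cdn[.]discordapp[.]com/attachments/1006638283645784218/"
    "1048923462128914512/Private_file__dont_share.zip",
]
IOC_HOSTS_DEFANGED = ["ftp[.]mgcpakistan[.]com", "cents-ability.org"]
IOC_SHA256 = {
    # email attachments
    "be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d",
    "5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99",
    # malware samples
    "a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e",
    "5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d",
    "f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad",
    "397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3",
    "7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8",
    "efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf",
    "c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
IOC_HOSTS = {refang(h).lower() for h in IOC_HOSTS_DEFANGED}

# Constructed sample proxy log (not from the article): "timestamp client method url".
# Line 4 is ordinary Discord CDN traffic and must NOT be flagged; line 5 is unrelated.
SAMPLE_PROXY_LOG = """\
2023-09-30T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1006638283645784218/1048923462128914512/Private_file__dont_share.zip
2023-09-30T10:01:40Z 10.0.0.5 GET https://cents-ability.org/update.bin
2023-09-30T10:01:55Z 10.0.0.5 FTP ftp://ftp.mgcpakistan.com/
2023-09-30T10:02:03Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/111/222/team-photo.png
2023-09-30T10:02:11Z 10.0.0.7 GET https://www.example.org/index.html
"""

URL_RE = re.compile(r"(?:https?|ftp)://\S+")


def scan_proxy_log(log_text: str, urls=IOC_URLS, hosts=IOC_HOSTS):
    """Return (line_number, kind, value) for each line matching an IoC.

    kind is "url" for an exact URL match (the Discord attachment) or "host"
    for a host that equals or is a subdomain of a listed C2/FTP host.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(0)
        host = (urlsplit(url).hostname or "").lower()
        if url in urls:
            hits.append((lineno, "url", url))
        elif any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((lineno, "host", host))
    return hits


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA-256 of a byte string, matching the list's format."""
    return hashlib.sha256(data).hexdigest()


def sha256_hits(samples: dict, hashes=IOC_SHA256) -> dict:
    """Hash each sample's bytes and report those whose SHA-256 is on the IoC list."""
    return {name: h for name, data in samples.items()
            if (h := sha256_hex(data)) in hashes}


if __name__ == "__main__":
    for lineno, kind, value in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {kind} match {value}")
    # Constructed benign file content; it is not expected to match any listed hash.
    print(sha256_hits({"notes.txt": b"quarterly report draft"}))
```

Matching the Discord indicator on the full URL is deliberate: a rule on `cdn.discordapp.com` alone would fire on every legitimate attachment download, while the attachment path identifies the specific lure. Because the listed hashes are case-insensitive hex, both the list and `sha256_hex` use lower case so a stray capital (as in the last published hash) cannot cause a missed match.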
