A threat actor has targeted government entities with the PureCrypter malware downloader, which has been seen delivering several infostealers and ransomware strains.
Menlo Security researchers discovered that the malicious actor used Discord to host the initial payload and compromised a non-profit organization's server to host the additional payloads used in the campaign.
“The campaign was found to have delivered multiple types of malware, including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia Ransomware,” the researchers said.
According to the researchers, the observed PureCrypter campaign targeted several government organizations in the Asia-Pacific (APAC) and North America regions.
The attack begins with an email containing a Discord app URL pointing to a PureCrypter sample in a password-protected ZIP archive.
PureCrypter is a .NET-based malware downloader first seen in the wild in March 2021. Its operator rents it to other cybercriminals to distribute various types of malware.
Once executed, it delivers the next stage payload from a command and control server, which is the compromised server of a non-profit organization in this case.
The sample that Menlo Security researchers analyzed was AgentTesla. Once launched, it establishes a connection to a Pakistan-based FTP server which is used to receive the stolen data.
Researchers found that the threat actors used leaked credentials to take control of an existing FTP server rather than setting up their own, which reduces the risk of identification and minimizes their trail.
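The attack chain above has two network-visible stages that a detection engineer can look for: a workstation pulling a password-protected archive from Discord's CDN, and a workstation (rather than a mail or file server) opening an outbound FTP or SMTP connection to the internet. The following is an added example, not code from Menlo Security or from the article; the log format, hostnames, IP addresses and the "WS-" naming convention for workstations are constructed assumptions, and the internal-range list is RFC1918 only, so adjust it for a real estate.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed proxy/firewall log (not from the article). Assumed format:
# <timestamp> <src_host> <proto> <dst_host_or_ip>:<port> <url or ->
SAMPLE_LOG = """\
2023-02-20T09:12:01Z WS-FIN-07 https cdn.discordapp.com:443 https://cdn.discordapp.com/attachments/123/456/invoice_feb.zip
2023-02-20T09:12:05Z WS-FIN-07 https www.example.org:443 https://www.example.org/news
2023-02-20T09:13:40Z WS-FIN-07 tcp 203.0.113.25:21 -
2023-02-20T09:14:02Z MAIL-GW-01 tcp 198.51.100.9:25 -
2023-02-20T09:15:11Z WS-HR-02 tcp 203.0.113.25:25 -
2023-02-20T09:16:00Z WS-FIN-07 tcp 10.0.5.20:21 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (\S+)$")

# Discord attachment hosts (real CDN names) and archive types worth flagging.
DISCORD_CDN_HOSTS = ("cdn.discordapp.com", "media.discordapp.net")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")

# Ports AgentTesla exfiltrates over (FTP, SMTP) that a workstation rarely needs.
EXFIL_PORTS = {21: "ftp", 25: "smtp"}

# Assumption: only RFC1918 and loopback count as internal. Extend for your site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_workstation(host):
    # Assumed naming convention: workstations are prefixed "WS-".
    return host.startswith("WS-")


def is_external_ip(dst):
    """True only for IP literals outside INTERNAL_NETS; hostnames are skipped."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return (rule, source_host, indicator) tuples for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, src, _proto, dst, port, url = m.groups()
        port = int(port)

        # Rule 1: archive fetched from Discord's CDN (initial PureCrypter stage).
        if url != "-":
            u = urlparse(url)
            if u.hostname in DISCORD_CDN_HOSTS and u.path.lower().endswith(ARCHIVE_EXT):
                findings.append(("discord_cdn_archive", src, url))

        # Rule 2: workstation talking FTP/SMTP directly to the internet
        # (AgentTesla exfiltration); mail and file servers are exempt by name.
        if is_workstation(src) and port in EXFIL_PORTS and is_external_ip(dst):
            findings.append((f"workstation_{EXFIL_PORTS[port]}_to_internet",
                             src, f"{dst}:{port}"))
    return findings


if __name__ == "__main__":
    for rule, host, indicator in analyze(SAMPLE_LOG):
        print(f"{rule:32} {host:12} {indicator}")
```

Rule 2 deliberately ignores internal destinations (the last sample line) so that a legitimate internal FTP server does not fire it; in practice the exempt-host list would come from an asset inventory rather than a hostname prefix.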
AgentTesla still in use
AgentTesla is a .NET malware family that has been used by cybercriminals for eight years. Its use peaked in late 2020 and early 2021.
A recent Cofense report points out that despite its age, AgentTesla remains a cost-effective, high-performance backdoor that has undergone continuous development and improvement over the years.
AgentTesla’s keylogging activity accounted for approximately one-third of all keylogging reports recorded by Cofense Intelligence in 2022.
The malware’s capabilities include the following:
- Log victim keystrokes to capture sensitive information such as passwords.
- Steal passwords saved in web browsers, email clients or FTP clients.
- Capture desktop screenshots that may reveal confidential information.
- Intercept data copied to the clipboard, including text, passwords and credit card details.
- Exfiltrate stolen data to C2 via FTP or SMTP.
In the attacks investigated by Menlo Labs, the threat actors used process hollowing to inject the AgentTesla payload into a legitimate process (“cvtres.exe”) to evade detection by antivirus tools.
Additionally, AgentTesla uses XOR encryption to obscure its configuration and its communications with the C2 server from network traffic monitoring tools.
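XOR with a short repeating key hides strings from a casual look but is not real encryption: anyone who knows a few bytes of the plaintext (such as the `ftp://` prefix of an exfiltration URL) can recover the key by sliding that known fragment across the encrypted blob. The example below is added here and is not AgentTesla's code or Menlo Security's analysis; the configuration string and the 4-byte key are constructed for illustration, and the crib-dragging routine is generalized to any key length shorter than the known plaintext.

```python
import string

# Constructed sample (not from the article): an AgentTesla-style config with
# an FTP exfiltration target, XORed with a short repeating key. The key and
# the values are assumptions made for this example.
CONFIG = b"ftp://ftp.example.net:21|user=exfil|pass=Pa55w0rd|"
KEY = bytes([0x5A, 0xA7, 0x13, 0xC4])

PRINTABLE = set(string.printable.encode())


def xor_bytes(data, key):
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# What an analyst would carve out of the sample or capture on the wire.
BLOB = xor_bytes(CONFIG, KEY)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; used to score candidates."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def crib_drag(blob, crib, keylen):
    """Slide a known plaintext (crib) across blob. At each offset, each crib
    byte implies one key byte for its key slot (position mod keylen). Keep the
    offsets where no slot receives two conflicting values. Requires the crib
    to be longer than the key so at least one slot is cross-checked."""
    if len(crib) <= keylen:
        raise ValueError("crib must be longer than keylen")
    hits = []
    for off in range(len(blob) - len(crib) + 1):
        key = [None] * keylen
        ok = True
        for j, c in enumerate(crib):
            slot = (off + j) % keylen
            k = blob[off + j] ^ c
            if key[slot] is not None and key[slot] != k:
                ok = False
                break
            key[slot] = k
        if ok:
            hits.append((off, bytes(key)))
    return hits


def recover_config(blob, crib, max_keylen=8, min_ratio=0.95):
    """Try key lengths 1..max_keylen (bounded by the crib length) and return
    (key, plaintext) for the candidate whose decryption is most printable,
    or None if no candidate clears min_ratio."""
    best = None
    for keylen in range(1, min(max_keylen, len(crib) - 1) + 1):
        for _off, key in crib_drag(blob, crib, keylen):
            plain = xor_bytes(blob, key)
            score = printable_ratio(plain)
            if score >= min_ratio and (best is None or score > best[0]):
                best = (score, key, plain)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    key, plain = recover_config(BLOB, b"ftp://")
    print("key:", key.hex())
    print("config:", plain.decode())
```

The printable-ratio threshold is what rejects coincidental matches at wrong key lengths; for a config that legitimately contains binary fields, lower `min_ratio` or score on a known delimiter instead. The same approach applies to captured C2 traffic when the protocol has a predictable header.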
Menlo Security believes that the threat actor behind the PureCrypter campaign is not a major one, but its activity is worth monitoring due to the targeting of government entities.
It is likely that the attacker will continue to use the compromised infrastructure for as long as possible before being forced to find a new one.