Governments Under Attack: Examining a New PureCrypter Campaign

Governments are bearing the brunt of a new wave of cybercrime. 

While traditionally, we’ve seen the private sector suffering the most from malicious activities as threat actors execute attacks specifically designed for financial extortion, public sector agencies are now coming under growing fire from cyber-criminals with ulterior motives. 

In the past year, state-sponsored threat actors have risen to the fore, largely due to heightened tensions in the international arena that have stemmed from the Russian invasion of Ukraine.

Critically, the motivations of state-sponsored adversaries are usually different from those of actors targeting the private sector. Rather than seeking monetary gain, their goals are generally more nuanced: disrupting essential public services, stealing state secrets, spreading disinformation and/or causing national embarrassment. 

Research from Q3 of 2022 suggests that the government/military is now the second most targeted industry, with this vertical said to be facing 1564 incidents every week – an increase of 20% over the same period in 2021. 

Analysing PureCrypter Distribution via Discord URLs

This shift towards public sector agencies has been evident in several campaigns we have been tracking, and our Menlo Labs team has recently identified one threat actor using evasive attack methods specifically targeting government entities.

This specific example has involved PureCrypter – a malware loader typically used to deploy remote access trojans and information stealers. 

While PureCrypter has been a known threat since March 2021, its capabilities have continued evolving and advancing. Indeed, in June 2022, the New Jersey Cybersecurity & Communications Integration Cell reported that operators had actively been developing the loader’s capabilities to ensure it could evade anti-virus software, for example. 

Our cloud security platform blocked password-protected archive files targeting several of our government customers based in North America and Asia Pacific during this campaign. 

We have seen that the threat actors are now looking to distribute their specific malware using the popular messaging application Discord via URLs that, in turn, point to the malicious password-protected ZIP files.

It is these ZIP files that are used to execute the PureCrypter loader. However, digging deeper, we then found that the loader would subsequently attempt to download a secondary payload from a compromised non-profit organization’s domain, which the attackers were using as command-and-control (C2) infrastructure. 
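A defender-side check for the delivery format described above, added here as an example and not Menlo's own code: it reads a ZIP's central directory directly and flags password-protected entries, which cannot be content-scanned and are therefore blocked rather than passed through. The sample archive is constructed inline and is not from the campaign.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDFH_SIG = b"PK\x01\x02"   # central-directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
FLAG_ENCRYPTED = 0x0001    # bit 0 of the general-purpose bit flag


def encrypted_entries(zip_bytes: bytes) -> list:
    """Names of password-protected entries, read from the central directory.
    No password is needed (the bit lives in the headers), and the central
    directory has reliable lengths even when entries use data descriptors."""
    eocd = zip_bytes.rfind(EOCD_SIG, max(0, len(zip_bytes) - 65557))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    n_entries, _cd_size, pos = struct.unpack_from("<HII", zip_bytes, eocd + 10)
    names = []
    for _ in range(n_entries):
        if zip_bytes[pos:pos + 4] != CDFH_SIG:
            raise ValueError("corrupt central directory")
        flags = struct.unpack_from("<H", zip_bytes, pos + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", zip_bytes, pos + 28)
        name = zip_bytes[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return names


def should_block(zip_bytes: bytes) -> bool:
    """Policy used here: any entry that cannot be inspected means the whole
    archive is blocked instead of being delivered unscanned."""
    return bool(encrypted_entries(zip_bytes))


def make_sample_zip(password_protected: bool) -> bytes:
    """Constructed sample (not from the campaign): a one-entry archive whose
    encryption bit is optionally set in both headers, the way a password-
    protected ZIP presents itself. The data itself is left unencrypted,
    which is enough to exercise the header check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.exe", b"MZ" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if password_protected:
        for sig, flags_off in ((LFH_SIG, 6), (CDFH_SIG, 8)):
            at = data.find(sig) + flags_off
            struct.pack_into("<H", data, at, struct.unpack_from("<H", data, at)[0] | FLAG_ENCRYPTED)
    return bytes(data)
```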

At the point of the Menlo Labs team investigation, the compromised non-profit organization’s website had already been taken down, meaning we could not retrieve this second payload for analysis. However, we found that the organization’s domain credentials had been leaked online, suggesting that the threat actors will likely keep using different compromised infrastructure, hopping between them as needed to execute attacks.

Equally, we were also able to find similar incident samples where malicious payloads had previously been downloaded from the targeted non-profit. In these instances, PureCrypter had delivered several types of malware, from Redline Stealer, AgentTesla and Eternity to Blackmoon and the Philadelphia Ransomware.

A Plethora of Threat Attempts

In this latest instance, we were able to determine the presence of AgentTesla – an advanced backdoor used for malicious activities such as clipboard logging, keylogging and screen capturing, as well as stealing passwords stored in browsers.

Typically, AgentTesla executes by injecting its payload via a process hollowing technique, and it uses an XOR algorithm to encrypt its configuration file. We were able to decrypt the file and conduct technical analysis, finding that the malware payload was stored, encrypted with the Data Encryption Standard (DES) algorithm, in the resource section of the downloaded binary.

We also discovered that the downloaded binary had been packed to evade initial detection. Further, once executed, the malware would exfiltrate stolen credentials to a Pakistan-based FTP server.

This particular infection chain was found to have similarities with 106 other attacks we have explored. In one example, we uncovered the use of a malicious attachment in a phishing campaign containing the same FTP server credentials as the PureCrypter campaign. The same FTP server was also used in another campaign that surfaced, which was identified as using OneNote to deliver malware.

While the threat actor behind these campaigns does not appear to be a major player, it is evidence of a more concerning trend – that government entities are increasingly entering the line of sight of cyber-criminals.

It is a big concern. Government entities hold incredibly sensitive information, from national secrets and highly classified assets to personally identifiable information (PII). They are also responsible for the success of vital social services and the functioning of critical national infrastructure.

Given the uptick in threats, it is more important than ever for government agencies to ensure adequate protection, embracing modern solutions capable of combating modern threats.