    PureCrypter malware attacks government organizations with ransomware and information stealers

    Researchers from Menlo Security recently discovered that unknown attackers have carried out a series of attacks on government agencies in the Asia-Pacific region and North America. The PureCrypter malware used in these attacks is capable of delivering several types of ransomware and information stealers to the victim's computer at once.

    “The malware campaign delivered several types of malware, including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia Ransomware,” the researchers said.

    PureCrypter is a .NET-based malware loader that first appeared publicly in March 2021. Its operator rents the loader out to other cybercriminals to distribute various types of malware.

    When activated, PureCrypter delivers a payload from a C2 server, which in the last reported attack was a compromised server of an unnamed non-profit organization.

    The sample the Menlo Security researchers analyzed is called AgentTesla. When launched, it establishes a connection to a Pakistani FTP server, which is used to store the stolen data.

    AgentTesla is a .NET malware family that has been used by cybercriminals for the past eight years. Its "popularity" peaked between the end of 2020 and the beginning of 2021.

    A recent Cofense report highlights that despite its age, AgentTesla remains a cost-effective and high-performance backdoor that has been constantly developed and improved over the years. AgentTesla keylogger activity accounts for roughly a third of all keylogger reports registered by Cofense Intelligence in 2022.

    Malware capabilities include the following:

    • logging the victim's keystrokes to collect confidential information;
    • stealing passwords stored in web browsers, email or FTP clients;
    • taking screenshots of the desktop;
    • capturing data from the clipboard;
    • exfiltrating stolen data to a C2 server via FTP or SMTP.

    In the attacks studied by Menlo Security, the attackers used the "process hollowing" technique to inject the AgentTesla payload into a legitimate process ("cvtres.exe") to avoid detection by antivirus tools. In addition, AgentTesla uses XOR encryption to protect its communication with the C2 server.
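
A detection sketch for the behaviour described above, added here as an example and not taken from the Menlo Security report: cvtres.exe is a build helper, so an instance with a non-compiler parent or with any outbound connection (FTP or SMTP in particular) is worth triage. The event field names, the expected-parent list, and all sample hosts, paths, PIDs and IPs are assumptions constructed for illustration, modelled on Sysmon process-creation (ID 1) and network-connection (ID 3) events.

```python
from collections import defaultdict

# Assumption: build tools allowed to launch cvtres.exe; tune for your environment.
EXPECTED_PARENTS = {"csc.exe", "vbc.exe", "link.exe"}
EXFIL_PORTS = {21: "FTP", 25: "SMTP", 465: "SMTP", 587: "SMTP"}
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_suspicious_cvtres(events):
    """Map (host, pid) -> reasons for cvtres.exe instances that do not act like a build helper."""
    findings = defaultdict(list)
    for ev in events:
        if basename(ev["image"]) != "cvtres.exe":
            continue
        key = (ev["host"], ev["pid"])
        if ev["event_id"] == 1:  # process creation: check who launched it
            parent = basename(ev["parent_image"])
            if parent not in EXPECTED_PARENTS:
                findings[key].append(f"unexpected parent {parent}")
        elif ev["event_id"] == 3:  # network connection: cvtres.exe should make none
            proto = EXFIL_PORTS.get(ev["dest_port"], "other")
            findings[key].append(f"outbound {proto} to {ev['dest_ip']}:{ev['dest_port']}")
    return dict(findings)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal build: the C# compiler launches cvtres.exe, no network activity.
    {"event_id": 1, "host": "BUILD01", "pid": 4120, "image": CVTRES,
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
    # cvtres.exe started by a non-compiler binary, then connecting out over FTP.
    {"event_id": 1, "host": "WS-114", "pid": 7764, "image": CVTRES,
     "parent_image": r"C:\Users\Public\loader_sample.exe"},
    {"event_id": 3, "host": "WS-114", "pid": 7764, "image": CVTRES,
     "dest_ip": "203.0.113.10", "dest_port": 21},
    # A real FTP client on the same host is ignored by this rule.
    {"event_id": 3, "host": "WS-114", "pid": 5012,
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "dest_ip": "198.51.100.7", "dest_port": 21},
]

if __name__ == "__main__":
    for (host, pid), reasons in find_suspicious_cvtres(SAMPLE_EVENTS).items():
        print(f"{host} pid={pid}: " + "; ".join(reasons))
```

In production the PID key should be replaced by a stable process identifier, since PIDs are reused over time.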

    Menlo Security believes that the attackers behind the PureCrypter campaign are not a major threat actor, but their activity is worth monitoring because of their focus on government agencies.

    It is likely that attackers will continue to use the compromised infrastructure for as long as possible before switching to a new one.

    Author DeepWeb