Cybercrime , Fraud Management & Cybercrime

PureCrypter Targets North America, APAC Government Agencies

Hackers Uses Same FTP Server as Earlier OneNote Phishing Campaign
PureCrypter Targets North America, APAC Government Agencies

A hacking campaign targeting government entities in the Asia-Pacific and North America regions with an info stealer hosted on a Discord server shares infrastructure with an earlier campaign that used Microsoft OneNote files to deliver malware.

See Also: Federal Capability Statement: Deception-Powered Cybersecurity Solutions for Government

Researchers at Menlo Security spotted an unknown threat actor that they say doesn't appear to be a major player but that bears watching for its pursuit of government entities.

Hackers behind the campaign use email to coax would-be victims into downloading the PureCrypter malware downloader by clicking on a link leading to a Discord server. The downloader retails online for $59 and uses obfuscation techniques to evade detection by antivirus, Zscaler wrote in a 2022 blog post.

When Menlo Security researchers attempted to follow the PureCrypter link to obtain the secondary payload, they couldn't, since the link led to a compromised web domain that, at the time, appeared to be down.

Other samples taken from the campaign showed the download to be AgentTesla, an info stealer that first appeared in 2014. Its usage has soared since late 2020, cybersecurity company Cofense recently wrote.

The campaign has also used PureCrypter to download the Redline Stealer, Eternity, Blackmoon and Philadelphia ransomware.

The Agent Tesla downloader used stolen credentials to an FTP server apparently belonging to a Pakistani toothpaste company. The same FTP server was part of a campaign identified by Proofpoint that delivered malware using files formatted for OneNote, the note-taking app Microsoft bundles into its Office suite (see: Microsoft OneNote Is Latest Malware Vector).

Menlo Security was able to log onto the FTP server because it found a hard-coded password in the malware it analyzed.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.