Cybercrime , Fraud Management & Cybercrime
PureCrypter Targets North America, APAC Government AgenciesHackers Uses Same FTP Server as Earlier OneNote Phishing Campaign
A hacking campaign targeting government entities in the Asia-Pacific and North America regions with an info stealer hosted on a Discord server shares infrastructure with an earlier campaign that used Microsoft OneNote files to deliver malware.
See Also: OnDemand | Understanding Human Behavior: Tackling Retail's ATO & Fraud Prevention Challenge
Researchers at Menlo Security spotted an unknown threat actor that they say doesn't appear to be a major player but that bears watching for its pursuit of government entities.
Hackers behind the campaign use email to coax would-be victims into downloading the PureCrypter malware downloader by clicking on a link leading to a Discord server. The downloader retails online for $59 and uses obfuscation techniques to evade detection by antivirus, Zscaler wrote in a 2022 blog post.
When Menlo Security researchers attempted to follow the PureCrypter link to obtain the secondary payload, they couldn't, since the link led to a compromised web domain that, at the time, appeared to be down.
Other samples taken from the campaign showed the download to be AgentTesla, an info stealer that first appeared in 2014. Its usage has soared since late 2020, cybersecurity company Cofense recently wrote.
The campaign has also used PureCrypter to download the Redline Stealer, Eternity, Blackmoon and Philadelphia ransomware.
The Agent Tesla downloader used stolen credentials to an FTP server apparently belonging to a Pakistani toothpaste company. The same FTP server was part of a campaign identified by Proofpoint that delivered malware using files formatted for OneNote, the note-taking app Microsoft bundles into its Office suite (see: Microsoft OneNote Is Latest Malware Vector).
Menlo Security was able to log onto the FTP server because it found a hard-coded password in the malware it analyzed.