Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter that is being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers.
“The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption, and obfuscation to evade antivirus software products,” Zscaler’s Romain Dumont said in a new report.
Some of the malware families distributed using PureCrypter include Agent Tesla, Arkei, AsyncRAT, AZORult, DarkCrystal RAT (DCRat), LokiBot, NanoCore, RedLine Stealer, Remcos, Snake Keylogger, and Warzone RAT.
Sold for a price of $59 by its developer, named “PureCoder,” for a one-month plan (and $249 for a one-off lifetime purchase) since at least March 2021, PureCrypter is advertised as the “only crypter in the market that uses offline and online delivery technique.”
Crypters act as the first layer of defense against reverse engineering and are typically used to pack the malicious payload. PureCrypter also features what it claims is an advanced mechanism to inject the embedded malware into native processes, and a variety of configurable options to achieve persistence on startup and to enable additional options for staying under the radar.
Also offered is a Microsoft Office macro builder and a downloader, highlighting the potential initial infection routes that can be employed to propagate the malware.
Interestingly, while PureCoder makes it a point to note that the “software was made for educational purposes only,” its terms of service (ToS) forbid buyers from uploading the tool to malware scanning databases such as VirusTotal, Jotti, and MetaDefender.
“You are not allowed to scan the crypted file, as the crypter itself has a built-in scanner,” the ToS further states.
In one sample analyzed by Zscaler, a disk image file (.IMG) was found to contain a first-stage downloader that, in turn, retrieves and runs a second-stage module from a remote server, which subsequently injects the final malware payload into other processes such as MSBuild.
PureCrypter also offers a number of noteworthy features that allow it to remove itself from the compromised machine and report the infection status to the author via Discord and Telegram.
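As an added defensive illustration (not code from the Zscaler report or from this article), the following script flags the two traits described above in constructed process and network telemetry: MSBuild being started by something other than a build tool, and a non-messaging process contacting the Discord or Telegram APIs. The parent allowlist, the client allowlist and the hostnames are assumptions to tune per environment; the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str          # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str         # full path of the executable
    parent: str = ""   # parent executable path, process events only
    dest: str = ""     # destination host, network events only

# Assumptions to tune per environment: parents that legitimately start MSBuild,
# hostnames for the reporting channels the article names, and clients allowed
# to talk to them.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe"}
REPORTING_HOSTS = {"discord.com", "api.telegram.org"}
MESSAGING_CLIENTS = {"discord.exe", "telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_suspicious(events):
    """Return [(pid, reason), ...] for events showing either trait."""
    alerts = []
    for e in events:
        name = basename(e.image)
        if e.kind == "process" and name == "msbuild.exe":
            parent = basename(e.parent)
            if parent not in EXPECTED_MSBUILD_PARENTS:
                alerts.append((e.pid, f"msbuild.exe spawned by {parent}"))
        elif e.kind == "network" and e.dest.lower() in REPORTING_HOSTS:
            if name not in MESSAGING_CLIENTS:
                alerts.append((e.pid, f"{name} contacted {e.dest.lower()}"))
    return alerts

def correlate(alerts):
    """PIDs that triggered both traits: the strongest signal of the chain."""
    by_pid = {}
    for pid, reason in alerts:
        by_pid.setdefault(pid, []).append(reason)
    return sorted(pid for pid, reasons in by_pid.items() if len(reasons) > 1)

# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    Event("process", 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          parent=r"C:\Users\u\AppData\Local\Temp\invoice.exe"),
    Event("network", 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          dest="api.telegram.org"),
    Event("process", 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          parent=r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    Event("network", 300, r"C:\Program Files\Google\Chrome\chrome.exe", dest="discord.com"),
]

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_EVENTS)
    for pid, reason in hits:
        print(pid, reason)
    print("correlated pids:", correlate(hits))
```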
Some parts of this article are sourced from:
thehackernews.com