From Stealers to Ransomware PureCrypter Delivers It All


Threat Group: Unknown (distributed by cybercriminals through various malware-as-a-service campaigns)
Threat Type: Malware Loader
Exploited Vulnerabilities: Primarily relies on phishing emails with malicious attachments or links
Malware Used: PureCrypter
Threat Score: High (8.2/10) – due to its ability to deliver multiple malware strains and the sophistication of its obfuscation and persistence mechanisms
Last Threat Observation: January 2025


Overview

PureCrypter is a malware loader that has been active since at least March 2021. It has been observed distributing various strains of malware, including information stealers, remote access trojans (RATs), ransomware, and keyloggers. Its flexible delivery methods and advanced evasion techniques make it a significant threat to organizations and individuals globally. In recent campaigns, PureCrypter has been used to deliver payloads such as Agent Tesla, Snake Keylogger, and a previously undocumented backdoor dubbed TorNet. Phishing emails have been the primary infection vector in these attacks.


Key Details

Delivery Method:

  • Phishing emails with malicious attachments (e.g., .tgz files)
  • Malicious URLs embedded in emails

Target:

  • Users in Poland and Germany
  • Focus on Windows operating systems

Functions:

  • Loads and executes multiple malware payloads
  • Obfuscates payloads to bypass antivirus detection
  • Establishes persistence on the target system
  • Evades detection through advanced anti-analysis techniques
  • Collects and exfiltrates sensitive information

Obfuscation Techniques:

  • Code obfuscation and encryption
  • Anti-sandboxing and anti-debugging features
  • Use of unique identifiers to avoid reuse detection


Attack Vectors

PureCrypter leverages phishing campaigns as its primary delivery mechanism. Emails often contain malicious attachments (e.g., .tgz files) or URLs redirecting users to download the loader. Once executed, PureCrypter decrypts and deploys a malware payload onto the victim's device. It uses advanced anti-analysis techniques to evade detection during the execution process, including dynamic API loading, detecting virtualized environments, and disabling security tools on the host. In recent campaigns, PureCrypter has been observed delivering payloads such as Agent Tesla, Snake Keylogger, and the TorNet backdoor. These payloads allow attackers to gain remote access, steal credentials, and exfiltrate sensitive data from the victim's system.


Known Indicators of Compromise (IoCs)

Filehash (MD5)

  • 0f60f086665fd4d442821851c878c21b
  • 83999a2ce0109ea4adbecb3a96744e8c
  • a7c14a39a5ee93ca25ab793be06c1478
  • 491310d10c0ea2d217c90a2403c20bea

Filehash (SHA256)

  • 3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8
  • 5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab
  • e5b27dc1672088a5a584467511a02844d45f4eb6af92a96373c803fd3dc5e6b7
  • a20f2623022bc0d5bdc49b235736cc791a3392198d7a601b2478c1974d5d9f17

Filehash (SHA1)

  • a4d4f31fb794bbf59be542f493aea9f9e3857d4
  • 4b94f4b23b157c7ae2df54e251cd4d22c683134d
  • c9eb61977fa0fd1bf1c9e7175a0088289e6b9bbd
  • 5bd371ae2edc0c2cf926e1543e4cdd7d92c83577

IP Addresses

  • 5[.]181.80.126
  • 91[.]92.240.95
  • 91[.]92.120.119

URLs

  • Http[x]://5.181.80.126/Hjysa.mp4

Domains

  • gator3220.hostgator[.]com
  • Teleturismo[.]it


Mitigation and Prevention

User Awareness:

  • Conduct regular training sessions to educate users on identifying phishing emails and malicious links.

Email Filtering:

  • Deploy advanced email security solutions with real-time scanning for malicious attachments and URLs.

Antivirus Protection:

  • Use endpoint detection and response (EDR) solutions to identify and neutralize malware loaders like PureCrypter.

Two-Factor Authentication (2FA):

  • Enforce 2FA across all systems to mitigate credential theft risks.

Monitor Logs:

  • Regularly review system and network logs for unusual activity.

Regular Updates:

  • Patch all software and operating systems to close vulnerabilities exploited by attackers.
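The following script is an added example for defenders and is not part of the advisory or any vendor tooling. It takes the indicators listed in the IoC section above (in their defanged form), validates the hash lists before they are deployed, hashes file contents against them, and scans log lines for the listed IP addresses and domains, which is the kind of routine check the "Monitor Logs" item calls for. The log lines are constructed for illustration; the function names (refang, validate_hashes, match_file_hashes, scan_log) are the author's own and not from the page.

```python
import hashlib
import re

# Indicators copied from the advisory's IoC section, kept in defanged form.
DEFANGED_IPS = ["5[.]181.80.126", "91[.]92.240.95", "91[.]92.120.119"]
DEFANGED_DOMAINS = ["gator3220.hostgator[.]com", "Teleturismo[.]it"]
HASHES = {
    "md5": [
        "0f60f086665fd4d442821851c878c21b",
        "83999a2ce0109ea4adbecb3a96744e8c",
        "a7c14a39a5ee93ca25ab793be06c1478",
        "491310d10c0ea2d217c90a2403c20bea",
    ],
    "sha1": [
        "a4d4f31fb794bbf59be542f493aea9f9e3857d4",
        "4b94f4b23b157c7ae2df54e251cd4d22c683134d",
        "c9eb61977fa0fd1bf1c9e7175a0088289e6b9bbd",
        "5bd371ae2edc0c2cf926e1543e4cdd7d92c83577",
    ],
    "sha256": [
        "3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8",
        "5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab",
        "e5b27dc1672088a5a584467511a02844d45f4eb6af92a96373c803fd3dc5e6b7",
        "a20f2623022bc0d5bdc49b235736cc791a3392198d7a601b2478c1974d5d9f17",
    ],
}
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}  # hex digest length per algorithm


def refang(indicator: str) -> str:
    """Reverse the [.] / hxxp defanging used in advisories; lower-case for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def validate_hashes(hashes: dict) -> list:
    """Return (algorithm, value) for every entry that is not a hex digest of the
    expected length, so a truncated or mistyped feed entry is caught before use."""
    bad = []
    for algo, values in hashes.items():
        for value in values:
            if len(value) != HASH_LENGTHS[algo] or not re.fullmatch(r"[0-9a-f]+", value.lower()):
                bad.append((algo, value))
    return bad


IPS = {refang(ip) for ip in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
_BAD = set(validate_hashes(HASHES))
# Only well-formed digests take part in matching; malformed ones can never match anyway.
HASH_SETS = {algo: {v.lower() for v in vals if (algo, v) not in _BAD} for algo, vals in HASHES.items()}


def match_file_hashes(data: bytes) -> list:
    """Hash file contents with each algorithm and report matches as 'algo:digest'."""
    hits = []
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in HASH_SETS[algo]:
            hits.append(f"{algo}:{digest}")
    return hits


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def scan_log_line(line: str) -> list:
    """Return deduplicated 'ip:<addr>' / 'domain:<name>' hits found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IPS and f"ip:{ip}" not in hits:
            hits.append(f"ip:{ip}")
    for dom in DOMAIN_RE.findall(line):
        dom = dom.lower()
        if dom in DOMAINS and f"domain:{dom}" not in hits:
            hits.append(f"domain:{dom}")
    return hits


def scan_log(lines) -> list:
    """Return (line_number, hit) pairs for every indicator match across a log."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_log_line(line)]


# Constructed proxy/DNS log lines for demonstration; not real telemetry.
SAMPLE_LOG = [
    "2025-01-15T09:12:03Z proxy src=10.0.0.21 dst=5.181.80.126 url=http://5.181.80.126/Hjysa.mp4 action=allow",
    "2025-01-15T09:12:05Z dns client=10.0.0.21 query=gator3220.hostgator.com type=A",
    "2025-01-15T09:13:00Z dns client=10.0.0.22 query=updates.example.com type=A",
    "2025-01-15T09:14:10Z proxy src=10.0.0.23 dst=91.92.240.95 action=block",
]

if __name__ == "__main__":
    for entry in validate_hashes(HASHES):
        print("malformed IoC, verify against the source:", entry)
    for line_no, hit in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {hit}")
    print("hash matches for sample bytes:", match_file_hashes(b"constructed benign content"))
```

Running the validation step on the advisory's own lists flags one SHA1 entry that is 39 hex characters rather than 40; a feed entry like that should be re-checked against the original source before it is loaded into an EDR or SIEM watchlist, since it can never produce a match as written.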


Risk Assessment

PureCrypter poses a significant threat due to its ability to evade detection and deliver a variety of malware strains. Organizations that fail to implement proper endpoint protection and email security measures are at the highest risk. The malware’s reliance on social engineering tactics also highlights the need for robust user awareness training.


Conclusion

PureCrypter's advanced evasion techniques and flexibility make it a preferred choice among cybercriminals. It serves as a reminder of the ever-evolving nature of cyber threats and the importance of a multi-layered security approach. Organizations are advised to prioritize endpoint security.


Sources

  1. BleepingComputer - PureCrypter malware hits govt orgs with ransomware, info-stealers
  2. The Hacker News - PureCrypter Deploys Agent Tesla and New TorNet Backdoor in Ongoing Cyberattacks
  3. Cyware - PureCrypter Loader Found Infecting Government Entities with Various Malware
  4. ANY.RUN - A Full Analysis of the Pure Malware Family: Unique and Growing Threat