A brand new marketing campaign has been noticed impersonating Ukrainian authorities businesses in phishing assaults to ship CountLoader, which is then used to drop Amatera Stealer and PureMiner.
“The phishing emails comprise malicious Scalable Vector Graphics (SVG) recordsdata designed to trick recipients into opening dangerous attachments,” Fortinet FortiGuard Labs researcher Yurren Wan stated in a report shared with The Hacker Information.
Within the assault chains documented by the cybersecurity firm, the SVG recordsdata are used to provoke the obtain of a password-protected ZIP archive, which incorporates a Compiled HTML Assist (CHM) file. The CHM file, when launched, prompts a series of occasions that culminate within the deployment of CountLoader. The e-mail messages declare to be a discover from the Nationwide Police of Ukraine.
CountLoader, which was the topic of a current evaluation by Silent Push, has been discovered to drop varied payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. On this assault chain, nonetheless, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.
It is price declaring that each PureHVNC RAT and PureMiner are a part of a broader malware suite developed by a risk actor generally known as PureCoder. A few of the different merchandise from the identical writer embody –
- PureCrypter, a crypter for Native and .NET
- PureRAT (aka ResolverRAT), a successor to PureHVNC RAT
- PureLogs, an data stealer and logger
- BlueLoader, a malware that may act as a botnet by downloading and executing payloads remotely
- PureClipper, a clipper malware that substitutes cryptocurrency addresses copied into the clipboard with attacker-controlled pockets addresses to redirect transactions and steal funds
Based on Fortinet, Amatera Stealer and PureMiner are each deployed as fileless threats, with the malware “executed by way of .NET Forward-of-Time (AOT) compilation with course of hollowing or loaded immediately into reminiscence utilizing PythonMemoryModule.”
Amatera Stealer, as soon as launched, gathers system data, collects recordsdata matching a predefined checklist of extensions, and harvests knowledge from Chromium- and Gecko-based browsers, in addition to functions like Steam, Telegram, FileZilla, and varied cryptocurrency wallets.
“This phishing marketing campaign demonstrates how a malicious SVG file can act as an HTML substitute to provoke an an infection chain,” Fortinet stated. On this case, attackers focused Ukrainian authorities entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a obtain website.”
The event comes as Huntress uncovered a probable Vietnamese-speaking risk group utilizing phishing emails bearing copyright infringement discover themes to trick recipients into launching ZIP archives that result in the deployment of PXA Stealer, which then evolves right into a multi-layered an infection sequence dropping PureRAT.
“This marketing campaign demonstrates a transparent and deliberate development, beginning with a easy phishing lure and escalating via layers of in-memory loaders, protection evasion, and credential theft,” safety researcher James Northey stated. “The ultimate payload, PureRAT, represents the end result of this effort: a modular, professionally developed backdoor that offers the attacker full management over a compromised host.”
“Their development from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT reveals not simply persistence, but additionally hallmarks of a critical and maturing operator.”
