A brand new marketing campaign has been noticed impersonating Ukrainian authorities businesses in phishing assaults to ship CountLoader, which is then used to drop Amatera Stealer and PureMiner.
“The phishing emails comprise malicious Scalable Vector Graphics (SVG) recordsdata designed to trick recipients into opening dangerous attachments,” Fortinet FortiGuard Labs researcher Yurren Wan mentioned in a report shared with The Hacker Information.
Within the assault chains documented by the cybersecurity firm, the SVG recordsdata are used to provoke the obtain of a password-protected ZIP archive, which incorporates a Compiled HTML Assist (CHM) file. The CHM file, when launched, prompts a sequence of occasions that culminate within the deployment of CountLoader. The e-mail messages declare to be a discover from the Nationwide Police of Ukraine.
CountLoader, which was the topic of a latest evaluation by Silent Push, has been discovered to drop varied payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. On this assault chain, nonetheless, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.
It is value stating that each PureHVNC RAT and PureMiner are a part of a broader malware suite developed by a menace actor often known as PureCoder. A number of the different merchandise from the identical creator embrace –
- PureCrypter, a crypter for Native and .NET
- PureRAT (aka ResolverRAT), a successor to PureHVNC RAT
- PureLogs, an info stealer and logger
- BlueLoader, a malware that may act as a botnet by downloading and executing payloads remotely
- PureClipper, a clipper malware that substitutes cryptocurrency addresses copied into the clipboard with attacker-controlled pockets addresses to redirect transactions and steal funds
In keeping with Fortinet, Amatera Stealer and PureMiner are each deployed as fileless threats, with the malware “executed by way of .NET Forward-of-Time (AOT) compilation with course of hollowing or loaded instantly into reminiscence utilizing PythonMemoryModule.”
Amatera Stealer, as soon as launched, gathers system info, collects recordsdata matching a predefined record of extensions, and harvests knowledge from Chromium- and Gecko-based browsers, in addition to purposes like Steam, Telegram, FileZilla, and varied cryptocurrency wallets.
“This phishing marketing campaign demonstrates how a malicious SVG file can act as an HTML substitute to provoke an an infection chain,” Fortinet mentioned. On this case, attackers focused Ukrainian authorities entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a obtain web site.”
The event comes as Huntress uncovered a probable Vietnamese-speaking menace group utilizing phishing emails bearing copyright infringement discover themes to trick recipients into launching ZIP archives that result in the deployment of PXA Stealer, which then evolves right into a multi-layered an infection sequence dropping PureRAT.
“This marketing campaign demonstrates a transparent and deliberate development, beginning with a easy phishing lure and escalating via layers of in-memory loaders, protection evasion, and credential theft,” safety researcher James Northey mentioned. “The ultimate payload, PureRAT, represents the end result of this effort: a modular, professionally developed backdoor that provides the attacker full management over a compromised host.”
“Their development from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT exhibits not simply persistence, but additionally hallmarks of a critical and maturing operator.”
