C2 servers:
🔥 45.141.233.100:7708
🔥 144.172.91.74:7709
🔥 62.60.235.100:9100
🔥 65.108.24.103:62050
🔥 91.92.120.102:62050
🔥 192.30.240.242:62520
I ended an article a couple of months ago with:
> I may analyze the final payload in a future post.
And finally the day has come.
Spoiler: it was not the final payload.
Dissecting PureCrypter: A Technical Malware Analysis
https://0xlibris.net/posts/infection_chain_infostealer_2
#PureCrypter #malware #infosec #reversing #cybersecurity #infostealer #malwareanalysis
Good day everyone!
Cisco Talos brings us a HOT report on a new backdoor they observed in a widespread campaign that they dubbed #TorNet, owing to the fact that the actor connects the victim's machine to the Tor network for stealthy command and control (C2) communications and detection evasion.
Attack Summary:
The attack starts with a phishing email carrying a malicious attachment, which leads to a .NET loader that executes and downloads the #PureCrypter malware, which in turn is responsible for dropping and running the TorNet backdoor. After a successful connection to the C2 server, it connects the victim's machine to the Tor network, which enables it to receive and run arbitrary .NET assemblies in memory.
Behavior Summary:
Initial Access:
Phishing Email with Attachment - in this case, a .tgz (compressed file)
Defense Evasion:
Released and renewed the IP address of the compromised machine - "cmd /c ipconfig /release" and "cmd /c ipconfig /renew"
Modification of the machine's Defender settings - "Add-MpPreference -ExclusionPath" and "Add-MpPreference -ExclusionProcess"
Discovery:
WMI Activity - "Select * from Win32_BIOS" and "Select * from Win32_ComputerSystem"
Persistence:
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Dropped a VB script in the Windows Startup folder
These are just some of the behaviors, for the rest, go and enjoy the read! Happy Hunting!
New TorNet backdoor seen in widespread campaign
https://blog.talosintelligence.com/new-tornet-backdoor-campaign/
Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
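The behaviours listed in the post map directly onto telemetry a hunter can match on. As an added example (this is not code from the Intel 471 post or the Talos report), here is a small Python hunt over constructed Sysmon-style process-create and file-create events. Every event, timestamp, PID and path in it is made up for illustration; only the command-line strings, WMI class names and Startup-folder pattern come from the post. The release/renew pair is deliberately treated as a pair tied to one parent process, since a lone `ipconfig /renew` is everyday helpdesk noise.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not real data): Sysmon-style process-create
# and file-create events from one host, shaped like the behaviours the post lists.
SAMPLE_EVENTS = [
    {"ts": "2025-01-28T10:00:01", "type": "ProcessCreate", "pid": 4100, "ppid": 3000,
     "cmdline": r"C:\Users\bob\AppData\Roaming\loader.exe"},
    {"ts": "2025-01-28T10:00:03", "type": "ProcessCreate", "pid": 4120, "ppid": 4100,
     "cmdline": "cmd /c ipconfig /release"},
    {"ts": "2025-01-28T10:00:04", "type": "ProcessCreate", "pid": 4130, "ppid": 4100,
     "cmdline": "cmd /c ipconfig /renew"},
    {"ts": "2025-01-28T10:00:06", "type": "ProcessCreate", "pid": 4140, "ppid": 4100,
     "cmdline": 'powershell -w hidden -c "Add-MpPreference -ExclusionPath %APPDATA%; '
                'Add-MpPreference -ExclusionProcess loader.exe"'},
    {"ts": "2025-01-28T10:00:08", "type": "ProcessCreate", "pid": 4150, "ppid": 4100,
     "cmdline": "powershell -c \"Get-WmiObject -Query 'Select * from Win32_BIOS'\""},
    {"ts": "2025-01-28T10:00:09", "type": "FileCreate", "pid": 4100,
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    # Benign noise: a helpdesk renew hours later with no preceding release from the
    # same parent, and a normal shortcut dropped into Startup by an installer.
    {"ts": "2025-01-28T14:30:00", "type": "ProcessCreate", "pid": 5200, "ppid": 5100,
     "cmdline": "ipconfig /renew"},
    {"ts": "2025-01-28T14:31:00", "type": "FileCreate", "pid": 5300,
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk"},
]

# One regex per behaviour. Command-line rules run over ProcessCreate events,
# the Startup rule over FileCreate targets.
CMDLINE_RULES = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.I),
    "wmi_recon": re.compile(r"\bWin32_(?:BIOS|ComputerSystem)\b", re.I),
}
STARTUP_VBS = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
IPCONFIG_RELEASE = re.compile(r"\bipconfig(?:\.exe)?\s+/release\b", re.I)
IPCONFIG_RENEW = re.compile(r"\bipconfig(?:\.exe)?\s+/renew\b", re.I)


def hunt(events, pair_window_s=60):
    """Return a list of (rule, timestamp, pid) findings over the event stream."""
    findings = []
    last_release = {}  # ppid -> datetime of the most recent 'ipconfig /release'
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "ProcessCreate":
            cmd = ev.get("cmdline", "")
            for rule, rx in CMDLINE_RULES.items():
                if rx.search(cmd):
                    findings.append((rule, ev["ts"], ev["pid"]))
            # A release followed within the window by a renew from the same parent
            # is the evasion step the post describes; a lone renew is not flagged.
            if IPCONFIG_RELEASE.search(cmd):
                last_release[ev["ppid"]] = ts
            elif IPCONFIG_RENEW.search(cmd):
                prev = last_release.get(ev["ppid"])
                if prev is not None and (ts - prev).total_seconds() <= pair_window_s:
                    findings.append(("ipconfig_release_renew", ev["ts"], ev["pid"]))
        elif ev["type"] == "FileCreate":
            if STARTUP_VBS.search(ev.get("target", "")):
                findings.append(("startup_vbs_drop", ev["ts"], ev["pid"]))
    return findings


def triggered_rules(events):
    """Distinct rule names that fired, for a quick 'how many behaviours?' check."""
    return {rule for rule, _, _ in hunt(events)}


if __name__ == "__main__":
    for rule, ts, pid in hunt(SAMPLE_EVENTS):
        print(f"{ts}  pid={pid:<6} {rule}")
```

Four distinct behaviours firing under one parent process within seconds is a much stronger signal than any single rule; in a real hunt, feed the findings into a per-parent correlation rather than alerting on each regex hit. Note that WMI queries issued through COM from inside the loader will not show up on a command line at all, so the `wmi_recon` rule is only as good as the script-block or WMI-activity logging you actually collect.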
#Malware campaigns #Italy Week 24
☠️💣🔥👻
#AgentTesla: Quote ("Preventivo")
#Formbook: Bank transfer ("Bonifico")
#StrRat: Shipment ("Spedizione")
#Lumma - #Stealc: Setup
#Adwind: Documents ("Documenti")
#PureCrypter: Hotel
📢 Watch out for PureCrypter malware targeting government entities through #Discord by delivering a wide range of other nasty #malware.
Details: https://www.hackread.com/purecrypter-malware-discord/
An unknown threat actor is targeting government organizations with the PureCrypter downloader, the security firm Menlo Security reported. Menlo Labs researchers uncovered that an unknown threat actor is using the PureCrypter downloader in attacks aimed at government entities. The campaign relies on the domain of a compromised non-profit organization as a C2 server to deliver a second-stage payload. […]
I'M BAAAACK!
And so is #CYBER2GO!
Today's 3 news items:
* #Microsoft integrates #Edge #Secure #Network
* #NewsCorp hit by #cyberattack 2020-2022
* #PureCrypter - global impact
Listen wherever you find your #podcasts or at https://cyber2go.buzzsprout.com!
--
tags:
#cyber2go #cybersikkerhed #cybersec #cybersecurity #IT #teknik #fælleshjerne #dkmastodon