A notorious multi-functional loader called PureCrypter has been updated by its developers for better usage in cyber-attacks. Research stated that this crypter had been sold in the underground market since March last year.
PureCrypter’s operators have updated their loader with new features that support additional malicious activities, beyond its established role as a vector for distributing remote access trojans (RATs) and information stealers (infostealers).
Cybersecurity experts said that PureCrypter is a malware loader sold by an individual threat actor named PureCoder. It emerged in March last year, and its developers offered the loader for as little as $60.
The loader is written in a .NET language and obfuscates itself with SmartAssembly. It also uses encryption and compression to evade detection by numerous antivirus (AV) products. In addition, the loader gives its users persistence, injection, and defence-evasion capabilities, which are configured in Google’s Protocol Buffer message format.
PureCrypter became a bridge for notorious malware.
The PureCrypter loader has been a vector for distributing various malware, such as AsyncRAT, Nanocore, RedLine Stealer, WarzoneRAT, Snake Keylogger, Remcos, LokiBotStealer, Arkei, Azorult, and AgentTesla.
Most of these malware strains are delivered by PureCrypter as the second stage of an infection chain run by a threat actor. The operators have also extended the loader’s features so that it can target and infect more systems, making it a considerable threat to many organisations.
One of these new functions lets threat actors use the Telegram platform as a channel for spreading malware. However, the most significant improvement is an additional anti-analysis feature: the loader checks whether it is running inside a VMware or Microsoft virtual machine, so that it can avoid being analysed in such environments.
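Two of the properties described above, an encrypted or compressed payload hidden inside a .NET assembly and an anti-VM routine that looks for VMware and Microsoft virtualisation artefacts, can both be triaged statically from a defender's side. The script below is an added example written for this article; it is not PureCrypter code and not from any of the researchers cited. It flags high-entropy regions of a file (a sign of encrypted or packed content) and searches for strings that anti-analysis code commonly compares against. The sample buffers, the chunk size and the 7.2-bit threshold are constructed assumptions for illustration, not values taken from the loader.

```python
import hashlib
import math
from collections import Counter

# Strings that virtual-machine checks commonly look for in process names,
# driver names or hardware identifiers. The list is an assumption for this
# example; it only covers the VMware and Microsoft platforms named above.
VM_INDICATORS = [b"VMware", b"vmtoolsd", b"vmci", b"Hyper-V", b"vmbus", b"Microsoft Hv"]

# Constructed sample: a small plaintext header that carries obfuscator and
# anti-VM strings, followed by a pseudorandom blob standing in for an
# encrypted payload. Deterministic so the results are reproducible.
_HEADER = (
    b"MZ\x90\x00" + b"SmartAssembly " + b"VMware Hyper-V vmtoolsd "
    + b"protobuf-config-placeholder"
)
_PSEUDO_PAYLOAD = b"".join(
    hashlib.sha256(str(i).encode()).digest() for i in range(128)
)  # 128 * 32 = 4096 bytes of high-entropy data
SAMPLE_PACKED = _HEADER + _PSEUDO_PAYLOAD
SAMPLE_PLAIN = b"A" * 2048 + b"B" * 2048  # constructed low-entropy control


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a constant buffer, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_high_entropy_chunks(data: bytes, chunk: int = 1024, threshold: float = 7.2):
    """Return (offset, entropy) for every chunk whose entropy exceeds threshold.

    Encrypted or compressed payloads approach 8 bits/byte, while code,
    metadata and configuration are far lower, so contiguous flagged chunks
    point at an embedded blob worth unpacking.
    """
    flagged = []
    for offset in range(0, len(data), chunk):
        window = data[offset : offset + chunk]
        if len(window) < chunk // 2:  # ignore a tiny trailing fragment
            continue
        ent = shannon_entropy(window)
        if ent > threshold:
            flagged.append((offset, round(ent, 3)))
    return flagged


def find_indicator_strings(data: bytes):
    """Case-insensitive search for VM indicator strings; returns sorted hits."""
    lowered = data.lower()
    return sorted(s.decode() for s in VM_INDICATORS if s.lower() in lowered)


def triage(data: bytes) -> dict:
    """Summarise the two heuristics for one file image."""
    hits = find_indicator_strings(data)
    chunks = find_high_entropy_chunks(data)
    return {
        "has_smartassembly_marker": b"SmartAssembly" in data,
        "vm_indicator_strings": hits,
        "high_entropy_chunks": chunks,
        "suspicious": bool(chunks) and (bool(hits) or b"SmartAssembly" in data),
    }


if __name__ == "__main__":
    for name, buf in (("packed sample", SAMPLE_PACKED), ("plain sample", SAMPLE_PLAIN)):
        print(name, triage(buf))
```

Run on a real file with `triage(open(path, "rb").read())`. The two signals are deliberately kept separate in the result: a high-entropy blob on its own is also produced by legitimate packers and embedded certificates, so the `suspicious` verdict only fires when the encrypted region sits alongside an obfuscator marker or anti-VM strings.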
PureCrypter is still under active development, but it already shows that many threat groups can use it in sophisticated attacks. The new capabilities also allow its users to target a wider range of entities worldwide.
Organisations and cybersecurity researchers should keep an eye on this current threat.