Specialists at the information security company Zscaler have published details of PureCrypter, a fully featured malware loader that cybercriminals use to deliver remote access Trojans (RATs) and information stealers to compromised systems.
The loader is a .NET executable obfuscated with SmartAssembly to evade detection by antivirus products.
Cybercriminals use PureCrypter to deliver Agent Tesla, Arkei, AsyncRAT, AZORult, DarkCrystal RAT (DCRat), LokiBot, NanoCore, Redline Stealer, Remcos, Snake Keylogger and Warzone RAT.
The malware, whose author goes by the handle PureCoder, is rented out on hacker forums for $59 per month or sold outright for $249. Since March 2021 the author has advertised PureCrypter as "the only cryptor on the market using both offline and online delivery techniques."
Crypters serve as a first layer of protection against reverse engineering and are typically used to package malware. PureCrypter also includes a mechanism for injecting the embedded malware into native processes, as well as various configuration options for persistence on the compromised system and detection evasion.
The author took care to note that PureCrypter was "created exclusively for educational purposes," yet its user agreement forbids buyers from uploading the tool to VirusTotal, Jotti or MetaDefender.
Analyzing one PureCrypter sample, Zscaler found that a disk image file (.IMG) contained the first-stage loader, which in turn fetched a second-stage module from a remote server and ran it; that module injected the final payload into processes such as MSBuild.
PureCrypter also includes a self-deletion function for removing itself from the compromised machine and an infection-status notification function that reports via Discord and Telegram.
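The two behaviours just described, a payload living inside a trusted Microsoft binary such as MSBuild.exe and a loader that phones home through Discord or Telegram, are both observable from endpoint telemetry. The script below is an added example of a triage heuristic written for this page; it is not Zscaler's code and not part of PureCrypter. The events are constructed to resemble Sysmon Event ID 1 (process create) and Event ID 3 (network connection) records, the list of notification hosts and the list of "benign" MSBuild parents are assumptions to tune for your own environment, and the rule names are made up here.

```python
"""Heuristic triage for a payload injected into MSBuild.exe that talks to
Discord or Telegram. Added example for this article, not Zscaler's or
PureCrypter's code. Events below are constructed, not real telemetry."""
from __future__ import annotations

import ntpath
from typing import Iterable

# Assumption: public endpoints of the chat services the article names for
# infection notifications; the page does not list the exact hosts contacted.
NOTIFY_HOSTS = {"discord.com", "discordapp.com", "api.telegram.org"}

# Assumption: parents under which MSBuild.exe normally runs on a developer or
# build host. Anything else spawning MSBuild deserves a second look.
BENIGN_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

MSBUILD_FX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
MSBUILD_VS = (r"C:\Program Files\Microsoft Visual Studio\2022\Community"
              r"\MSBuild\Current\Bin\MSBuild.exe")

# Constructed sample events, shaped like Sysmon EventID 1 and EventID 3 fields.
SAMPLE_EVENTS = [
    # PID 4412: MSBuild started by a dropper in %TEMP%, then contacts Discord.
    {"EventID": 1, "ProcessId": 4412, "Image": MSBUILD_FX,
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Quotation.exe"},
    {"EventID": 3, "ProcessId": 4412, "Image": MSBUILD_FX,
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    # PID 5120: a normal build from Visual Studio restoring NuGet packages.
    {"EventID": 1, "ProcessId": 5120, "Image": MSBUILD_VS,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community"
                    r"\Common7\IDE\devenv.exe"},
    {"EventID": 3, "ProcessId": 5120, "Image": MSBUILD_VS,
     "DestinationHostname": "api.nuget.org", "DestinationPort": 443},
    # PID 7001: a browser talking to Discord, which is ordinary user traffic.
    {"EventID": 3, "ProcessId": 7001,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def triage(events: Iterable[dict]) -> list[dict]:
    """Return one finding per suspicious MSBuild.exe event.

    Rule msbuild_unusual_parent: MSBuild.exe created by a parent outside
    BENIGN_PARENTS (e.g. a dropper in a user-writable directory).
    Rule msbuild_to_chat_api: MSBuild.exe opening a connection to one of
    NOTIFY_HOSTS. Both rules ignore every other process, so browsers and
    legitimate builds produce no findings.
    """
    findings: list[dict] = []
    for ev in events:
        if _basename(ev.get("Image", "")) != "msbuild.exe":
            continue
        if ev["EventID"] == 1:
            parent = ev.get("ParentImage", "")
            if _basename(parent) not in BENIGN_PARENTS:
                findings.append({"ProcessId": ev["ProcessId"],
                                 "rule": "msbuild_unusual_parent",
                                 "detail": parent})
        elif ev["EventID"] == 3:
            host = ev.get("DestinationHostname", "").lower()
            if host in NOTIFY_HOSTS:
                findings.append({"ProcessId": ev["ProcessId"],
                                 "rule": "msbuild_to_chat_api",
                                 "detail": host})
    return findings


def high_confidence(findings: Iterable[dict]) -> set[int]:
    """PIDs that tripped both rules: an oddly spawned MSBuild that then
    reports to a chat service is a much stronger signal than either alone."""
    rules_by_pid: dict[int, set[str]] = {}
    for f in findings:
        rules_by_pid.setdefault(f["ProcessId"], set()).add(f["rule"])
    return {pid for pid, rules in rules_by_pid.items() if len(rules) == 2}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"PID {f['ProcessId']}: {f['rule']} ({f['detail']})")
    print("high confidence:", sorted(high_confidence(found)))
```

Either rule on its own produces noise on a developer workstation (build scripts launch MSBuild from cmd.exe, and MSBuild legitimately fetches packages), which is why the correlation in `high_confidence` is the part worth alerting on; the individual findings are better treated as hunting leads.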