A brand new marketing campaign has been noticed impersonating Ukrainian authorities companies in phishing assaults to ship CountLoader, which is then used to drop Amatera Stealer and PureMiner.
“The phishing emails include malicious Scalable Vector Graphics (SVG) recordsdata designed to trick recipients into opening dangerous attachments,” Fortinet FortiGuard Labs researcher Yurren Wan mentioned in a report shared with The Hacker Information.
Within the assault chains documented by the cybersecurity firm, the SVG recordsdata are used to provoke the obtain of a password-protected ZIP archive, which comprises a Compiled HTML Assist (CHM) file. The CHM file, when launched, prompts a sequence of occasions that culminate within the deployment of CountLoader. The e-mail messages declare to be a discover from the Nationwide Police of Ukraine.
CountLoader, which was the topic of a current evaluation by Silent Push, has been discovered to drop varied payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. On this assault chain, nevertheless, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.
It is price declaring that each PureHVNC RAT and PureMiner are a part of a broader malware suite developed by a menace actor generally known as PureCoder. Among the different merchandise from the identical writer embrace –
- PureCrypter, a crypter for Native and .NET
- PureRAT (aka ResolverRAT), a successor to PureHVNC RAT
- PureLogs, an data stealer and logger
- BlueLoader, a malware that may act as a botnet by downloading and executing payloads remotely
- PureClipper, a clipper malware that substitutes cryptocurrency addresses copied into the clipboard with attacker-controlled pockets addresses to redirect transactions and steal funds
In accordance with Fortinet, Amatera Stealer and PureMiner are each deployed as fileless threats, with the malware “executed through .NET Forward-of-Time (AOT) compilation with course of hollowing or loaded immediately into reminiscence utilizing PythonMemoryModule.”
Amatera Stealer, as soon as launched, gathers system data, collects recordsdata matching a predefined record of extensions, and harvests information from Chromium- and Gecko-based browsers, in addition to functions like Steam, Telegram, FileZilla, and varied cryptocurrency wallets.
“This phishing marketing campaign demonstrates how a malicious SVG file can act as an HTML substitute to provoke an an infection chain,” Fortinet mentioned. On this case, attackers focused Ukrainian authorities entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a obtain website.”
The event comes as Huntress uncovered a probable Vietnamese-speaking menace group utilizing phishing emails bearing copyright infringement discover themes to trick recipients into launching ZIP archives that result in the deployment of PXA Stealer, which then evolves right into a multi-layered an infection sequence dropping PureRAT.
“This marketing campaign demonstrates a transparent and deliberate development, beginning with a easy phishing lure and escalating by layers of in-memory loaders, protection evasion, and credential theft,” safety researcher James Northey mentioned. “The ultimate payload, PureRAT, represents the fruits of this effort: a modular, professionally developed backdoor that provides the attacker full management over a compromised host.”
“Their development from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT reveals not simply persistence, but additionally hallmarks of a severe and maturing operator.”
