PureCrypter is a new malware loader currently being developed by a threat actor known as PureCoder. The loader is fully-featured and has been sold in underground markets since at least March 2021, according to a new report by Zscaler researchers.
PureCrypter Loader: an Overview
PureCrypter is a .NET executable obfuscated with SmartAssembly. It uses compression, encryption and obfuscation to bypass detection by anti-virus programs. The loader is offered for sale for as little as $59. The malware builder comes with the following options:
- Fake messages such as fake error message displayed to victims;
- Binder, or an additional file to be written to disk;
- Injection types, or various methods to load the final stage;
- Persistence at system startup;
- Optional features, mostly consisting of defense mechanisms;
- Additional tools, such as Office macro builder and Downloader, most likely for the initial infection.
The malware loader has been used to deliver the following malware families, according to ThreatLabz researchers:
- AgentTesla;
- Arkei;
- AsyncRAT;
- Azorult;
- DcRAT;
- LokiBotStealer;
- Nanocore;
- RedLineStealer;
- Remcos;
- SnakeKeylogger;
- WarzoneRAT.
The Zscaler team analyzed a particular sample of PureCrypter that contained a fake .bat file as a first-stage component. The file is in fact a simple .NET downloader that executes the second-stage payload in memory. The first-stage downloader is most likely part of the PureCrypter package, with the second stage being the main payload. The latter decrypts various resources and parses an internal configuration file that sets the malware's settings.
Once these steps are complete, the malware injects the final payload inside another process. In the examined sample, PureCrypter injected a SnakeKeylogger sample inside the MSBuild.exe process.
It is noteworthy that the second-stage PureCrypter sample contained two resources: the SnakeKeylogger variant with its bytes reversed and gzip-compressed, and a resource-only .NET library that contains the following two libraries, each stored as a raw DEFLATE stream (raw inflate):
- Costura library to embed references as resources;
- Protobuf library for object deserialization.
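To make the two resource encodings above concrete for analysts, here is an added Python example (not code from the Zscaler report or from PureCrypter) that builds constructed stand-in resources and unwraps them: one gzip-compressed and byte-reversed, the other a raw DEFLATE stream. The report does not state whether the reversal is applied before or after gzip, so the unwrapper tries both orders; the embedded "payload" is a fabricated MZ-prefixed byte string, not a real sample.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Constructed stand-in for an embedded executable (not a real sample).
PAYLOAD = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode."


def wrap_reversed_gzip(data: bytes, reverse_first: bool = False) -> bytes:
    """Build a test resource from the two layers the report names. The order
    of the layers is an assumption, so both orders are supported here."""
    if reverse_first:
        return gzip.compress(data[::-1])      # reverse, then gzip
    return gzip.compress(data)[::-1]          # gzip, then reverse


def deflate_raw(data: bytes) -> bytes:
    """Build a test resource as a raw DEFLATE stream (no zlib/gzip framing)."""
    comp = zlib.compressobj(wbits=-15)
    return comp.compress(data) + comp.flush()


def looks_reversed_gzip(blob: bytes) -> bool:
    """Triage heuristic: a byte-reversed gzip stream ends with 8b 1f."""
    return blob[-2:] == GZIP_MAGIC[::-1]


def unwrap_reversed_gzip(blob: bytes) -> bytes:
    """Undo the reverse+gzip layering, whichever order was applied."""
    restored = blob[::-1]
    if restored[:2] == GZIP_MAGIC:            # gzip first, then reversed
        return gzip.decompress(restored)
    if blob[:2] == GZIP_MAGIC:                # reversed first, then gzip
        return gzip.decompress(blob)[::-1]
    raise ValueError("no gzip magic found in either orientation")


def inflate_raw(blob: bytes) -> bytes:
    """Inflate a raw DEFLATE stream; wbits=-15 tells zlib there is no header."""
    return zlib.decompress(blob, -15)


def unwrap_resource(blob: bytes) -> bytes:
    """Recover a payload from either encoding and confirm it is a PE image."""
    try:
        out = unwrap_reversed_gzip(blob)
    except (ValueError, OSError, zlib.error):
        out = inflate_raw(blob)               # fall back to raw inflate
    if out[:2] != b"MZ":
        raise ValueError("decoded resource is not a PE image")
    return out
```

The same unwrapping steps apply to resources carved from a .NET assembly with a resource extractor; the MZ check at the end is a sanity check that the layering was undone in the right order.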
The use of Google's protobuf format makes the malware more adaptable, whereas the use of reversed, compressed and encrypted payloads makes it more challenging for antivirus engines, the researchers concluded.
Other recently developed malware loaders include SVCReady, XLoader and ChromeLoader.