Lmst

I ended an article a couple of months ago with:
> I may analyze the final payload in a future post.

And finally the day has come.
Spoiler: it was not the final payload.

Dissecting PureCrypter: A Technical Malware Analysis
https://0xlibris.net/posts/infection_chain_infostealer_2

#PureCrypter #malware #infosec #reversing #cybersecurity #infostealer #malwareanalysis

dnspy screenshot of the main function of PureCrypter, a .NET-based loader malware. It shows functions like bypass_amsi, setup_persistence, or run_loader among others.

Good day everyone!

Cisco Talos brings us a HOT report on a new backdoor they observed in a widespread campaign that they dubbed #TorNet, owing to the fact that the actor connects the victim's machine to the TOR network for stealthy command and control (C2) communications and detection evasion.

Attack Summary:
The attack starts with a phishing email with a malicious attachment, which leads to a .NET loader executing and downloads the #PureCrypter malware, which is responsible for dropping and running the TorNet backdoor. After a successful connection to the C2 server it connects the victim's machine to the TOR network which enables it to receive and run arbitrary .NET assemblies in memory.

Behavior Summary:
Initial Access:
Phishing Email with Attachment - in this case, a .tgz (compressed file)

Defense Evasion
Released and renewed the ip address of the compromised machine - "cmd /c ipconfig /release" and "cmd /c ipconfig /renew"
Modifcaiton of the machine - "Add-MpPreference -ExclsuionPath" and "Add-MpPreference -ExclusionProcess"

Discovery:
WMI Activity - "Select * from Win32_BIOS" and "Select * from Win32_ComputerSystem"

Persistence:
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Dropped a VB script in the windows Startup folder

These are just some of the behaviors, for the rest, go and enjoy the read! Happy Hunting!

New TorNet backdoor seen in widespread campaign
https://blog.talosintelligence.com/new-tornet-backdoor-campaign/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Campagne #Malware #Italy Week 24

☠️💣🔥👻
#AgentTesla: Preventivo
#Formbook: Bonifico
#StrRat: Spedizione
#Lumma - #Stealc: Setup
#Adwind: Documenti
#PureCrypter: Hotel

#mwitaly

An unknown threat group has been targeting government agencies in Asia Pacific and North America via abuse of the popular Discord network and a hijacked website belonging to a non-profit. The two-stage attacks include enticing victims to install the PureCrypter downloader, which then delivers a variety of possible malware payloads.
https://www.scmagazine.com/news/cybercrime/purecrypter-discord-target-govt #CyberSecurity #PureCrypter #Discord #NorthAmerica #APAC #government #targets

Government entities in Asia-Pacific and North America are being targeted by an unknown threat actor with an off-the-shelf malware downloader known as PureCrypter to deliver an array of information stealers and ransomware.
https://thehackernews.com/2023/02/purecrypter-malware-targets-government.html #CyberSecurity #PureCrypter #malare #APAC #NorthAmerica