Recently, security analysts at ANY.RUN discovered that the Pure malware tools are masquerading as legitimate software to evade detection.
ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use ANY.RUN platform to investigate incidents and streamline threat analysis. If you’re a security researcher or an analyst, you can request 14 days of free access to the Any.RUN Enterprise plan.
The PureCoder products were initially distributed in March 2021, as per the developer’s old website.
While the current Pure site claims that the software is only for education and testing purposes, the observed trend shows that the code is also used for several illicit purposes.
The Pure updates since March 2023 mentioned the Telegram bot sales.
While the bots automate and anonymize malware purchases, The author expands the service, explores new channels, and scales up through bot usage.
Recently, in Q4, ANY.RUN discovered the use of T1036.005 in over 98,500 malicious samples. You can see what the top malware families, Types, Tactics, Techniques, and Procedures (TTPs) used by attackers in 2023 can tell us about what to expect in 2024.
More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..
Here below, we have mentioned all the Pure malware tools masquerading as legitimate software to bypass detections:
- PureCrypter: It’s a crypter that deploys data obfuscation and encryption algorithms. This hides malware from AV tools and makes the analysis difficult for the researchers.
- PureLogs Loader: It is malware that is frequently distributed via a loader with NET Reactor protection and uses a tiny library to steal data. A C2 server is where the loader obtains the library.
- PureLogs: It’s a versatile stealer similar to the PureCrypter, which employs obfuscation techniques for analysis complexity. Occasionally, it’s mistaken for ZGRat, a commonality in the Pure family samples.
- Experts found unique samples with signatures similar to PureCrypter and PureLogs. These signatures included the same traffic patterns, 3DES encryption (key encrypted with MD5Crypto), shared code behavior (proto-buf module), and a structure resembling PureCrypter and PureLogs.
Though the tools claimed for education, they dock silent miners, botnets, and hidden HVNC. Even high demand is evident on Pure’s site with monthly purchases.
Users make crypto payments in Bitcoin, facilitated by various wallets, possibly part of a Bitcoin mixer. Wallet activity detected from May 19-26, 2023, already totals 250 transactions for a huge amount of $32,000 on Blockchain.com.
Fake educational software is a potent malicious tool distributed via a Telegram bot. Since Pure gets a few orders monthly, its popularity might surge rapidly soon.
Perform in-depth malware analysis in ANY.RUN. Try all features for 14 days for free.