Pure Malware Tools Masquerade As Legitimate Software to Bypass Detections


An extensive examination of the growing danger posed by the Pure malware family has been released, providing the industry with more insightful information about PureCrypter, PureLogs, and PureMiner.

ANY.RUN has disclosed that the Pure tools are presented as legitimate software intended for “educational purposes.” A close examination of the code, however, shows that they form a powerful malicious toolkit.

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use the ANY.RUN platform to investigate incidents and streamline threat analysis. If you’re a security researcher or an analyst, you can request 14 days of free access to the ANY.RUN Enterprise plan.

Specific information on the Pure Malware Family

PureCoder products were first distributed in March 2021, according to information on the developer’s old website. The home page of Pure’s current website carries a message stating that the software is intended for penetration testing and educational purposes.

Website lies about educational and pentesting nature of the software

It’s important to note, though, that there is a consistent pattern of the code being sold and then used for malicious purposes.


Sales through a Telegram bot have been noted in Pure updates since March 2023. Telegram bots automate and anonymize the malware purchase process, and their use indicates that the author is growing, expanding, and refining the service.

Products the group distributes under the guise of “educational purposes”

These products are supposedly offered to educate users; however, it is odd that they include hidden HVNC, botnets, and silent miners. Pure’s online comments and reviews indicate strong demand, with at least a few transactions made each month.

Users must pay in cryptocurrency, specifically Bitcoin. More than one Bitcoin wallet is listed on the payment page; these wallets are probably part of a Bitcoin mixer.

Recently, in Q4, ANY.RUN observed the use of T1036.005 (Masquerading: Match Legitimate Name or Location) in over 98,500 malicious samples. You can see what the top malware families, types, tactics, techniques, and procedures (TTPs) used by attackers in 2023 can tell us about what to expect in 2024.

PureCrypter is a crypter (or obfuscator) that combines encryption and data obfuscation algorithms. Together, they help the payload evade antivirus detection and make analysis more challenging for researchers.

Behavior flow of PureCrypter

The loader supports two payload modes: staged and stage-less. The Costura and Protobuf-net libraries are among the decrypted resources.

Data is deserialized with Protobuf-net and combined with the compressed malware to produce a configuration. Once the malware has been decompressed, it is launched in a new process with the configuration parameters.

The entry points of the staged and stage-less variants of PureCrypter are the same, so the two are nearly identical.

PureCrypter can deliver two kinds of payload: third-party malware or its own proprietary product, PureLogs.

As in the stage-less process, delivery of third-party malware starts by decrypting and loading the .NET assembly resource, which is likewise encrypted with AES (Rijndael).

PureLogs is usually spread by a loader protected with .NET Reactor. PureLogs itself is a small library dedicated to data theft, which the loader typically fetches from a C2 server.

PureLogs Loader

Analysis of the loading traffic shows that, in the initial connection, an encrypted message is sent and an encrypted response is received. All of this takes place inside the loader.

The two messages in the initial connection are encrypted in a similar way, except that the response carries an extra serialization layer and is re-encrypted by byte reversal. The program encrypts its message and then forwards it to the server: four bytes indicating the message’s size come first, followed by the message itself.
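As an added illustration of the framing described above (not code from the report or from the Pure tools), here is a small Python helper for splitting captured loader traffic into frames and undoing the response’s reversal layer. It assumes the 4-byte size is little-endian and that the reversal applies to the whole response body; the inner encryption is out of scope. The sample stream is constructed.

```python
import struct

# Added analysis helper, not code from ANY.RUN or the Pure authors. It models
# the framing described for the PureLogs loader traffic: a 4-byte size prefix
# followed by the message body. Assumptions: the size is little-endian (the
# .NET BinaryWriter default) and the response's "byte reversal" layer is a
# plain reversal of the whole encrypted body. Inner decryption is not modelled.

def build_frame(body: bytes) -> bytes:
    """Prefix a message body with its 4-byte little-endian length."""
    return struct.pack("<I", len(body)) + body

def split_frames(stream: bytes):
    """Split a captured stream into frames.

    Returns (frames, leftover). Each frame is a dict with the declared size,
    the body bytes and a 'complete' flag. Parsing stops at the first frame
    whose declared size exceeds the remaining data, so a truncated capture
    is reported instead of silently yielding a mangled message.
    """
    frames, offset = [], 0
    while offset + 4 <= len(stream):
        (size,) = struct.unpack_from("<I", stream, offset)
        body = stream[offset + 4:offset + 4 + size]
        complete = len(body) == size
        frames.append({"size": size, "body": body, "complete": complete})
        if not complete:
            return frames, stream[offset:]
        offset += 4 + size
    return frames, stream[offset:]

def unwrap_response(body: bytes) -> bytes:
    """Undo the outer byte-reversal layer on a server response body."""
    return body[::-1]

# Constructed sample capture: a client request, a server response stored in
# reversed form, and a truncated third frame (declared 40 bytes, 7 present),
# as an analyst might see in a partial packet capture.
SAMPLE_STREAM = (
    build_frame(b"REQ:client-hello-ciphertext")
    + build_frame(b"RESP:serialized-config-ciphertext"[::-1])
    + struct.pack("<I", 40) + b"partial"
)

if __name__ == "__main__":
    frames, leftover = split_frames(SAMPLE_STREAM)
    for i, f in enumerate(frames):
        shown = f["body"] if i % 2 == 0 else unwrap_response(f["body"])
        print(i, f["size"], f["complete"], shown)
    print("leftover bytes:", len(leftover))
```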

PureLogs is a multifunctional stealer. As with PureCrypter, obfuscation techniques complicate its analysis. It is sometimes confused with ZGRat, which is commonly found in samples of the Pure family.

The library gathers information from the system by looping through many collection functions, covering browser data (including extensions), cryptocurrency wallet data, complete information about the user, and full details of the PC configuration.

Experts also discovered distinct samples with PureCrypter- and PureLogs-like signatures. These samples shared the same traffic patterns, a structure similar to PureCrypter and PureLogs, the same code behavior (protobuf module), and 3DES encryption (key encrypted using MD5Crypto).

PureMiner

PureMiner gathers information about the system and sends it to the C2 server. It then receives a response containing mining instructions.

Final Words

The code analysis clearly shows that Pure is a potent malicious toolkit. Its developers have only recently started distributing it through a Telegram bot, suggesting that they are expanding their business.

It is very likely that its popularity will begin to rise shortly.

Perform in-depth malware analysis in ANY.RUN. Try all features for 14 days for free.
