A new campaign is being observed impersonating a Ukrainian government agency in phishing attacks Countloaderis used to drop it Amaterasu Stirrer and Pure Miner.
“The phishing email contains malicious scalable vector graphics (SVG) files designed to trick recipients into opening harmful attachments,” Yurren Wan, a researcher at Fortinet Fortiguard Labs, said in a report shared with Hacker News.
The attack chain documented by a cybersecurity company uses SVG files to initiate a password-protected ZIP archive download. This contains the compiled HTML Help (CHM) file. The CHM file activates a chain of events that will culminate in the Countloader expansion at startup. The email message claims it is a notification from the Ukrainian National Police.
Countloader has been found to remove various payloads such as Cobalt Strike, AdaptixC2, and PureHVNC rats, as it was subject to recent analysis by silent push. However, in this attack chain it acts as a distribution vector for AcrStealer variants Amatera Stealer and Stealth .NET Cryptocurrency Miner Pureminer.
It is worth pointing out that both PureHVNC rats and Pureminer are part of the broader suite of malware developed by threat actors known as Purecoder. Some of the other products of the same author:
- Purecrypter, native and .NET crypto
- Purerat (aka Resolverrat), successor to PureHvnc rat
- PureLogs, Information Theft and Loggers
- BlueLoader, malware that can act as a botnet by remotely downloading and running payloads
- Pureclipper redirects transactions, which are clipper malware that replaces cryptocurrency addresses copied to clipboard using wallet addresses controlled by attackers and steals funds
According to Fortinet, both Amatera Stealer and Pureminer have been deployed as fireless threats, with malware deploying “processes can be hollowed out using PythonMemorymodule or via .NET through processes loaded directly into memory.”
Amatera Stealer collects system information when it is launched, files matching a predefined list of extensions, data from Chromium and Gecko-based browsers, and applications such as Steam, Telegram, Filezilla, and various cryptocurrency wallets.
“This phishing campaign shows how malicious SVG files act as HTML alternatives to launch infection strands,” Fortinet said. In this case, the attacker targeted Ukrainian government agencies that contained emails that contained SVG attachments. The HTML code embedded in SVG redirected the victim to a download site. ”
The development evolves into a multi-layer infection sequence drop prat rat, where Huntress discovers a Vietnamese-speaking threat group using phishing emails using a piracy notification theme, tricking the recipient into launching a ZIP archive that leads to the deployment of PXA Steelers.
“The campaign shows a clear and intentional progression that starts with a simple fishing lure and escalates from in-memory loader layers, defense evasion and qualification theft,” said security researcher James Norsey. “The final payload, Purerat, represents the culmination of this effort: a modular, professionally developed backdoor that has full control over the host compromised by an attacker.”
“The progression from amateur obfuscation of Python payloads like Purerat to abuse of product malware like Purerat shows not only persistence, but also the characteristics of serious, mature operators.”
