Italians Users Targeted by PureLogs Stealer Through Spam Campaigns
Executive Summary
During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet about PureLogs information stealer by TG Soft. This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign at targets based in Italy on the 14th of December 2022.
The spam email includes a link to download a password-protected zip file; the password is provided in the same email. The zip file contains a cabinet file disguised as a batch file, which holds a malicious executable. Once the target opens the batch file, the malware will start running on their machine.
PureLogs stealer is developed by TA with the name PureCoder. The threat actor offers sales for multiple malicious software programs on their website for various operations, such as miners, information stealers, VNC, and crypters. The figure below shows the post by the Purecoder TA.
The TAs developing this malware have also posted the tool information in the cybercrime forums to attract potential customers. The figure below shows the TA’s post on a cybercrime forum.
PureLogs and PureCrypt are the most impactful malwares created by PureCoder. Multiple other TAs are using these malwares in their campaigns. Below, we have shared information regarding multiple malicious programs.
PureLogs
PureLogs is a malicious .NET program that developers sell at $99 for a one-year subscription. It is specifically designed to steal browser data, crypto wallets, and various applications such as FTP Clients, email clients, and VPNs installed on a system. The following table shows the data targeted by PureLogs.
| Browsers | Crypto Wallets | Crypto Wallets |
| Passwords | Armory | FileZilla |
| Cookies | Atomic | WinSCP |
| History | BitcoinCore | Outlook |
| Autofill | DashCore | Thunderbird |
| Extensions* | Electrum | DiscordToken |
| Ethereum | Telegram | |
| Exodus | Pidgin | |
| Jaxx | InternetDM | |
| LitecoinCore | Steam | |
| Monero | OpenVPN | |
| Zcash | ProtonVPN | |
*Extensions: TronLink, MetaMask, Binance Chain Wallet, Yoroi, Coinbase Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Terra Station, BitClip, EQUAL Wallet, Wombat, Cyano Wallet, Nifty Wallet, Math Wallet, Guarda, Coin98 Wallet, TezBox, Trezor Password Manager, EOS Authenticator, Authy, GAuth Authenticator, Authenticator.
The figure below illustrates the post related to PureLogs Stealer.
PureCrypter
PureCrypter malware has been observed distributing multiple RATs and information stealers. It is a .NET-based executable, obfuscated with SmartAssembly, that is further protected with compression, encryption, and obfuscation to make it difficult to detect.
The malware is sold for $59 for a one-month subscription. Zscaler has provided a deeper technical analysis of the PureCrypter in a blog. The figure below shows TA’s post.
PureMiner
This is a hidden stealth silent miner; an attacker can use it for bots or spread it, and it will automatically mine ETHW or BTC to TAs wallet. TAs are currently providing PureMiner for $99. The following are the features provided by PureMiner:
- ETHW, ETC, XMR, ERGO, BTC, RVN, KASPA, FLUX MINING
- PROXY ETHW AND ETC MINING
- DETECTS IF THE USER IS IDLE OR PLAYING GAMES
- DOWNLOAD AND EXECUTE A FILE OR UPDATE
- RUNS ON RAM, NO DROPPING FILES
- BOT KILLER
- STARTUP
- CRYPTABLE WITH PURE CRYPTER
- HIGH-QUALITY STUB 64bit CODED IN .NET 4.0
The figure below shows the post by the TA.
BlueLoader
According to the developers, the BlueLoader botnet can manage a sizable quantity of bots, start up again automatically, launch DDoS attacks, and also possess a bot-eliminating capability. BlueLoader is sold for $99 by TAs. The figure below shows the post by TAs.
PureHVNC
Pure HVNC is a hidden stealth VNC used to control systems covertly. TAs are selling one-year subscriptions for $99. The features TAs as posted on the blog are:
- HVNC Support
- CHROME
- EDGE
- BRAVE
- FIREFOX
- OUTLOOK
- FOXMAIL
- CMD
- POWERSHELL
- CLIPBOARD COPY PASTE
- CHANGE DPI
- Run Program
- TASK MANAGER
- FILE MANAGER
- DOWNLOAD AND EXECUTE A FILE OR UPDATE STUB
- RUNS ON RAM, NO DROPPING FILES
- STARTUP
- CRYPTABLE WITH PURE CRYPTER
- HIGH-QUALITY STUB CODED IN .NET 4.0
The figure below shows the TA’s post.
Pure Logs Technical Analysis
The TA “Alibaba2044”’s malware campaign begins by sending out a malicious spam email linked to a zip file called DOC9848-14-12-2022.zip. This zip is password-protected to conceal its content and avoid detection.
Additionally, the zip file includes a Windows cabinet file that has been disguised as a bat file DOC9848_pdf.bat. When the user clicks on this cab file, it will drop .NET-executable x.exe with sha256 a843517b019e86af42252b568e06dfe91a22f9034ceb996f5b0df32dcc1e4274 in the temp folder and execute it.
The figure below shows the malicious executable in the temp folder.
The figure below shows the details of the malicious file x.exe.
The executable file contains a malicious custom encrypted payload in the form of an array. The data is encrypted using custom encryption.
The following figure shows the encrypted payload in the memory.
The malware decrypts the encrypted payload and stores it in memory at runtime.
The figure below shows the decrypted payload in the memory.
The decrypted payload is a PureLogs DLL file with the name “Ixqwqtt.dll” and sha256 db61b7e783969a2050c9e18b667c2a7d418d757a0c986183b8ef2f6e6eccaa48.
This malicious file is injected into running malware using Assembly.Load() method. The figure below shows the injection of malicious payload in the malware.
Conclusion
We have seen before that malware developers, with a lack of responsibility, can create malicious programs and sell them to different forums for monetary gain.
To attract more customers, they provide powerful and dangerous features like information stealers, cryptocurrency miners, and HVNC to TAs. It is all for their own financial benefit. We will stay vigilant and monitor the latest threats and trends on the surface, deep and dark web, keeping our readers updated.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Malware Attacks
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
Users Should Take the Following Steps After the Malware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact And Cruciality of Malware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Monetary loss.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 | User Execution |
| Defense Evasion | T1140 T1562 | Deobfuscate/Decode Files or Information Impair Defences |
| Discovery | T1082 T1083 | System Information Discovery File and Directory Discovery |
| Collection | T1119 T1005 | Automated Collection Data from the Local System |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1020 | Automated Exfiltration |
Indicators of Compromise (IoCs)
| Indicators | Indicator Type | Description |
| 5e5276abac4f39ed674c8783d12212dc c055b968ae48bd35342a4aebfe6195e67529d84e c59559275fb8af4bbc59d47c267a94fbe44151e40a8606414d1b1f76a99852b1 | MD5 SHA1 SHA256 | DOC9848-14-12-2022 .zip |
| 743ea515bb5bab8929c6d280a3d0feaa 58326656b86f43fdaa65b5493da1cb13e7cf6a2d 887cabc0d136a86a6be444883b62c90d073fd1f839896840233150475bd149c8 | MD5 SHA1 SHA256 | DOC9848_pdf.bat |
| 460834754a0e145320380e54400b9509 992c119799b3b3899263605930bf9fc2b656afe8 a843517b019e86af42252b568e06dfe91a22f9034ceb996f5b0df32dcc1e4274 | MD5 SHA1 SHA256 | x.exe |
| 86a9edac11733b9985d977b330389593 79c0f5242a3a95beeddd2761c092ed166332707c db61b7e783969a2050c9e18b667c2a7d418d757a0c986183b8ef2f6e6eccaa48 | MD5 SHA1 SHA256 | Ixqwqtt.dll |
