Technical Analysis of PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information Stealers

 

Key points

• PureCrypter is a fully-featured loader being sold since at least March 2021
• The malware has been observed distributing a variety of remote access trojans and information stealers
• The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products
• PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format  

Summary

PureCrypter is actively being developed by a threat actor using the moniker “PureCoder”. The malware has been sold and advertised since at least March 2021 according to the author’s website https://purecoder.sellix.io/. At the time of publication, PureCrypter is for sale with a cost of $59. Figure 1 shows PureCrypter’s website with a malware builder that provides a number of options including the following:

• Fake messages (e.g. fake error message to show to the user)
• Binder (additional file to be written to disk)
• Injection types (method to load the final stage)
• Persistence (startup)
• Optional features (mainly defense mechanisms)

Figure 1. Example screenshot of the PureCrypter website

 

At the top of the builder, a tab bar indicates the presence of additional tools (e.g., Office macro builder and Downloader). These tools are  likely used for the initial infection vector.

PureCrypter has been growing in popularity with a number of information stealers and remote access trojans (RATs) being deployed by it. ThreatLabz has observed PureCrypter being used to distribute the following malware families:

• AgentTesla
• Arkei
• AsyncRAT
• Azorult
• DcRAT
• LokiBotStealer
• Nanocore
• RedLineStealer
• Remcos
• SnakeKeylogger
• WarzoneRAT

 

Overview of an infection process

The sample with the SHA256 hash 4a88f9feaed04917f369fe5089f5c09f791bf1214673f6313196188e98093d74 was analyzed for this blog. This sample is an image (.img) file containing a fake .bat file named 63342221.BAT. However, this first-stage is in fact a simple .NET downloader that will execute a second-stage payload in memory. This first-stage downloader is likely part of the PureCrypter package. The downloaded second-stage  is the main PureCrypter payload, which will decrypt various resources and parse an internal configuration file that determines the malware’s settings.Finally, PureCrypter will inject the final malware payload inside another process. In this sample, PureCrypter injects a SnakeKeylogger sample inside the process MSBuild.exe. The process for each of these PureCrypter stages is described in detail below.

 

First-stage Downloader

PureCrypter’s first-stage is a simple downloader. In this example, the downloader was disguised as a fake date console application. The main function for this application is shown below in Figure 2.

Figure 2. PureCrypter downloader main function

The application secretly downloads a .NET assembly from a command and control server in order to bypass security products. The bytes of the assembly are completely reversed and this same  technique is used across PureCrypter’s different stages. The second-stage filename typically has a fake extension such as “jpg”, “png” or “log” and/or a legitimate-looking filename (e.g., “EpicGames.jpg”). The sample analyzed by ThreatLabz downloaded the second-stage from http://gbtak[.]ir/wp-content/Ygjklu.log (the SHA256 was 7bd6a945f1de0e390d2669c027549b49107bf116f8b064bf86b5e897794f46f9 after the bytes were reversed) as shown in Figure 3.

 

Figure 3. PureCrypter downloader code to retrieve the second-stage payload

The first-stage then loads the assembly, retrieves the hardcoded name of a method to call and invokes it.

 

Second-stage Injector

The second-stage payload is a more sophisticated piece of code and the core component of PureCrypter. On top of that, the .NET assembly is obfuscated with the commercial tool SmartAssembly. 

 

Resources and Assemblies Obfuscation

As part of the SmartAssembly’s obfuscation, the module entrypoint first adds an assembly and a resource resolver. An extra assembly resolver is added to handle compressed and/or encrypted data. Basically, when an assembly is referenced the resolver will capture that event and try to load the assembly from its resources. The requested assembly name is checked against a list of hardcoded assembly tokens or names (Figure 4).

Figure 4. PureCrypter’s obfuscation assembly resolver callback

There are also some additional headers present including a hardcoded array shown in Figure 5. 

Figure 5. Hardcoded array of assembly information

 

The array includes flags that determine how the second-stage payload is stored and whether it should be written to disk. These flags have the following meaning:
 

In the case of the “z” flag, PureCrypter checks if the resource string contains the header “{z}” as described here. The following byte describes how the data is stored as shown below: 
 

The sample analyzed by ThreatLabz had the AES key 2F820378FEEFBD90987D05D28F0FF0FE and initialization vector (IV) 742CA81F5AC2028E04861092F9F72ECB.

This second-stage PureCrypter sample analyzed by ThreatLabz contained 2 resources: a SnakeKeylogger variant (the bytes were reversed and gzip compressed) and a resource-only .NET library that contains the following two compressed (raw inflate) libraries:

• Costura library to embed references as resources
• Protobuf library for object deserialization

In this case, SmartAssembly uses two levels of resource resolvers.

 

PureCrypter Features

The main function of the PureCrypter injector starts by reversing, decompressing (gunzip) and deserializing an object into the following protocol buffer (protobuf) structure in Figure 6. 

 

Figure 6. PureCrypter protobuf structure

 

The protobuf structure is largely self-explanatory with respect to the capabilities of the PureCrypter injector. Table 1 shows a summary of the most relevant fields.
 

Table 1. PureCrypter main features

Some options provided in the protobuf structure such as Payload and IsMelt are unreferenced.

 

New PureCrypter Features

The serialized protobuf object has been updated in more recent samples and contains a few more options as described in Table 2.

 

Table 2. New PureCrypter features

 

Discord Webhook and Telegram

The author of PureCrypter provided an option to send an infection status message on a Discord channel. Using the the DiscordWebHookUrl parameter, the malware can send the following dictionary in Table 3 via the WebClient:UploadValues method over TLS 1.2.
 

        Table 3. PureCrypter UploadValues parameters used by the Discord webhook

 

New variants of the malware can send a similar message to the author via Telegram. The URL is constructed as follows:

https://api.telegram.org/bot + protobuf_configuration.TelegramToken + /sendMessage?chat_id= + protobuf_configuration.TelegramID.

The message is sent via WebClient:DownloadString over TLS 1.2.

 

Persistence

Given the StartupSettings members, the PureCrypter injector can achieve persistence using different methods as shown in Table 4. Firstly, it takes the Location member as a parameter to the Environment.GetFolderPath method. In this case, it retrieves the %APPDATA% folder and appends the value of the FileName member to it. The EnumStartup field indicates how to install the malware on the system (for the sake of simplicity, FILENAME is used as a place-holder for the malware installation path).

 

Table 4. PureCrypter registry persistence

 

Table 5 shows examples of different fake file names and directories used by PureCrypter.
 

Table 5. Interesting file names used by PureCrypter for persistence

 

Injection Methods

The PureCrypter developer provides three different ways to run the associated malware, which is given by the EnumInjection member. However, all of them retrieve the embedded malicious payload by decompressing and reversing one of the resources mentioned earlier.

Process Hollowing

The process hollowing technique is pretty classic and comes in 32 and 64-bit flavors (shown in Figure 7). PureCrypter starts by creating a suspended process via CreateProcessA(). The command-line argument is built by concatenating the result of GetRuntimeDirectory(), the InjectionPath and an “.exe” extension. If the CommandLine struct member is set, then it is also concatenated. The remote process memory is unmapped via ZwUnmapViewOfSection() and the associated malware is written to the process memory and executed.

Figure 7. Code snippet of the PureCrypter process hollowing technique

What’s interesting about that technique is the choice of the author to put some junk code in the middle of it (as shown in Figure 8). The code was likely inserted to avoid being detected by a behavioral analysis engine. Here, the Internet Explorer main window is retrieved along with its coordinates, but that information is never subsequently used.

Figure 8. Junk code added by PureCrypter

 

Shellcode

The injector can also run the embedded resource inside its own process by creating a shellcode (Figure 9).

Figure 9. PureCrypter CreateShellcode function

 

Figure 10 shows the disassembly of the shellcode.

Figure 10. Disassembled x86-64 PureCrypter shellcode

Assembly Loading

The last way the PureCrypter injector can run its payload is by loading the resource as an assembly and invoking its entrypoint (as shown in Figure 11).

Figure 11. PureCrypter Assembly loading

 

Extra Anti-* functionalities

Some methods that don’t seem to be referenced, but still are quite interesting in terms of environment detection are the following: 

• Queries the WMI object Win32_BIOS for the computer’s SerialNumber and Version and checks if it matches the regular expression “VMware|VIRTUAL|A M I|Xen”
• Queries the WMI object Win32_ComputerSystem for the computer’s Manufacturer and Model and checks if it matches the regular expression “Microsoft|VMWare|Virtual”
• Calls CheckRemoteDebuggerPresent
• Checks for the presence of “SbieDLL.dll” module
• Checks specific resolutions of the display monitor

 

Injected code

The sample analyzed delivers a SnakeKeylogger variant. This malware family is just one of many payloads observed by ThreatLabz that is injected via a process hollowing technique. This family is already well-documented and its configuration can easily be extracted. Figure 12 shows the extracted SnakeKeylogger configuration from this sample.

Figure 12. SnakeKeylogger extracted configuration for a sample dropped by PureCrypter

 

Conclusion

PureCrypter is a fully-functional loader that works as advertised. The usage of Google’s protobuf format makes it more malleable and the use of reversed, compressed and encrypted payloads can make it more difficult for static antivirus engines to detect. ThreatLabz research shows that many different customers are making use of this loader to deliver RATs and information stealers. 

 

Cloud Sandbox Detection

Zscaler's multilayered cloud security platform detects indicators at various levels, as shown below:

• Win32.Downloader.PureCrypter

 

Indicators of Compromise

 

 

Additional PureCrypter hashes