Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware
2022-06-14 01:02

Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter that's being purchased by cyber criminals to deliver remote access trojans and information stealers.

Some of the malware families distributed using PureCrypter include Agent Tesla, Arkei, AsyncRAT, AZORult, DarkCrystal RAT, LokiBot, NanoCore, RedLine Stealer, Remcos, Snake Keylogger, and Warzone RAT. Sold by its developer, known as "PureCoder", since at least March 2021 at a price of $59 for a one-month plan, PureCrypter is advertised as the "Only crypter in the market that uses offline and online delivery technique."

Crypters act as the first layer of defense against reverse engineering and are typically used to pack the malicious payload. PureCrypter also features what its developer describes as an advanced mechanism to inject the embedded malware into native processes, along with a variety of configurable options to achieve persistence on startup and enable additional features intended to evade detection.

Also offered is a Microsoft Office macro builder and a downloader, highlighting the potential initial infection routes that can be employed to propagate the malware.

Interestingly, while PureCoder makes a point of noting that the "Software was created for educational purposes only," its terms of service forbid buyers from uploading the tool to malware scanning databases such as VirusTotal, Jotti, and MetaDefender.

In one sample analyzed by Zscaler, a disk image file was found to contain a first-stage downloader that, in turn, retrieves and runs a second-stage module from a remote server, which subsequently injects the final malware payload into other processes such as MSBuild.
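The chain described above (a loader launched from a mounted disk image that ends with the payload running inside MSBuild) leaves a process lineage that endpoint telemetry can surface. The following detection sketch is an added example, not code from the article or from Zscaler: it walks constructed process-creation events and flags any MSBuild.exe whose ancestry starts on a mounted disk image, or that was launched without a project file, which a legitimate build would normally carry. The drive letter for the mounted image is a constructed assumption supplied as input.

```python
"""Flag MSBuild.exe launches whose lineage matches the disk-image loader chain."""
import ntpath
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample telemetry (not real data): E: is assumed to be a mounted .img/.iso.
MOUNTED_IMAGE_ROOTS = {"E:\\"}
SAMPLE_EVENTS = [
    Event(4, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(100, 4, r"E:\invoice.exe", "invoice.exe"),  # first stage, run from the image
    Event(120, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    Event(200, 4, r"C:\Program Files\devenv.exe", "devenv.exe"),
    Event(210, 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe proj.csproj"),
]

PROJECT_SUFFIXES = (".csproj", ".vbproj", ".proj", ".sln", ".xml")


def ancestors(events_by_pid, pid):
    """Yield parent, grandparent, ... of pid; stop at unknown parents or cycles."""
    seen = set()
    ev = events_by_pid.get(pid)
    while ev and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = events_by_pid.get(ev.ppid)
        if ev:
            yield ev


def from_disk_image(path, image_roots):
    """True if the executable path sits under a known mounted-image root."""
    return any(path.upper().startswith(root.upper()) for root in image_roots)


def find_suspicious_msbuild(events, image_roots):
    """Return [(pid, [reasons])] for MSBuild launches that look like loader abuse."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "msbuild.exe":
            continue
        reasons = []
        if any(from_disk_image(a.image, image_roots) for a in ancestors(by_pid, e.pid)):
            reasons.append("ancestor launched from mounted disk image")
        args = e.cmdline.split()[1:]  # naive split; quoted paths would need shlex-style parsing
        if not any(a.lower().endswith(PROJECT_SUFFIXES) for a in args):
            reasons.append("no project file on command line")
        if reasons:
            hits.append((e.pid, reasons))
    return hits
```

Run against the sample, only pid 120 is reported, with both reasons; the developer-driven build (pid 210) is not.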


News URL

https://thehackernews.com/2022/06/researchers-detail-purecrypter-loader.html