Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter that’s being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers.
“The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption, and obfuscation to evade antivirus software products,” Zscaler’s Romain Dumont said in a new report.
Some of the malware families distributed using PureCrypter include Agent Tesla, Arkei, AsyncRAT, AZORult, DarkCrystal RAT (DCRat), LokiBot, NanoCore, RedLine Stealer, Remcos, Snake Keylogger, and Warzone RAT.
Sold for a price of $59 by its developer named “PureCoder” for a one-month plan (and $249 for a one-off lifetime purchase) since at least March 2021, PureCrypter is advertised as the “only crypter in the market that uses offline and online delivery technique.”
Crypters act as the first layer of defense against reverse engineering and are typically used to pack the malicious payload. PureCrypter also features what it says is an advanced mechanism to inject the embedded malware into native processes and a variety of configurable options to achieve persistence on startup and turn on additional options to fly under the radar.
Also offered is a Microsoft Office macro builder and a downloader, highlighting the potential initial infection routes that can be employed to propagate the malware.
Interestingly, while PureCoder makes it a point to note that the “software was created for educational purposes only,” its terms of service (ToS) forbids buyers from uploading the tool to malware scanning databases such as VirusTotal, Jotti, and MetaDefender.
“You are not allowed to scan the crypted file, as the crypter itself has a built-in scanner,” the ToS further states.
In one sample analyzed by Zscaler, a disk image file (.IMG) was found to contain a first-stage downloader that, in turn, retrieves and runs a second-stage module from a remote server, which subsequently injects the final malware payload inside other processes like MSBuild.
PureCryter also offers a number of notable features that allows it to remove itself from the compromised machine and report the infection status to the author via Discord and Telegram.