An extensive examination of the growing danger posed by the Pure malware family has been released, providing the industry with more insightful information about PureCrypter, PureLogs, and PureMiner.
ANY. RUN has disclosed that Pure tools are disguised as legitimate software designed for “educational purposes.” However, a close examination of the code reveals that it is a powerful malicious tool.
ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use ANY.RUN platform to investigate incidents and streamline threat analysis. If you’re a security researcher or an analyst, you can request 14 days of free access to the ANY.RUN Enterprise plan.
Specific information on the Pure Malware Family
PureCoder products were first distributed in March 2021, as per the information given by the developer’s old website. There’s a message on Pure’s current website saying that the software is used for penetration testing and educational reasons on the home page.
It’s important to note, though, that there seems to be a pattern where the code that is sold is being used for malicious purposes.
Try ANY.RUN Yourself with a 14-day Free Trial
More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..
The Telegram bot sales have been noted in Pure updates since March 2023. Telegram bots automate and anonymize the malware purchase process. The use of bots indicates that the author is growing, expanding, and refining the service.
These products are given to educate users; however, it appears strange that they include hidden HVNC, botnets, and silent miners. Pure’s online comments and evaluations indicate a strong level of demand, with at least a few transactions made each month.
Users must make cryptocurrency payments In Bitcoin. More than one Bitcoin wallet is available on the payment page. These wallets are probably a component of a Bitcoin mixer.
Recently, in Q4, ANY.RUN discovered the use of T1036.005 in over 98,500 malicious samples. You can see what the top malware families, Types, Tactics, Techniques, and Procedures (TTPs) used by attackers in 2023 can tell us about what to expect in 2024.
Pure Malware Tools Masquerading As Legitimate Software
- PureCrypter
PureCrypter is a crypter (or obfuscator) with encryption and data obfuscation algorithms. Combined, they prevent antivirus software from detecting malware, making analysis more challenging for researchers.
There are two payload stages on the loader: staged and stage-less. Costura and Protobuf-net libraries are among the decrypted resources.
Data is deserialized and combined with the compressed malware to generate a configuration using Protobuf-net. When the malware has finished decompressing, it is finally launched in a new process with configuration parameters.
We can see that the entrance points of PureCrypter, both staged and stage-less, are the same. Hence, they are nearly identical.
PureCrypter can deliver two different kinds of payloads: 3rd party malware or its own proprietary product, PureLogs.
Like the stage-less process, third-party malware starts by decrypting and loading the.NET Assembly resource. This also occurs with AES (Rijndael) encryption in the same way.
- PureLogs Loader
The NET Reactor protector usually uses a loader to spread the PureLogs malware. A small library called PureLogs is engaged in data theft. The loader typically loads the library from a C2 server.
An encrypted message is transmitted and an encrypted response is received in the initial connection, according to an analysis of the loading traffic. All of this takes place inside the loader.
The response includes an extra serialization layer and is re-encrypted via byte reversal, but the two messages in the initial connection are encrypted similarly. The program forwards this message to the server after encrypting it. Four bytes indicating the message’s size come first, then the message itself.
- PureLogs
A multifunctional stealer is PureLogs. Obfuscation and obfuscation techniques complicate PureLogs’ analysis, just like they do PureCrypter’s. This is sometimes confused with ZGRat, which is commonly found in the samples of the Pure family.
The library gathers information from the system by looping through many functions, such as browser data including extensions, data about crypto wallets, complete information about the user and full information about the PC configuration.
- PureMiner
Experts discovered distinct samples with PureCrypter and PureLogs-like signatures. These signatures had the same traffic patterns, a structure similar to PureCrypter and PureLogs, same code behavior (proto-buf module), and 3DES encryption (key encrypted using MD5Crypto).
PureMiner gathers information on the system and sends it to C2. Following that, it gets a response along with mining guidelines.
Final Words
The code analysis clearly shows that it is a potent malicious tool. Its developers have just started spreading it using a Telegram bot, suggesting that they are expanding their business.
It is very likely that shortly, its popularity will begin to rise.
Perform in-depth malware analysis in ANY.RUN. Try all features for 14 days for free.