Pure Malware Tools Pose As Legitimate Software to Bypass AV Detections

An extensive examination of the growing danger posed by the Pure malware family has been released, providing the industry with more insightful information about PureCrypter, PureLogs, and PureMiner.

ANY. RUN has disclosed that Pure tools are disguised as legitimate software designed for “educational purposes.” However, a close examination of the code reveals that it is a powerful malicious tool.

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use ANY.RUN platform to investigate incidents and streamline threat analysis.  If you’re a security researcher or an analyst, you can request 14 days of free access to the ANY.RUN Enterprise plan.    

Specific information on the Pure Malware Family

PureCoder products were first distributed in March 2021, as per the information given by the developer’s old website. There’s a message on Pure’s current website saying that the software is used for penetration testing and educational reasons on the home page.

Website lies about educational and pentesting nature of the software

It’s important to note, though, that there seems to be a pattern where the code that is sold is being used for malicious purposes.

Document
Analyse Shopisticated Malware with ANY.RUN

Try ANY.RUN Yourself with a 14-day Free Trial

More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..

The Telegram bot sales have been noted in Pure updates since March 2023. Telegram bots automate and anonymize the malware purchase process. The use of bots indicates that the author is growing, expanding, and refining the service.

Products the group distributes under the guise of “educational purposes”

These products are given to educate users; however, it appears strange that they include hidden HVNC, botnets, and silent miners. Pure’s online comments and evaluations indicate a strong level of demand, with at least a few transactions made each month.

Users must make cryptocurrency payments In Bitcoin. More than one Bitcoin wallet is available on the payment page. These wallets are probably a component of a Bitcoin mixer.

Recently, in Q4, ANY.RUN discovered the use of T1036.005 in over 98,500 malicious samples. You can see what the top malware families, Types, Tactics, Techniques, and Procedures (TTPs) used by attackers in 2023 can tell us about what to expect in 2024.

Pure Malware Tools Masquerading As Legitimate Software

  • PureCrypter

PureCrypter is a crypter (or obfuscator) with encryption and data obfuscation algorithms. Combined, they prevent antivirus software from detecting malware, making analysis more challenging for researchers.

Behavior flow of PureCrypter

There are two payload stages on the loader: staged and stage-less. Costura and Protobuf-net libraries are among the decrypted resources. 

Data is deserialized and combined with the compressed malware to generate a configuration using Protobuf-net. When the malware has finished decompressing, it is finally launched in a new process with configuration parameters.

We can see that the entrance points of PureCrypter, both staged and stage-less, are the same. Hence, they are nearly identical.

PureCrypter can deliver two different kinds of payloads: 3rd party malware or its own proprietary product, PureLogs.

Like the stage-less process, third-party malware starts by decrypting and loading the.NET Assembly resource. This also occurs with AES (Rijndael) encryption in the same way.

  • PureLogs Loader

The NET Reactor protector usually uses a loader to spread the PureLogs malware. A small library called PureLogs is engaged in data theft. The loader typically loads the library from a C2 server.

PureLogs Loader

An encrypted message is transmitted and an encrypted response is received in the initial connection, according to an analysis of the loading traffic. All of this takes place inside the loader.

The response includes an extra serialization layer and is re-encrypted via byte reversal, but the two messages in the initial connection are encrypted similarly. The program forwards this message to the server after encrypting it. Four bytes indicating the message’s size come first, then the message itself.

  • PureLogs

A multifunctional stealer is PureLogs. Obfuscation and obfuscation techniques complicate PureLogs’ analysis, just like they do PureCrypter’s. This is sometimes confused with ZGRat, which is commonly found in the samples of the Pure family.

The library gathers information from the system by looping through many functions, such as browser data including extensions, data about crypto wallets, complete information about the user and full information about the PC configuration.

  • PureMiner

Experts discovered distinct samples with PureCrypter and PureLogs-like signatures. These signatures had the same traffic patterns, a structure similar to PureCrypter and PureLogs, same code behavior (proto-buf module), and 3DES encryption (key encrypted using MD5Crypto).

PureMiner

PureMiner gathers information on the system and sends it to C2. Following that, it gets a response along with mining guidelines.

Final Words

The code analysis clearly shows that it is a potent malicious tool. Its developers have just started spreading it using a Telegram bot, suggesting that they are expanding their business.

It is very likely that shortly, its popularity will begin to rise.

Perform in-depth malware analysis in ANY.RUN. Try all features for 14 days for free.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

18 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

18 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

19 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

20 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

20 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

20 hours ago