Pure Malware Family Exposed: An Analysis of PureCrypter, PureLogs, and PureMiner 


The Pure malware family’s origins trace back to March 2021. Initially it was advertised as educational and penetration testing software. However, closer examination shows a different reality.  

Evidence suggests these products are frequently employed in malicious campaigns, raising concerns about their true purpose. 

In their recent blog post, researchers at ANY.RUN shared an in-depth analysis of the most popular representatives of the Pure malware family: PureCrypter, PureLogs, and PureMiner. Here is an overview of what they found.  

PureCrypter Analysis 

The Pure family’s malware deployment typically begins with a loader containing both staged and stage-less payloads. PureCrypter serves as a prime example, utilizing custom encryption algorithms and network communication with high entropy to evade detection. 

Behavior flow of PureCrypter

PureCrypter operates in two variants: 

  • Staged: Loader decrypts resources containing libraries like Protobuf-net and Costura. 
  • Stage-less: Protobuf-net deserializes data, forming a configuration with compressed malware. This compressed malware is then decompressed and executed with parameters from the configuration in a separate process. 

By obfuscating and encrypting malware, PureCrypter aims to make detection and analysis by security measures more challenging. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

TI Lookup returned numerous PureCrypter analysis sessions

Searching for threat information on PureCrypter on Threat Intelligence Lookup revealed hundreds of samples analyzed in the ANY.RUN sandbox. 

Button: Speed up threat investigations with TI Lookup by discovering context info related to specific IOCs, TTPs, and artifacts found in command lines, registries, and processes. 

 Try Threat Intelligence Lookup 

Staged Loader 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Payload download

Submitting this sample for analysis in ANY.RUN unveiled that it was written in .NET. After execution, the sample downloaded an .mp4 file, which turned out to be a payload with a 3-byte XOR encryption. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Source code

Using a custom CyberChef recipe, the file was decrypted, revealing an executable or library beneath the deceptive exterior. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

XOR with the key ”335” in Cyberchef

Stage-less Loader  

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Information from DIE

Unlike the staged loader, the stage-less counterpart employs SmartAssembly for protection. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Resource on board

The payload itself resides within a resource, encrypted for added security. 

This execution involves two steps: 

1) AES decryption: The resource is decrypted using AES with embedded keys. 

2) Decompression: Following AES decryption, the resource is decompressed, exposing a .NET Assembly without executable code but containing another encrypted resource. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Cyberchef – AES+decompress

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Nchya resource

This second resource undergoes further decryption using 3DES with a different key and initialization vector (IV). 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Cyberchef – TripleDES

PureCrypter Payloads  

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

EntryPoint of PureCrypter

Both staged and stage-less PureCrypter loaders ultimately share the same entry point, suggesting underlying similarities despite their differing encryption approaches. This shared entry point serves as the launching pad for two payload types: 

  • Third-party malware like AgentTesla. 
  • PureLogs, PureCrypter’s own malware specializing in data exfiltration. 

Third-party malware 

The initial steps of the AgentTesla payload follow a similar process to the stage-less loader: decrypting and loading a .NET Assembly resource. This decryption employs the same AES (Rijndael) encryption algorithm, suggesting a consistent approach within the PureCrypter framework. 

You can view the rest of the AgentTesla deployment process in the original post on ANY.RUN’s blog

For this article, let’s focus on Pure’s own malware, PureLogs. 

PureLogs Analysis 

PureLogs malware, disguised as a small .NET library, relies on a NET Reactor-protected loader for distribution and communication with its command-and-control (C2) server. Its primary function is data theft, achieved by the library being downloaded and loaded by the loader. 

However, communication with the C2 server isn’t straightforward. Analyzing the loading traffic reveals a multi-layered encryption process: 

First connection: 

  1. Encrypted messages: Both the loader’s initial message and the server’s response are encrypted. 
  1. Double encryption: The server’s response undergoes an additional layer of serialization and re-encryption with byte reversal. 
  1. 3DES encryption: The 3DES encryption method is utilized with a key stored within the loader’s resources. This key itself is further secured with an MD5 hash. 
  1. Transmission format: The loader sends the message size (4 bytes) followed by the encrypted data. 

This complex encryption scheme aims to obfuscate PureLogs’ communication and hinder analysis efforts. View a complete decryption here

The server’s response, after initial decryption, undergoes further processing. Like the initial message, it’s deserialized and re-encrypted using 3DES and GZIP compression. However, a final twist awaits: the entire data is reversed byte-by-byte. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

TripleDES+GZIP (you can immediately remove the first 4 bytes of length or use DROP)

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

After deserialization: TripleDES+GZIP+Reverse

As a result, a library responsible for stealing and exfiltrating data is obtained. It’s time to take a closer look at it. 

PureLogs: Multifaceted Stealer 

PureLogs, a multifunctional stealer, shares similarities with PureCrypter in its use of obfuscation techniques to impede analysis.  

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

ClassLibrary1

The class library features the “PlgCore” class, likely signifying “PureLogsCore.”  

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Configuration data

This core component receives serialized data from a resource loaded by the loader from the Command & Control (C2) server. 

Data collection and encryption: 

1) Deserialization and Configuration: The library deserializes the received data and stores it as configuration settings. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Configuration

2) Extensive Data Gathering: The library iterates through numerous functions, collecting a wide range of data from the infected system, including: 

  • Browser data and extensions 
  • Cryptocurrency wallet details 
  • User information 
  • Complete PC configuration details 
Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

System data

3) Serialization and Encryption: The gathered data is then serialized and encrypted for secure transmission. This involves compression and 3DES encryption using a pre-existing key. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Data transmission (first 4 bytes indicate size, followed by the message)

Data Transmission: 

4) Hashing and Transmission: The prepared data undergoes three transmissions: 

  • The first and last transmissions contain hashes of the actual data for integrity checks. 
  • The second transmission carries the encrypted data itself, preceded by a 4-byte size indicator. 
Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Decryption of the first message (the last one is identical)

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Decryption of the data

This multi-step process, involving data collection, encryption, and hashing, aims to obfuscate the stolen information and make its analysis more challenging. 

PureMiner Analysis 

Researchers at ANY.RUN investigating PureLogs and PureCrypter also encountered another sample that shared the same features with other Pure malware. It followed an identical pattern: 4 bytes indicating data length and the transmission of the actual data.  

This consistency hinted at a shared communication approach. Further analysis highlighted a common encryption scheme as well, with both employing 3DES and MD5-encrypted keys. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

PureMiner bears a resemblance to PureLogs

Running the sample with administrative privileges in ANY.RUN exposed its tactic: the malware created a scheduled task for self-persistence and injected itself into legitimate processes.  

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

The process of restarting using cmd

The proto-buf configuration and strings mentioning XMRIG, a cryptocurrency miner, hinted at the malware’s potential purpose. 

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Configuration

To understand the communication flow better, researchers decrypted the network traffic using the retrieved key and found the familiar 3DES encryption with the 4-byte length indicator.  

Stay Ahead of the Threats: Insights into Emerging Cybersecurity Trends for 2024

Decrypted traffic 

This allowed the researchers to conclude that the Pure malware family also includes a miner. 

Try ANY.RUN for free 

ANY.RUN is a trusted provider of an interactive malware analysis sandbox that has been at the forefront of cybersecurity innovation for over 7 years.  

The service offers fully interactive Windows and Linux virtual machines (VMs) for conducting both quick scanning of suspicious files and links, as well as in-depth investigations. 

 Try ANY.RUN’s malware sandbox for 14 days at no cost by requesting a trial. 











Source link