Cybersecurity researchers have observed a more advanced version of a fully functional malware loader dubbed PureCrypter, which has been actively distributing remote access Trojans (RATs) and information stealers since March 2021. Notorious malware samples delivered using PureCrypter include AsyncRAT, LokiBot, Remcos, Warzone RAT, NanoCore, Arkei Stealer, and RedLine Stealer. The updated PureCrypter loader includes new modules with additional anti-analysis techniques, stronger encryption, and obfuscation that help malware operators evade detection.
To detect the malicious activity associated with the PureCrypter malware loader and prevent attacks against your infrastructure, grab the dedicated Sigma rule by our seasoned Threat Bounty developer Osman Demir. Join the Threat Bounty Program to take your professional skills to the next level by writing your own detection content and receiving recognition from the global cybersecurity community for your contribution.
To access the dedicated Sigma rule, make sure to sign up or log into SOC Prime’s platform. This rule detects PureCrypter loader persistence achieved by adding entries to the registry Run key:
Suspicious PureCrypter Loader Persistence by Adding of Run Key to Registry (via registry_event)
The detection supports translations to 19 SIEM, EDR & XDR formats and is mapped to the MITRE ATT&CK® framework addressing the Persistence tactic with Boot or Logon Autostart Execution (T1547) as the main technique.
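The registry_event logic behind a rule like the one above, shown as an added Python example (not SOC Prime's rule or its code): it scans constructed Sysmon-style "value set" records for writes under the Run/RunOnce keys and flags those whose value data, or the writing process itself, lives in a user-writable location. The event field names, paths and value names are assumptions made up for the demo.

```python
import re

# Constructed Sysmon-style registry_event records (EventID 13, "value set").
# These are made-up samples for the demo, not real PureCrypter telemetry.
SAMPLE_EVENTS = [
    {"EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Roaming\svc\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    {"EventType": "SetValue",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventType": "SetValue",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\x",
     "Details": r"C:\Users\alice\AppData\Local\Temp\ld.exe"},
    {"EventType": "SetValue",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Acme\Settings\Theme",
     "Details": "dark"},
]

# Autostart locations covered by T1547.001 (Run / RunOnce keys, any hive).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Directories an unprivileged user (and therefore a dropped loader) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def classify(event):
    """Return a reason string if the event looks like suspicious Run-key persistence, else None."""
    if event.get("EventType") != "SetValue":
        return None
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None
    details, image = event.get("Details", ""), event.get("Image", "")
    if USER_WRITABLE_RE.search(details):
        return "run key points to user-writable path: " + details
    if USER_WRITABLE_RE.search(image):
        return "run key written by process in user-writable path: " + image
    return None  # Run-key write from/to a normal install location: benign here


def find_suspicious(events):
    """Return (TargetObject, reason) for every event classify() flags."""
    findings = []
    for e in events:
        reason = classify(e)
        if reason:
            findings.append((e["TargetObject"], reason))
    return findings
```

Tuning the user-writable directory list to your environment is what separates a usable alert from noise; legitimate installers also write Run keys, but rarely from these paths.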
Registered SOC Prime users can promptly identify these malware strains in their infrastructure and keep abreast of emerging threats by leveraging an immense library of curated detection rules and hunting queries available in the Detection as Code platform. Click the Detect & Hunt button to drill down to the full collection of Sigma rules for detecting multiple RATs and proactively defending against related malware. Striving to keep up with the latest trends shaping the cyber threat landscape and dive into relevant threat context? Browse SOC Prime to instantly search for top threats, look for particular APTs or exploits, reach the newly released Sigma rules, and explore relevant contextual information in a single place.
Recent Zscaler research has provided insights into the evolution of the PureCrypter loader, which has been in the cyber threat arena for over one year distributing multiple malware strains, including RATs and infostealers. The malware loader is actively being sold and promoted by its developer, who operates under the moniker “PureCoder”.
The infection chain has two stages. In the first stage, a simple .NET PureCrypter downloader launches a more sophisticated second-stage module, which serves as the main payload and injects the final malware, such as a RAT or an info stealer, into another process, for instance MSBuild.
The PureCrypter author has enriched the new variant with the ability to send an infection status message via Discord and Telegram. Other features of the upgraded version include persistence, injection, and defense mechanisms, along with more sophisticated encryption and obfuscation techniques to bypass detection. The injector’s ability to gain persistence at startup and its use of Google’s Protocol Buffers format make it harder for standard anti-virus software to detect.
In view of the evolving capabilities of the PureCrypter malware loader and the growing scope of its impact, InfoSec professionals are looking for ways to reinforce their cyber defenses and be ready to withstand the threat. SOC Prime’s Detection as Code platform provides organizations at different levels of cybersecurity maturity with future-proof threat detection and hunting capabilities tailored to their business needs and to multiple SIEM, EDR, and XDR environments. Individual cybersecurity researchers and threat hunters can advance their careers by joining the Threat Bounty Program, submitting their own Sigma and YARA rules, and monetizing their threat detection efforts.