PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information Stealers

June 15, 2022

PureCrypter, actively developed by the threat actor “PureCoder,” is a fully-functional loader designed to distribute Remote Access Trojans (RATs) and information stealers. It is built as a multi-stage .NET loader, combining obfuscation, in-memory injection and anti-analysis checks to get past security products.
The initial stage is a simple downloader disguised as a fake date console application. It fetches a .NET assembly from a command-and-control (C2) server; the assembly is stored with its bytes reversed, so the downloaded file carries no recognisable PE header until the downloader reverses it back before loading. Subsequent stages are hosted under benign-looking filenames and extensions, such as .jpg, .png, or .log, to disguise the malicious payloads.
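The byte reversal described above is trivial for the loader (a single array reversal in .NET) but it does defeat naive PE signature checks. The following Python helper is an added analysis example, not the loader's own code: it recognises a PE image in either orientation, restores a reversed one, and rejects blobs that are neither. The sample image is a constructed DOS/PE header stub, not a real assembly.

```python
"""Detect and restore a byte-reversed PE/.NET assembly.

Added triage helper; not PureCrypter's code. The sample blob built by
build_sample_pe() is a constructed header skeleton, not a runnable executable.
"""
import struct

MZ = b"MZ"          # DOS header magic at offset 0
PE_SIG = b"PE\0\0"  # NT header signature at offset e_lfanew
E_LFANEW_OFFSET = 0x3C


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like blob: 0x40-byte DOS header whose e_lfanew
    points at a PE signature at 0x80, followed by some zero padding."""
    e_lfanew = 0x80
    dos_header = bytearray(MZ) + bytes(E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    dos_stub = bytes(e_lfanew - len(dos_header))
    return bytes(dos_header) + dos_stub + PE_SIG + bytes(0x10)


def looks_like_pe(blob: bytes) -> bool:
    """True if the blob has a plausible DOS header and the PE signature
    at the offset that header points to."""
    if len(blob) < 0x40 or blob[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)[0]
    return blob[e_lfanew:e_lfanew + 4] == PE_SIG


def is_reversed_pe(blob: bytes) -> bool:
    """True if the blob is only a valid PE once its byte order is reversed.
    Quick tell for analysts: such files end with b'ZM' instead of starting with b'MZ'."""
    return not looks_like_pe(blob) and looks_like_pe(blob[::-1])


def orientation(blob: bytes) -> str:
    """Classify a downloaded blob: 'pe', 'reversed-pe' or 'unknown'."""
    if looks_like_pe(blob):
        return "pe"
    if is_reversed_pe(blob):
        return "reversed-pe"
    return "unknown"


def recover(blob: bytes) -> bytes:
    """Return the blob in normal PE orientation, undoing the reversal if needed."""
    kind = orientation(blob)
    if kind == "pe":
        return blob
    if kind == "reversed-pe":
        return blob[::-1]
    raise ValueError("not a PE image in either orientation")


if __name__ == "__main__":
    # What the stage-1 downloader receives from the C2 (constructed sample).
    on_the_wire = build_sample_pe()[::-1]
    print("starts with MZ:", on_the_wire.startswith(MZ), "ends with ZM:", on_the_wire.endswith(b"ZM"))
    print("orientation:", orientation(on_the_wire))
    print("restored matches original:", recover(on_the_wire) == build_sample_pe())
```

Run it over a suspicious download that a PE parser rejects; a "reversed-pe" result with a `ZM` tail is a strong hint that you are looking at a PureCrypter-style stage rather than corrupt data.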

Key Features of PureCrypter

Multi-Stage Obfuscation

  • Stage 1: Disguised as a legitimate-looking console application whose only job is to download and load the next stage.
  • Stage 2: Protected with SmartAssembly obfuscation; it registers assembly and resource resolvers so that compressed or encrypted embedded data is decoded only when the runtime asks for it.

Persistence Mechanisms

  • Builds its persistence path by resolving %APPDATA% and appending the payload filename.
  • Offers multiple startup options so the payload is relaunched after a reboot.

Injection Techniques

PureCrypter uses several methods to inject malicious payloads:

  • Process Hollowing: Creates a legitimate process in a suspended state, unmaps its original image, writes the payload into the process memory and resumes execution, so the malicious code runs under a trusted process name.
  • Shellcode Execution: Runs an embedded resource as shellcode within the loader's own process.
  • Assembly Loading: Loads an embedded resource as a .NET assembly and invokes its entry point.

Anti-Detection and Anti-Analysis Capabilities

PureCrypter incorporates advanced anti-detection techniques, including:

  • Environment Detection: Queries WMI classes such as Win32_BIOS and Win32_ComputerSystem and looks for substrings like “VMware” or “Virtual” in the returned fields to detect virtual machines.
  • Debugger and Sandbox Checks: Calls CheckRemoteDebuggerPresent and scans the loaded modules for sandbox DLLs such as SbieDLL.dll (Sandboxie).
  • Resolution-Based Detection: Compares the display resolution against values typical of virtualized or sandbox environments.

Communication and Payload Delivery

Discord and Telegram Integration

PureCrypter can report infection status to the operator through Discord or Telegram, using HTTPS (TLS 1.2) so the messages blend in with ordinary traffic to those services.

  • Discord: Posts the status message to the webhook URL stored in the DiscordWebHookUrl configuration parameter.
  • Telegram: Builds a Bot API request URL from the configured bot token and chat ID and sends the status message through it.
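Because both channels are ordinary HTTPS requests, the useful detection artefacts are the URL shapes: a Telegram Bot API call is `https://api.telegram.org/bot<token>/sendMessage?chat_id=...`, and a Discord webhook is `https://discord.com/api/webhooks/<id>/<token>`. The Python below is an added example (not part of the original research) that extracts these beacons, including the bot token and chat ID, from a few constructed proxy log lines in a simple `timestamp src method url status` format; the tokens and IDs in the sample are made up.

```python
"""Find Telegram/Discord status beacons of the kind PureCrypter sends, in
proxy logs. Added example over constructed log lines; not the loader's code."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API: token is "<bot id>:<secret>" embedded in the path.
TELEGRAM_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/sendMessage")
# Discord webhook: numeric webhook id followed by the webhook token.
DISCORD_RE = re.compile(
    r"^https://discord(?:app)?\.com/api/webhooks/(?P<id>\d+)/(?P<token>[A-Za-z0-9_-]+)")

# Constructed sample log; the tokens, IDs and hosts are invented.
SAMPLE_LOG = """\
2022-06-15T10:01:02Z 10.0.0.15 GET https://www.microsoft.com/en-us/ 200
2022-06-15T10:01:09Z 10.0.0.15 GET https://api.telegram.org/bot123456789:AAEXAMPLETOKEN_not_real/sendMessage?chat_id=-1001234567890&text=Infected%3A%20WORKSTATION-07 200
2022-06-15T10:01:10Z 10.0.0.15 POST https://discord.com/api/webhooks/1111111111111111111/EXAMPLEwebhooktoken_not_real 204
2022-06-15T10:02:00Z 10.0.0.22 GET https://discord.com/channels/@me 200
"""


@dataclass
class Beacon:
    timestamp: str
    src: str
    service: str           # "telegram" or "discord"
    token: str             # bot token or webhook token (use it to pivot/block)
    chat_or_webhook_id: Optional[str]


def classify_url(url: str):
    """Return (service, token, id) for a beacon URL, or None for benign traffic.
    Only the scheme/host/path are matched; the id is read from the query or path."""
    m = TELEGRAM_RE.match(url)
    if m:
        chat_id = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
        return "telegram", m.group("token"), chat_id
    m = DISCORD_RE.match(url)
    if m:
        return "discord", m.group("token"), m.group("id")
    return None


def find_beacons(log_text: str) -> list:
    """Parse 'timestamp src method url status' lines and collect beacons."""
    beacons = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        timestamp, src, _method, url, _status = parts
        hit = classify_url(url)
        if hit:
            service, token, ident = hit
            beacons.append(Beacon(timestamp, src, service, token, ident))
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b.timestamp} {b.src} {b.service} id={b.chat_or_webhook_id} token={b.token}")
```

Caveat for the operations team: the traffic is TLS-encrypted, so the full URL is only visible at a TLS-inspecting proxy, in host-based telemetry, or in the loader's configuration once extracted. Without inspection, DNS or SNI for api.telegram.org or discord.com from a server or build host is the weaker but still useful signal, and the extracted token is the value to report to the platform for takedown.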

Injected Payloads

PureCrypter delivers a range of final payloads; a SnakeKeylogger variant is one observed example. The payload is injected with one of the techniques above, typically process hollowing, so it runs from memory inside a legitimate-looking process on the compromised system.

Conclusion

PureCrypter exemplifies the sophistication of modern malware loaders, combining multi-stage obfuscation, in-memory injection, and anti-analysis checks. Its Discord and Telegram reporting gives operators cheap, reliable visibility into which infections succeeded.
Organizations should watch for the indicators described here, including reversed or extension-disguised downloads, injection into suspended processes, and bot-API traffic from hosts that have no business sending it, to detect PureCrypter and the RATs and information stealers it delivers.