A recent threat campaign distributed via Discord has been discovered to target government entities, according to Menlo Labs. The campaign, which employs the PureCrypter downloader and uses a compromised non-profit organisation’s domain as a Command and Control, was found to have delivered several types of malware, including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware. Menlo Labs believes the threat actor group will continue to use the compromised infrastructure as long as possible before moving on. The campaign was uncovered after Menlo’s Cloud Security Platform blocked password-protected archive files across multiple government customers in the Asia-Pacific and North America regions.
PureCrypter is an advanced downloader that fetches Remote Access Trojans (RATs) and infostealers. It has been sold since March 2021 on hxxps[://]purecoder.sellix.io/. AgentTesla is an advanced backdoor whose capabilities include stealing passwords stored by different browsers, clipboard logging, keylogging and screen capture. In Menlo’s investigation, it found that AgentTesla establishes a connection to an FTP server where it stores the stolen victim credentials. The FTP server was found to have been taken over, and leaked credentials for the domain were found online, suggesting that the threat actors used these credentials to gain access to the server.
In this campaign, Discord was used to host the payload, and a link to the payload was sent via email. To evade existing defenses, PureCrypter uses password-protected ZIP files. Menlo Labs found that PureCrypter downloads AgentTesla as a secondary malware. The downloaded binary is packed to evade initial detection and contains the AgentTesla payload encrypted in the resource section using the DES algorithm. AgentTesla uses a process hollowing technique to inject its payload. The email addresses used to distribute the malware were found to be connected to other malicious activities. The FTP server was also seen in a campaign using OneNote to deliver malware, in which attackers sent phishing emails with links to malicious OneNote files that can download additional malware or steal information from the victim’s device.
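The two delivery traits described above (a Discord-hosted payload link in the email and a password-protected ZIP archive) can both be recognised at the mail gateway without the archive password, because ZIP marks encrypted entries with bit 0 of each entry's general-purpose flag. The script below is an added example written for this summary, not Menlo Labs' tooling; the Discord CDN hostnames in the regex, the executable-suffix list and the sample email body and archives are all assumptions and constructed test data.

```python
import re
import struct
import zipfile
import zlib
from io import BytesIO

# Assumed Discord attachment hosts (not taken from the write-up).
DISCORD_CDN_RE = re.compile(
    r"https?://(?:cdn|media)\.discordapp\.(?:com|net)/attachments/\S+",
    re.IGNORECASE,
)
# Assumed list of member names worth flagging inside an encrypted archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".bat", ".vbs", ".js", ".lnk")


def find_discord_links(body: str) -> list[str]:
    """Return every Discord attachment URL found in an email body."""
    return DISCORD_CDN_RE.findall(body)


def inspect_zip(data: bytes) -> dict:
    """Summarise a ZIP from its headers alone, without extracting anything.

    Bit 0 of the general-purpose flag is the encryption bit, so a
    password-protected archive is visible even though the password is not.
    """
    with zipfile.ZipFile(BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {
        "members": len(infos),
        "encrypted": encrypted,
        "executables": executables,
        "suspicious": bool(encrypted and executables),
    }


def triage_email(body: str, attachments: dict[str, bytes]) -> list[str]:
    """Combine both signals into a list of review reasons (empty = clean)."""
    reasons = [f"discord-hosted link: {u}" for u in find_discord_links(body)]
    for name, blob in attachments.items():
        if blob[:4] != b"PK\x03\x04":
            continue  # not a ZIP local-file-header signature
        report = inspect_zip(blob)
        if report["suspicious"]:
            reasons.append(f"{name}: password-protected archive containing "
                           + ", ".join(report["executables"]))
    return reasons


def build_zip(name: str, content: bytes, encrypted: bool) -> bytes:
    """Construct a minimal one-entry ZIP as test data.

    Python's zipfile cannot write encrypted entries, so the headers are packed
    by hand; for `encrypted=True` only the flag bit is set and the content is
    left in the clear, which is all header-based detection needs.
    """
    fname = name.encode()
    flags = 0x1 if encrypted else 0x0
    crc = zlib.crc32(content) & 0xFFFFFFFF
    # local file header: sig, version, flags, method (0 = stored), time,
    # date (1 Jan 1980), crc, compressed size, uncompressed size,
    # name length, extra length
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, len(content), len(content), len(fname), 0)
    local += fname + content
    # central directory entry, then end-of-central-directory record
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          0, 0x21, crc, len(content), len(content), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    # Constructed sample: a lure body plus one encrypted and one plain archive.
    body = ("Please review the attached invoice: "
            "https://cdn.discordapp.com/attachments/111/222/invoice.zip")
    attachments = {
        "invoice.zip": build_zip("invoice.exe", b"MZ\x90\x00", encrypted=True),
        "notes.zip": build_zip("readme.txt", b"hello", encrypted=False),
    }
    for reason in triage_email(body, attachments):
        print("FLAG:", reason)
```

`inspect_zip` deliberately never calls `read()` or `extractall()`, so it is safe to run on untrusted mail attachments: the central directory is enough to see the encryption flag and member names, which is what makes the "password-protected archive with an executable inside" pattern detectable at the gateway even though the payload itself cannot be scanned.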
More technical details are available here: https://www.menlosecurity.com/blog/purecrypter-targets-government-entities-through-discord/