Fake Ukrainian Government Phishing Campaign Delivers CountLoader and Malware Payloads

A new campaign now impersonates Ukrainian government agencies in phishing attacks to deliver CountLoader, which subsequently drops Amatera Stealer and PureMiner.

“The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments,” Fortinet FortiGuard Labs researcher Yurren Wan said.

In the attack chains documented by the cybersecurity company, the email messages claim to be a notice from the National Police of Ukraine. The attached SVG files are used to initiate the download of a password-protected ZIP archive containing a Compiled HTML Help (CHM) file. Once launched, the CHM file triggers a sequence of events that culminates in the deployment of CountLoader.

Silent Push recently analyzed CountLoader and found that it can drop various payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. However, in this campaign, the malware distributes Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.

Furthermore, both PureHVNC RAT and PureMiner belong to a broader malware suite created by a threat actor known as PureCoder. Some of the other products from the same author include –

  • PureCrypter, a crypter for Native and .NET
  • PureRAT (aka ResolverRAT), a successor to PureHVNC RAT
  • PureLogs, an information stealer and logger
  • BlueLoader, malware that acts as a botnet by downloading and executing payloads remotely
  • PureClipper, a clipper malware that replaces cryptocurrency addresses copied into the clipboard with attacker-controlled wallet addresses to steal funds

According to Fortinet, the attackers deploy both Amatera Stealer and PureMiner as fileless threats, with the malware “executed via .NET Ahead-of-Time (AOT) compilation with process hollowing or loaded directly into memory using PythonMemoryModule.”

Once launched, Amatera Stealer collects system information, gathers files matching a predefined list of extensions, and extracts data from Chromium- and Gecko-based browsers. In addition, it harvests information from applications like Steam, Telegram, FileZilla, and various cryptocurrency wallets.

“This phishing campaign demonstrates how a malicious SVG file can act as an HTML substitute to initiate an infection chain,” Fortinet said. “In this case, attackers specifically targeted Ukrainian government entities with emails containing SVG attachments. The SVG-embedded HTML code then redirected victims to a download site.”
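The chain described above starts with an SVG attachment that carries HTML rather than vector graphics. A mail gateway or sandbox can screen for that before the file reaches a mailbox: an SVG that only draws shapes needs no script, no embedded HTML, no event handlers and no links to archives. The following is an added example of such a screening check, not code from Fortinet, Silent Push or the article; the function name `inspect_svg`, the sample SVG documents and the `example.invalid` URL are constructed for illustration.

```python
"""Flag SVG email attachments that carry HTML or script content.

Constructed example: parses an SVG and records every construct that a
drawing has no reason to contain (script, foreignObject, event handlers,
script: URIs, links to archives). Any hit is grounds to quarantine the
attachment for analysis rather than deliver it.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Archive extensions a phishing SVG would link to (ZIP, CHM-in-ZIP, disk images).
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|chm|iso|img)(\?|$)", re.IGNORECASE)
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


@dataclass
class SvgVerdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


def _local(name: str) -> str:
    """Strip the XML namespace prefix ({ns}tag -> tag) from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def inspect_svg(data: bytes) -> SvgVerdict:
    """Return a verdict listing every HTML-like construct found in the SVG."""
    reasons: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Renderers are lenient, strict parsers are not; treat unparseable
        # input as suspicious rather than silently passing it through.
        return SvgVerdict(True, [f"unparseable XML: {exc}"])

    if _local(root.tag) != "svg":
        reasons.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            reasons.append(f"<{tag}> element present")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                reasons.append(f"event handler {a}= on <{tag}>")
            if a in ("href", "src"):
                low = value.strip().lower()
                if low.startswith(SCRIPT_SCHEMES):
                    reasons.append(f"{a} uses {low.split(':', 1)[0]}: URI on <{tag}>")
                elif ARCHIVE_RE.search(low):
                    reasons.append(f"{a} points at an archive: {value}")

    return SvgVerdict(bool(reasons), reasons)


# Constructed samples: a plain drawing, and an SVG shaped like the lure
# described in the article (HTML inside foreignObject, a link to a ZIP,
# an onload handler and a script element). The script body is a placeholder.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    b'<rect width="100" height="100" fill="blue"/></svg>'
)
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <foreignObject width="100%" height="100%">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <a href="https://example.invalid/notice.zip">Download notice</a>
    </div>
  </foreignObject>
  <script><![CDATA[ /* constructed placeholder, no real logic */ ]]></script>
</svg>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        verdict = inspect_svg(sample)
        print(f"{label}: suspicious={verdict.suspicious}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

Running the block prints no findings for the plain drawing and four for the lure sample (the `onload` handler, the `foreignObject` element, the archive link and the `script` element). The check is deliberately strict: legitimate SVG logos and icons trip none of these rules, so a hit is a cheap, high-signal trigger for quarantine and detonation.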

PXA Stealer

Meanwhile, Huntress uncovered a likely Vietnamese-speaking threat group that used phishing emails themed as copyright infringement notices to trick recipients into launching ZIP archives. These archives eventually deployed PXA Stealer as part of a multi-layered infection sequence that ultimately dropped PureRAT.

“This campaign demonstrates a clear and deliberate progression, starting with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft,” security researcher James Northey said. “The final payload, PureRAT, represents the culmination of this effort: a modular, professionally developed backdoor that gives the attacker complete control over a compromised host.”

“Their progression from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT shows not just persistence, but also hallmarks of a serious and maturing operator.”

Source: TheHackerNews
