A new campaign has been observed targeting Ukrainian government agencies with phishing attachments that deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner.
"Phishing emails include malicious Scalable Vector Graphics (SVG) files designed to lure recipients into opening harmful attachments," Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The Hacker News.
In the attack chain documented by the cybersecurity company, the SVG files are used to trigger the download of a password-protected ZIP archive containing a Compiled HTML Help (CHM) file. When launched, the CHM file sets off a series of events that culminate in the execution of CountLoader. The email messages claim to be a notice from Ukraine's National Police.
CountLoader, which was the subject of a recent analysis by Silent Push, has been found to deliver various payloads such as Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this attack chain, however, it acts as a distribution vector for Amatera Stealer, a variant of ACR Stealer, and PureMiner, a stealthy .NET cryptocurrency miner.
It is worth noting that PureHVNC RAT and PureMiner are part of a broader malware suite developed by a threat actor known as PureCoder. Other products from the same author include:
- PureCrypter, a crypter for native and .NET payloads
- PureRAT (aka ResolverRAT), the successor of PureHVNC RAT
- PureLogs, an information stealer and keylogger
- BlueLoader, a malware loader that can act as a botnet by downloading and executing payloads from a remote server
- PureClipper, a clipper malware that replaces a cryptocurrency address copied to the clipboard with an attacker-controlled wallet address.
According to Fortinet, both Amatera Stealer and PureMiner are deployed as fileless threats, executed in memory via .NET.
Amatera Stealer, once launched, collects system information, harvests files matching a predetermined list of extensions, and steals data from Chromium- and Gecko-based browsers, as well as from applications such as Steam, Telegram, FileZilla, and various cryptocurrency wallets.
"This phishing campaign shows how a malicious SVG file can serve as an HTML alternative to initiate an infection chain," Fortinet said. "In this case, the attackers targeted Ukrainian government institutions with emails carrying an SVG attachment. The SVG-embedded HTML code redirected the victims to a download site."
In a related development, Huntress highlighted a potentially Vietnamese-speaking group using copyright-infringement-themed phishing emails to trick recipients into launching ZIP archives, which leads to the deployment of PXA Stealer, which in turn drops a multi-stage infection.
"This campaign demonstrates a clear and deliberate progression, beginning with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft," said security researcher James Northey. "The final payload, PureRAT, represents the culmination of this effort: a modular, professionally developed backdoor that gives the attacker complete control over a compromised host."
"Their evolution from their earlier Python payloads clearly demonstrates not only persistence in abusing commodity malware, but also the hallmark of a serious and mature operator."