According to security researchers at Menlo Security, an unknown threat actor is currently targeting APAC and North American governments with the malware loader known as PureCrypter. The group starts its attacks with a phishing email containing a malicious Discord link. The link points to a password-protected ZIP archive that delivers the loader. Security researchers report that the loader then attempts to download a secondary payload from command-and-control infrastructure. PureCrypter is not the only malicious payload used in this campaign: Menlo Security has also identified other malware families being delivered, including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia ransomware.
Security experts at Menlo analyzed a sample and found that PureCrypter attempts to download AgentTesla, an advanced password-stealing backdoor, during the attack. AgentTesla connects to an FTP server to exfiltrate victims' credentials. The same FTP server was also observed in a separate campaign that used OneNote files to deliver malware. In total, Menlo Security identified 106 files using that FTP server.
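The two network artifacts in this chain that a defender can hunt for are the archive download from a Discord CDN link and the later outbound FTP control connection used for credential exfiltration. The script below is an added example, not Menlo Security's tooling or anything from the report: it runs simple detection logic over constructed proxy and flow log lines (the log formats, IP addresses, Discord attachment paths and the FTP allowlist are all assumptions) and correlates hosts that show both behaviours.

```python
"""Hunt for Discord-hosted archive downloads followed by outbound FTP.

Added example for illustration. The log formats below are hypothetical
(space-separated fields), and every IP, URL and host is constructed.
"""
import re
from urllib.parse import urlparse

# Constructed proxy log: timestamp src_ip method url status
PROXY_LOG = """\
2023-03-01T09:12:01Z 10.1.4.22 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Invoice_Q1.zip 200
2023-03-01T09:12:44Z 10.1.4.22 GET https://www.example.com/index.html 200
2023-03-01T09:13:10Z 10.1.4.31 GET https://cdn.discordapp.com/attachments/333333333333333333/444444444444444444/photo.png 200
2023-03-01T09:15:02Z 10.1.4.22 GET http://203.0.113.45/payload.bin 200
"""

# Constructed flow log: timestamp src_ip dst_ip dst_port proto
FLOW_LOG = """\
2023-03-01T09:16:00Z 10.1.4.22 198.51.100.7 21 tcp
2023-03-01T09:16:01Z 10.1.4.22 198.51.100.7 443 tcp
2023-03-01T09:17:30Z 10.1.4.90 198.51.100.20 21 tcp
"""

# Discord attachment CDN hostnames; the path component /attachments/ is
# where user-uploaded files (such as the password-protected ZIP) live.
DISCORD_CDN = re.compile(r"^(cdn\.discordapp\.com|media\.discordapp\.net)$")
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso")

# Hypothetical allowlist: internal hosts that legitimately speak FTP.
FTP_ALLOWLIST = {"10.1.4.90"}


def discord_archive_downloads(proxy_log):
    """Return (src_ip, url) for each archive fetched from the Discord CDN."""
    hits = []
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the hunt
        _, src, _, url, _ = parts
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if DISCORD_CDN.match(host) and "/attachments/" in path \
                and path.endswith(ARCHIVE_EXTS):
            hits.append((src, url))
    return hits


def unexpected_ftp(flow_log, allowlist=FTP_ALLOWLIST):
    """Return (src_ip, dst_ip) for outbound FTP control (tcp/21) from hosts not allowlisted."""
    hits = []
    for line in flow_log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, port, proto = parts
        if proto == "tcp" and port == "21" and src not in allowlist:
            hits.append((src, dst))
    return hits


def correlate(proxy_log, flow_log):
    """Hosts that both pulled a Discord-hosted archive and then opened FTP outbound.

    Either signal alone is noisy; the pair matches the chain described above
    (Discord ZIP -> loader -> AgentTesla -> FTP exfiltration).
    """
    downloaders = {src for src, _ in discord_archive_downloads(proxy_log)}
    ftp_talkers = {src for src, _ in unexpected_ftp(flow_log)}
    return downloaders & ftp_talkers


if __name__ == "__main__":
    for src, url in discord_archive_downloads(PROXY_LOG):
        print(f"[discord archive] {src} -> {url}")
    for src, dst in unexpected_ftp(FLOW_LOG):
        print(f"[unexpected ftp]  {src} -> {dst}:21")
    print("correlated hosts:", sorted(correlate(PROXY_LOG, FLOW_LOG)))
```

Against the constructed input, only 10.1.4.22 trips both detections; 10.1.4.31 fetched a Discord image rather than an archive, and 10.1.4.90's FTP session is allowlisted. In a real deployment the same two functions would be fed from the proxy and NetFlow stores, and the FTP check should be extended to passive-mode data ports and to FTP over non-standard ports once the environment's baseline is known.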
Read More: Governments Targeted by Discord-Based Threat Campaign