A .NET program-based PureLogs stealer developed by the cybercriminal group PureCoder is available for sale on the cybercrime forum, according to research by the Cyble Research and Intelligence Labs (CRIL). Users based in Italy were targeted with this malware on 14 December 2022 by the cybercriminal group Alibaba2044.
CRIL researchers came across a tweet that mentioned Italy being targeted by Alibaba2044
“During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet about PureLogs information stealer by TG Soft. This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign at targets based in Italy on the 14th of December 2022,” said the CRIL report.
Tweet showing the target and threat actor using PureLogs stealer (Source: Cyble)
The cyberattack is launched by sending a spam email that has a link to a download which is a password-protected zip file and the password to open the link. This malicious zip file has a cabinet file that appears like a batch file. The malware starts infecting the device upon opening the batch file.
PureLogs stealer capabilities
Once the file is downloaded, another zip file with a Windows cabinet file camouflaged as a bat file DOC9848_pdf.bat runs once the user clicks it. It drops a .NET executable x.exe in the temp folder with sha256 a843517b019e86af42252b568e06dfe91a22f9034ceb996f5b0df32dcc1e4274. Upon execution of this file which has a malicious payload, the system data gets encrypted.
Data encryption (Source: Cyble)
The decrypted payload which is a PureLogs DLL file is then stored in the memory at runtime. The malicious payload is injected in PureLogs using Assembly.Load() method. PureLogs is on sale for $99 for a year-long subscription.
It can steal browser data, details from crypto wallets, the FTP clients app, emails, etc. It can also gain access to passwords, autofill data, cookies and history. Among the crypto wallets, it boasts of hacking data from FileZilla, WinSCP, Outlook, Thunderbird, Telegram, OpenVPN and ProtonVPN among others.
PureLogs Stealer endorsement on the cybercrime forum (Source: Cyble)
PureCoder sells software on the cybercrime forum
PureCoder has made several offers for their developed malicious software and otherwise. The group developed PureCrypter besides PureLogs stealer. The .NET-based PureCrypter that has detection evading capabilities is available for $59 a month on subscription. It has obfuscation capabilities that make it evade detection like the others malware.
Another malware called PureMiner was also found on sale which can be used for bots, mining ETHW, downloading, executing, and updating files, running on RAM, not dropping files, running on startup, and so on. Its cost is $99. Other sold malware includes the BlueLoader botnet, and PureHVNC sold for $99 per year.
With a fixation with on the word Pure in the malware, PureHVNC is said to work on chrome, edge, brave, etc. It has a high-quality stub coded in .NET 4.0 and is cryptable with pure crypter, according to the advertisement on the dark web.
