A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner.
“The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments,” Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The Hacker News.
In the attack chains documented by the cybersecurity company, the SVG files are used to initiate the download of a password-protected ZIP archive, which contains a Compiled HTML Help (CHM) file. The CHM file, when launched, activates a chain of events that culminate in the deployment of CountLoader. The email messages claim to be a notice from the National Police of Ukraine.
CountLoader, which was the subject of a recent analysis by Silent Push, has been found to drop various payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this attack chain, however, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.
It’s worth pointing out that both PureHVNC RAT and PureMiner are part of a broader malware suite developed by a threat actor known as PureCoder. Some of the other products from the same author include –
- PureCrypter, a crypter for Native and .NET
- PureRAT (aka ResolverRAT), a successor to PureHVNC RAT
- PureLogs, an information stealer and logger
- BlueLoader, a malware that can act as a botnet by downloading and executing payloads remotely
- PureClipper, a clipper malware that substitutes cryptocurrency addresses copied into the clipboard with attacker-controlled wallet addresses to redirect transactions and steal funds
According to Fortinet, Amatera Stealer and PureMiner are both deployed as fileless threats, with the malware “executed via .NET Ahead-of-Time (AOT) compilation with process hollowing or loaded directly into memory using PythonMemoryModule.”
Amatera Stealer, once launched, gathers system information, collects files matching a predefined list of extensions, and harvests data from Chromium- and Gecko-based browsers, as well as applications like Steam, Telegram, FileZilla, and various cryptocurrency wallets.
“This phishing campaign demonstrates how a malicious SVG file can act as an HTML substitute to initiate an infection chain,” Fortinet said. In this case, attackers targeted Ukrainian government entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a download site.”
The development comes as Huntress uncovered a likely Vietnamese-speaking threat group using phishing emails bearing copyright infringement notice themes to trick recipients into launching ZIP archives that lead to the deployment of PXA Stealer, which then evolves into a multi-layered infection sequence dropping PureRAT.
“This campaign demonstrates a clear and deliberate…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
