A recent comprehensive analysis of the Pure Malware Family has been released, providing critical information about PureCrypter, PureLogs, and PureMiner. ANY.RUN has revealed that these tools are being disguised as legitimate software intended for educational purposes, yet they are in fact powerful malicious tools. This new information sheds light on the deceptive nature of the Pure Malware Family and the potential threat it poses to the industry.
PureCoder products were initially distributed in March 2021, according to the developer’s old website. The current website claims that the software is used for penetration testing and educational purposes. However, upon closer examination, it becomes clear that the code is being used for malicious activities.
In recent updates, Telegram bots have been noted in Pure’s operations since March 2023. These bots are used to automate and anonymize the process of purchasing malware, indicating that the author of Pure is expanding and refining their service. The products distributed under the guise of “educational purposes” include hidden HVNC, botnets, and silent miners, which is cause for concern.
Furthermore, Pure requires users to make cryptocurrency payments in Bitcoin, and more than one Bitcoin wallet is available on the payment page. This suggests the use of a Bitcoin mixer, further complicating the traceability of transactions carried out by the group.
Recent discoveries by ANY.RUN have highlighted the use of the MITRE ATT&CK masquerading sub-technique T1036.005 in over 98,500 malicious samples. This information provides valuable insight into the tactics, techniques, and procedures used by attackers in 2023, which can help predict what to expect in 2024.
PureCrypter, a crypter with encryption and data obfuscation algorithms, makes analysis more challenging for researchers. Its behavior flow includes both staged and stageless payload stages, and it uses various libraries to handle data encryption and decryption. This complex process is designed to prevent antivirus software from detecting the malware.
PureLogs, a data theft library, is also part of the Pure family of malware. Its behavior is similar to that of PureCrypter, utilizing obfuscation and encryption techniques to complicate its analysis. Experts have discovered distinct samples with signatures similar to PureCrypter and PureLogs, indicating the continued development and expansion of the Pure Malware Family.
PureMiner, another component of the Pure Malware Family, gathers system information and sends it to a central command and control (C2) server. It then receives instructions for cryptocurrency mining, further highlighting the dangerous capabilities of the Pure Malware Family.
It is clear from the extensive code analysis that the Pure Malware Family poses a significant threat to the industry. The use of deceptive tactics and sophisticated techniques by the developers suggests that the proliferation of this malware is likely to increase in the near future.
Security researchers and analysts can utilize the ANY.RUN platform to conduct in-depth investigations into the top threats and collect detailed reports on their behavior. With over 300,000 analysts using the platform worldwide, it provides a valuable resource for combating the growing danger posed by the Pure Malware Family.
In conclusion, the release of this detailed examination of the Pure Malware Family has provided vital information to the industry, shedding light on the deceptive nature of these malicious tools. As the threat posed by the Pure Malware Family continues to evolve, it is essential for security professionals to remain vigilant and utilize the resources available to combat this growing danger.