cognitive cybersecurity intelligence

News and Analysis


Legitimate Software Disguised by Pure Malware Tools

Hey there, Bay Area health and tech enthusiasts! I recently came across some cybersecurity news that I think you should know about. It involves a sneaky new kind of malware hiding behind the guise of legit software, and it’s causing quite a stir in the cybersecurity community.

A group of analysts at ANY.RUN (they’re the folks that do the heavy work of malware analysis for SOC and DFIR teams) made the discovery. Now, isn’t that something? Every day, about 300,000 pros are using ANY.RUN to dig deep into cyber threats, making our digital world a little safer.

Here’s the lowdown: there’s this tool called Pure, initially distributed in March 2021 according to the developer’s old site. But hold on, the new site proclaims the software is purely for educational and testing pursuits. However, what we’re seeing tells a different story. The way the software behaves suggests its purpose isn’t so innocent after all. In fact, talk is spreading about the infamous Pure making use of Telegram bot sales. The bots come in handy in automating malicious dealings, making them harder to pin down.

ANY.RUN recently found evidence of a technique known as T1036.005 on over 98,500 samples. These findings give us valuable insights into potential threats we might see in 2024. That’s some futuristic detective work right there!

To set things straight, let’s look at the key players from Pure that are masquerading as legit, but are sneaky pieces of malware.

Firstly, we have PureCrypter. This slippery customer uses complex encryption algorithms to make itself invisible to antivirus tools. Super inconvenient for those trying to uncover it, right?

Then we have PureLogs Loader. This troublemaker is commonly spread through a loader, a small piece of software meant to trigger the full program. It uses a minuscule library to perform data theft, fetching its library from a C2 server.

Lastly, there’s PureLogs, a sneaky stealer that uses obfuscation just like PureCrypter to muddle its tracks. Occasionally, it gets mistaken for something named ZGRat, another handcrafter of digital mischief.

In their research, these pros found unique samples showing similarities to PureCrypter and PureLogs. They had the same kind of digital fingerprints, such as identical traffic patterns, 3DES encryption, and a structure mimicking PureCrypter and PureLogs. Even PureMiner, another tool from the cryptic Pure family, was found guilty of this trickery.

Despite their claims of educational intentions, these tools are secretly ferrying harmful elements like botnets and hidden HVNCs. You know it’s real when on Pure’s site, they actually witness substantial monthly trades using Bitcoin. To give you an idea, wallet activity noticed from May 19-26, 2023, already summed up to an astonishing $32,000 from 250 transactions.

Just so you know, this “educational” software is being spread via a Telegram bot, another nifty means to disguise its true intentions. With regular orders, one can only predict this malware might become a bigger, bothersome blip on our cybersecurity radar.

Hope you found this 411 intriguing. It’s always good to stay vigilant in this rapidly-evolving era of tech. Let’s keep an eye out for these sneaky malware tools while also appreciating the good tech around us.

by Morgan Phisher | HEAL Security

Subscribe to newsletter

Subscribe to HEAL Security Dispatch for the latest healthcare cybersecurity news and analysis.

More Posts