May 31, 2025Ravie LakshmananMalware / Cyber Crime A multinational law enforcement operation has resulted in the takedown of an online cybercrime syndicate that offered services to threat actors to ensure that their malicious software stayed undetected from security software. To that effect, the U.S. Department of Justice (DoJ) said it seized four domains and their associated server facilitated the crypting service on May 27, 2025, in partnership with Dutch and Finnish authorities. These include AvCheck[.]net, Cryptor[.]biz, and Crypt[.]guru, all of which now display a seizure notice. Other countries that participated in the effort include France, Germany, Denmark, Portugal, and Ukraine. "Crypting is the process of using software to make malware difficult for antivirus programs to detect," the DoJ said. "The seized domains offered services to cybercriminals, including counter-antivirus (CAV) tools. When used together, CAV and crypting services allow criminals to obfuscate malware, making it undetectable and enabling unauthorized access to computer systems." The DoJ said authorities made undercover purchases to analyze the services and confirmed that they were being used for cybercrime. In a coordinated announcement, Dutch officials characterized AvCheck as one of the largest CAV services used by bad actors around the world. According to snapshots captured by the Internet Archive, AvCheck[.]net billed itself as a "high-speed antivirus scantime checker," offering the ability for registered users to scan their files against 26 antivirus engines, as well as domains and IP addresses with 22 antivirus engines and blocklists. The domain seizures were conducted as part of Operation Endgame, an ongoing global effort launched in 2024 to dismantle cybercrime. It marks the fourth major action in recent weeks after the disruption of Lumma Stealer, DanaBot, and hundreds of domains and servers used by various malware families to deliver ransomware. "Cybercriminals don't just create malware; they perfect it for maximum destruction," said FBI Houston Special Agent in Charge Douglas Williams. "By leveraging counter-antivirus services, malicious actors refine their weapons against the world's toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims' systems." The development comes as eSentire detailed PureCrypter, a malware-as-a-service (MaaS) solution that's being used to distribute information stealers like Lumma and Rhadamanthys using the ClickFix initial access vector. Marketed on Hackforums[.]net by a threat actor named PureCoder for $159 for three months, $399 for one year, or $799 for lifetime access, the crypter is distributed using an automated Telegram channel, @ThePureBot, which also serves as a marketplace for other offerings, including PureRAT and PureLogs. Like other purveyors of such tools, PureCoder requires users to acknowledge a Terms of Service (ToS) agreement that claims the software is meant only for educational purposes and that any violations would result in immediate revocation of their access and serial key. The malware also incorporates the ability to patch the NtManageHotPatch API in memory on Windows machines running 24H2 or newer to re-enable process hollowing-based code injection. The findings demonstrate how threat actors quickly adapt and devise ways to defeat new security mechanisms. "The malware employs multiple evasion techniques including AMSI bypass, DLL unhooking, anti-VM detection, anti-debugging measures, and recently added capabilities to bypass Windows 11 24H2 security features through NtManageHotPatch API patching," the Canadian cybersecurity company said. "The developers use deceptive marketing tactics by promoting 'Fully UnDetected' (FUD) status based on AvCheck[.]net results, while VirusTotal shows detection by multiple AV/EDR solutions, revealing significant discrepancies in detection rates." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

May 21, 2025Ravie LakshmananMalware / Windows Security Russian organizations have become the target of a phishing campaign that distributes malware called PureRAT, according to new findings from Kaspersky. "The campaign aimed at Russian business began back in March 2023, but in the first third of 2025 the number of attacks quadrupled compared to the same period in 2024," the cybersecurity vendor said. The attack chains, which have not been attributed to any specific threat actor, commence with a phishing email that contains a RAR file attachment or a link to the archive that masquerades as a Microsoft Word or a PDF document by making use of double extensions ("doc_054_[redacted].pdf.rar"). Present within the archive file is an executable that, when launched, copies itself to the "%AppData%" location of the compromised Windows machine under the name "task.exe" and creates a Visual Basic Script called "Task.vbs" in the Startup VBS folder. The executable then proceeds to unpack another executable "ckcfb.exe", runs the system utility "InstallUtil.exe," and injects into it the decrypted module. "Ckcfb.exe," for its part, extracts and decrypts a DLL file "Spydgozoi.dll" that incorporates the main payload of the PureRAT malware. PureRAT establishes SSL connections with a command-and-control (C2) server and transmits system information, including details about the antivirus products installed, the computer name, and the time elapsed since the system startup. In response, the C2 server sends auxiliary modules to perform a variety of malicious actions - PluginPcOption, which is capable of executing commands for self-deletion, restarting the executable file, and shutting down or rebooting the computer PluginWindowNotify, which checks the name of the active window for keywords like password, bank, WhatsApp, and perform appropriate follow-up actions like unauthorized fund transfers PluginClipper, which functions as a clipper malware by substituting cryptocurrency wallet addresses copied to the system's clipboard with an attacker-controlled one "The Trojan includes modules for downloading and running arbitrary files that provide full access to the file system, registry, processes, camera and microphone, implement keylogger functionality, and give attackers the ability to secretly control the computer using the remote desktop principle," Kaspersky said. The original executable that launches "ckcfb.exe" simultaneously also extracts a second binary referred to as "StilKrip.exe," which is a commercially available downloader dubbed PureCrypter that has been used to deliver various payloads in the past. It's active since 2022. "StilKrip.exe" is designed to download "Bghwwhmlr.wav," which follows the aforementioned attack sequence to run "InstallUtil.exe" and ultimately launch "Ttcxxewxtly.exe," an executable that unpacks and runs a DLL payload called PureLogs ("Bftvbho.dll"). PureLogs is an off-the-shelf information stealer that can harvest data from web browsers, email clients, VPN services, messaging apps, wallet browser extensions, password managers, cryptocurrency wallet apps, and other programs like FileZilla and WinSCP. "The PureRAT backdoor and PureLogs stealer have broad functionality that allows attackers to gain unlimited access to infected systems and confidential organization data," Kaspersky said. "The main vector of attacks on businesses has been and remains emails with malicious attachments or links." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    