Priya PatelTLDR:
Security analysts have discovered that Pure malware tools are disguising themselves as legitimate software in order to avoid detection. These tools were initially distributed in March 2021, and while the current Pure site claims that the software is only for educational and testing purposes, it has been used for illicit activities. The Pure updates since March 2023 have focused on the sales of Telegram bots, which automate and anonymize malware purchases. In Q4, over 98,500 malicious samples were found to be using Pure malware tools.
Key points:
- Pure malware tools are masquerading as legitimate software to evade detection.
- The tools were initially distributed in March 2021, and are now being used for illicit purposes.
- Recent updates to the Pure site have focused on the sales of Telegram bots.
- In Q4, over 98,500 malicious samples were found to be using Pure malware tools.
Recently, security analysts at ANY.RUN discovered that the Pure malware tools are masquerading as legitimate software to evade detection. ANY.RUN is a cloud malware sandbox used by security professionals to investigate incidents and streamline threat analysis. The PureCoder products were initially distributed in March 2021, as per the developer’s old website. While the current Pure site claims that the software is only for education and testing purposes, the observed trend shows that the code is also used for several illicit purposes.
The Pure updates since March 2023 mentioned the sales of Telegram bots, which automate and anonymize malware purchases. The author of Pure expands the service, explores new channels, and scales up through bot usage. In Q4, ANY.RUN discovered the use of T1036.005 in over 98,500 malicious samples.
Some of the Pure malware tools masquerading as legitimate software include:
- PureCrypter: A crypter that deploys data obfuscation and encryption algorithms to hide malware from AV tools and make analysis difficult.
- PureLogs Loader: Malware frequently distributed via a loader with NET Reactor protection that steals data using a tiny library obtained from a C2 server.
- PureLogs: A versatile stealer that employs obfuscation techniques for analysis complexity, often mistaken for ZGRat.
- PureMiner: Silent miners, botnets, and hidden HVNC tools that are docked as silent crypto miners.
The popularity of these tools is evident on Pure’s site, with monthly purchases in high demand. Users make crypto payments in Bitcoin, facilitated by various wallets, possibly part of a Bitcoin mixer. Wallet activity detected in May 2023 already totals 250 transactions for a significant amount of $32,000 on Blockchain.com. The tools are distributed via a Telegram bot, and their popularity is expected to surge rapidly.
