Unknown Threat Actors Target Government Entities Worldwide with PureCrypter Malware
Multiple government entities in North America and the Asia Pacific region have been targeted by currently unknown threat actors using the PureCrypter downloader malware. The initial attack vector is a Discord URL pointing to an encrypted ZIP archive; once executed, PureCrypter installs additional malware such as Agent Tesla, Eternity, and Blackmoon on the victim system. A sample of the campaign's PureCrypter variant analyzed by researchers delivered Agent Tesla, which sent exfiltrated data to a compromised FTP server belonging to a non-profit organization in Pakistan. Agent Tesla allows threat actors to exfiltrate login credentials and escalate the attack over time while evading detection through process injection, whereby the Agent Tesla executable code is injected into the process memory of a legitimate program. Agent Tesla can also capture screenshots and steal login credentials saved in a web browser or copied to the clipboard. CTIX analysts will continue to monitor attacks by this new threat actor and will provide updates accordingly.
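The two Agent Tesla behaviours named above, remote-thread injection into a legitimate program and exfiltration over FTP, both leave a host-telemetry shape that is easy to triage. The script below is an added example, not code from the page or from the researchers it cites: it runs two rules over Sysmon-style events. The event records are constructed samples in a flat JSON shape that borrows Sysmon's field names, and the trusted-directory and FTP-client allowlists are assumptions to be tuned per estate.

```python
"""Triage Sysmon-style events for remote-thread process injection and
FTP egress from an unexpected process. Added example; sample events are
constructed and the allowlists are assumptions, not vendor defaults."""
import json
from pathlib import PureWindowsPath

# Assumption: only images under these directories may legitimately create
# threads in other processes (extend with your EDR/AV install paths).
TRUSTED_SOURCE_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Assumption: the only binaries expected to speak FTP on this host.
# Keyed on full path, not basename, so a dropper renamed to ftp.exe does not pass.
FTP_CLIENT_ALLOWLIST = {r"c:\windows\system32\ftp.exe"}


def _norm(path: str) -> str:
    return str(PureWindowsPath(path)).lower()


def _under_trusted_dir(image: str) -> bool:
    img = _norm(image)
    return any(img.startswith(d + "\\") for d in TRUSTED_SOURCE_DIRS)


def check_event(ev: dict):
    """Return an alert dict if the event matches a rule, else None."""
    eid = ev.get("EventID")
    if eid == 8:  # Sysmon CreateRemoteThread
        src, dst = ev["SourceImage"], ev["TargetImage"]
        # A thread opened in a *different* process by an image living outside
        # trusted locations (typically a user-writable dropper path) is the
        # classic injection shape the paragraph describes.
        if _norm(src) != _norm(dst) and not _under_trusted_dir(src):
            return {"rule": "remote_thread_injection", "pid": ev.get("SourceProcessId"),
                    "source": src, "target": dst}
    elif eid == 3:  # Sysmon NetworkConnect
        # After injection the network traffic comes from the *legitimate* host
        # process, so this rule keys on "is this an expected FTP client" rather
        # than on the image path being untrusted.
        if str(ev.get("DestinationPort")) == "21" and _norm(ev["Image"]) not in FTP_CLIENT_ALLOWLIST:
            return {"rule": "ftp_egress_unexpected_process", "pid": ev.get("ProcessId"),
                    "source": ev["Image"], "dest": f"{ev['DestinationIp']}:21"}
    return None


def triage(events):
    """Run every event through check_event and keep the alerts, in input order."""
    return [a for a in map(check_event, events) if a is not None]


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceProcessId": 4412,
     "SourceImage": r"C:\Users\victim\AppData\Roaming\svchost_update\svc.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"EventID": 8, "SourceProcessId": 980,
     "SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 3, "ProcessId": 5120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 21},
    {"EventID": 3, "ProcessId": 2210, "Image": r"C:\Windows\System32\ftp.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 21},
    {"EventID": 3, "ProcessId": 3300,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the constructed input the two alerts chain naturally: the target of the injection alert is the source of the FTP alert, which is the pivot an analyst wants when the dropper itself never touches the network. FTP is also cleartext, so a packet capture of that egress yields the server, credentials and the stolen data in the clear.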
- Bleeping Computer: PureCrypter Article
- The Hacker News: PureCrypter Article
- Menlo Security: PureCrypter Blog Post
Threat Actor Activity
Blind Eagle Actors Target Colombia
Threat actors from the Blind Eagle (APT-C-36) group are behind an ongoing campaign against Colombian entities. Blind Eagle is known for its continued targeting of financial and government organizations throughout Latin America. Since 2019, these threat actors have distributed a variety of themed phishing emails attempting to compromise multiple users and gain access to company infrastructure. One instance observed by researchers used fake tax documentation claiming to originate from Colombia's Directorate of National Taxes and Customs (DIAN). This type of lure has been used multiple times since the start of the campaign, as end users often feel inclined to pay outstanding balances to tax agencies and stay in good standing with them. Embedded within these phishing emails was a link disguised as DIAN's official website that, once clicked, loaded a threat actor-controlled website. The victim then downloads a fraudulent PDF document from a Discord CDN; code executed from the malicious PDF runs additional stages and eventually installs AsyncRAT on the compromised system. While Colombia appears to be the main target of this four-year campaign, additional countries including Ecuador, Chile, and Spain have also been targeted. CTIX analysts continue to monitor threat activity throughout the threat landscape and will provide additional updates accordingly.
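Both campaigns above stage their first payload on Discord's CDN (an encrypted ZIP in the PureCrypter chain, a PDF in the Blind Eagle chain), which makes outbound proxy logs a cheap place to look. The scanner below is an added example, not code from the page or the cited researchers: it flags successful fetches of risky attachments from Discord CDN hosts, matching on either the filename extension or the served content type so a renamed archive (for instance a `.txt` served as `application/zip`) is still caught. The log lines are constructed samples in an assumed space-separated layout (timestamp, client, method, URL, status, content type, bytes); the host list, extension list and content-type list are assumptions to tune locally.

```python
"""Flag risky attachment downloads from Discord's CDN in proxy logs.
Added example; log lines are constructed and the lists below are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlsplit

DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# Uploaded files are served under /attachments/<channel-id>/<message-id>/<filename>.
ATTACHMENT_PREFIX = "/attachments/"
RISKY_EXTENSIONS = {"zip", "rar", "7z", "iso", "img", "pdf", "exe", "dll", "scr",
                    "lnk", "js", "vbs", "bat", "ps1", "msi", "hta"}
RISKY_TYPES = {"application/zip", "application/x-rar-compressed",
               "application/x-7z-compressed", "application/pdf",
               "application/octet-stream", "application/x-msdownload"}


@dataclass
class Hit:
    timestamp: str
    client: str
    filename: str
    reason: str


def parse_line(line: str) -> dict:
    """Assumed layout: ts client method url status content-type bytes."""
    ts, client, method, url, status, ctype, size = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype.lower(), "bytes": int(size)}


def classify(rec: dict):
    """Return a Hit if the request fetched a risky attachment from Discord's CDN."""
    u = urlsplit(rec["url"])
    if u.hostname not in DISCORD_CDN_HOSTS or not u.path.startswith(ATTACHMENT_PREFIX):
        return None
    if rec["status"] != 200:
        return None  # blocked or failed fetch; not a delivery
    filename = u.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RISKY_EXTENSIONS:
        return Hit(rec["ts"], rec["client"], filename, f"extension .{ext}")
    if rec["ctype"] in RISKY_TYPES:
        # Extension lies; the served type does not.
        return Hit(rec["ts"], rec["client"], filename, f"content-type {rec['ctype']}")
    return None


def scan(lines):
    return [h for h in (classify(parse_line(l)) for l in lines if l.strip()) if h]


# Constructed sample log (RFC 1918 clients, made-up snowflake IDs and filenames).
SAMPLE_LOG = """\
2023-02-27T10:15:02Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Invoice_Feb2023.zip 200 application/zip 184320
2023-02-27T10:16:40Z 10.0.0.25 GET https://cdn.discordapp.com/attachments/333333333333333333/444444444444444444/Notificacion_DIAN.pdf 200 application/pdf 52144
2023-02-27T10:17:05Z 10.0.0.30 GET https://cdn.discordapp.com/avatars/555555555555555555/a1b2c3.png 200 image/png 8192
2023-02-27T10:18:11Z 10.0.0.12 GET https://www.example.com/index.html 200 text/html 2048
2023-02-27T10:19:30Z 10.0.0.41 GET https://cdn.discordapp.com/attachments/666666666666666666/777777777777777777/readme.txt 200 application/zip 90112
2023-02-27T10:20:01Z 10.0.0.41 GET https://cdn.discordapp.com/attachments/666666666666666666/777777777777777777/payload.exe 403 text/html 512
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Treat hits as leads rather than verdicts: Discord attachments are also used legitimately, so the follow-up is to pull the file and the client's subsequent process and network activity, not to block the CDN outright.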
WordPress Plugin for Real Estate Websites Contains Vulnerabilities Allowing for Website Takeover
Threat actors are actively exploiting two vulnerabilities in Houzez, a premium WordPress theme and companion plugin set used mainly for real estate websites. Sold on ThemeForest and claiming more than 35,000 customers, Houzez offers simple tools that allow administrators to manage their agency's client listings while providing content and a streamlined public-facing interface. Both vulnerabilities are privilege escalation flaws with CVSS scores of 9.8/10, making them critical. The first, tracked as CVE-2023-26540, stems from a security misconfiguration and affects all Houzez theme versions 2.7.1 and earlier. An unauthenticated threat actor can exploit it to obtain high-privilege access and ultimately take full control of the website. The second, tracked as CVE-2023-26009, exists in the Houzez Login Register plugin in versions 2.6.3 and earlier and likewise allows a complete site takeover. The threat actors exploiting these flaws were observed uploading backdoors "capable of executing commands, injecting ads on the website, or redirecting traffic to other malicious sites." Because these vulnerabilities are under active exploitation, CTIX analysts recommend that all Houzez users confirm they are running updated versions of both the theme and the Login Register plugin to prevent exploitation.
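Two questions follow from the advisory above: am I running an affected version, and, given that exploitation was already under way, was the site taken over before I patched. The script below is an added example, not code from the page, Ankura, ThemeForest or the Houzez developers. The affected ceilings are taken from the text (theme 2.7.1 and earlier, Login Register plugin 2.6.3 and earlier). The inventory, user and file records are constructed in the shape that `wp theme list --format=json`, `wp plugin list --format=json`, `wp user list --format=json` and a `find`-style listing emit; the plugin slug `houzez-login-register`, the exposure-window date, and the "PHP file under wp-content/uploads" indicator are assumptions, not facts the page states.

```python
"""Exposure and takeover triage for the Houzez advisory above.
Added example; records are constructed, slug and indicators are assumptions."""
from datetime import datetime, timezone

# slug -> highest affected version, per the advisory text
AFFECTED = {
    "houzez": (2, 7, 1),
    "houzez-login-register": (2, 6, 3),
}
WEB_SHELL_EXTS = {"php", "phtml", "php5", "php7", "phar"}
# Assumption: the earliest date from which unexplained admin accounts are suspect.
EXPOSURE_WINDOW_START = datetime(2023, 2, 1, tzinfo=timezone.utc)


def parse_version(v: str) -> tuple:
    """'2.7.1' -> (2, 7, 1); '2.7.1-beta2' -> (2, 7, 1). Non-numeric tails are dropped."""
    out = []
    for part in v.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        out.append(int(digits))
    return tuple(out)


def version_le(a: tuple, b: tuple) -> bool:
    """Tuple compare with zero-padding so (2, 7) equals (2, 7, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def is_affected(slug: str, version: str) -> bool:
    ceiling = AFFECTED.get(slug.lower())
    return ceiling is not None and version_le(parse_version(version), ceiling)


def vulnerable_components(inventory):
    """Slugs in a combined theme+plugin inventory at or below the affected ceiling."""
    return [c["name"] for c in inventory if is_affected(c["name"], c["version"])]


def admins_registered_since(users, since: datetime):
    """Administrator accounts created on or after `since`. Self-registration should
    never yield an administrator, so any hit inside the exposure window needs review."""
    hits = []
    for u in users:
        roles = {r.strip() for r in u["roles"].split(",")}
        registered = datetime.fromisoformat(u["user_registered"]).replace(tzinfo=timezone.utc)
        if "administrator" in roles and registered >= since:
            hits.append(u["user_login"])
    return hits


def php_under_uploads(paths):
    """Executable PHP under the uploads tree (assumed backdoor indicator; uploads
    should hold media only)."""
    hits = []
    for p in paths:
        norm = "/" + p.replace("\\", "/").lower()
        ext = norm.rsplit(".", 1)[-1] if "." in norm else ""
        if "/wp-content/uploads/" in norm and ext in WEB_SHELL_EXTS:
            hits.append(p)
    return hits


# Constructed sample records.
THEMES = [
    {"name": "houzez", "status": "active", "version": "2.7.1"},
    {"name": "twentytwentythree", "status": "inactive", "version": "1.0"},
]
PLUGINS = [
    {"name": "houzez-login-register", "status": "active", "version": "2.6.4"},
]
USERS = [
    {"user_login": "agency_admin", "roles": "administrator", "user_registered": "2021-05-10 09:00:00"},
    {"user_login": "wp_support1", "roles": "administrator", "user_registered": "2023-02-26 03:14:07"},
    {"user_login": "agent_maria", "roles": "houzez_agent", "user_registered": "2023-02-20 12:00:00"},
]
FILES = [
    "wp-content/uploads/2023/02/listing-12.jpg",
    "wp-content/uploads/2023/02/wp-cache.php",
    "wp-content/themes/houzez/functions.php",
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_components(THEMES + PLUGINS))
    print("new admins:", admins_registered_since(USERS, EXPOSURE_WINDOW_START))
    print("php in uploads:", php_under_uploads(FILES))
```

On the sample data the plugin is already patched but the theme is not, one administrator appeared inside the exposure window, and a PHP file sits in the uploads tree; any one of those findings means the site should be treated as possibly compromised, and updating alone does not evict an attacker who already has an admin account or a backdoor.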
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.