Inside the PureRAT Attack: From Info Stealer to Full Control

Summary
– The attack began with a phishing email using a ZIP archive that employed DLL sideloading to execute malicious code via a legitimate PDF reader.
– Attackers used multiple obfuscated Python loaders with encryption and in-memory execution to deploy an information stealer that harvested browser data and exfiltrated it via Telegram.
– The campaign pivoted to .NET executables using process hollowing to inject malware into RegAsm.exe and employed defense evasion by patching AMSI and ETW.
– The final payload was PureRAT, a modular remote access trojan with encrypted C2 communication, host fingerprinting, and capabilities for dynamic plugin loading.
– Attribution points to the PXA Stealer group via Telegram handle @LoneNone and Vietnamese C2 infrastructure, showing a progression to using commercial malware for enhanced persistence and control.
A sophisticated cyberattack initially appearing as a typical Python-based information stealer campaign has been uncovered, revealing a far more dangerous progression into deploying the full-featured PureRAT remote access trojan. This multi-stage intrusion combines custom-developed tools with commercially available malware, demonstrating a deliberate escalation from credential theft to complete system control. Security teams need to understand this advanced attack chain to effectively defend their networks.
The campaign begins conventionally with a phishing email distributing a ZIP file disguised as a copyright notice. Inside, a legitimate PDF reader executable is paired with a malicious DLL, employing a classic sideloading technique to trigger the infection. The malicious DLL leverages Windows utilities to decode and extract subsequent payloads, initiating a complex sequence of in-memory loaders.
Multiple layers of obfuscation define the early stages. The attack utilizes a renamed Python interpreter to run heavily obfuscated scripts, which themselves decode further payloads entirely in memory. A custom cryptographic loader employing RSA, AES, RC4, and XOR encryption follows, decrypting the next stage. This stage establishes persistence by creating a deceptive “Windows Update Service” registry run key, ensuring the malware reactivates after every system reboot. It then dynamically retrieves the next payload using Telegram bot descriptions and URL shorteners, providing the attackers with a flexible update mechanism.
The campaign then delivers its first weaponized payload: a Python information stealer. This component harvests sensitive data including browser credentials, cookies, credit card information, and autofill data from Chrome and Firefox. All stolen information is compressed into a ZIP file, which is exfiltrated via the Telegram Bot API. Metadata within the archive points to the Telegram handle @LoneNone, publicly associated with the PXA Stealer malware family, offering a strong attribution clue.
A significant pivot occurs as the attack shifts from Python scripts to compiled .NET executables. A larger payload is retrieved from a no-frills file hosting service. This stage contains an encrypted .NET assembly that is deployed using process hollowing. The malicious code is injected into a suspended, legitimate RegAsm.exe process, executing under the guise of a trusted Microsoft binary.
This .NET payload performs critical defense evasion by patching the Antimalware Scan Interface (AMSI) and unhooking Event Tracing for Windows (ETW) to blind security products. It contains yet another embedded payload, which is decrypted and loaded directly into memory using .NET reflection. This loader, in turn, uses AES-256 and GZip to unpack the final stage: a DLL protected with the .NET Reactor obfuscator.
After deobfuscation, the final payload is identified as PureRAT. Its configuration is extracted from a Base64 blob, which is GZip decompressed and deserialized using Protocol Buffers. The config reveals the command-and-control server IP in Vietnam, a list of ports, and an X.509 certificate used for TLS pinning, ensuring encrypted and resilient communications.
Upon connection, the RAT conducts exhaustive host fingerprinting. It gathers data on installed antivirus software, creates a unique host ID from hardware identifiers, checks for webcams, enumerates user privileges and the operating system, and searches for the presence of dozens of cryptocurrency wallets. This wealth of information is sent to the C2 server in an initial handshake.
The malware then enters a persistent tasking loop, awaiting commands from the operator. This architecture allows the attacker to push down additional modules on demand, dynamically extending the RAT’s capabilities for activities like real-time surveillance, keylogging, or hidden desktop access. The use of .NET namespaces related to PureHVNC and other tools from the developer “PureCoder” confirms the malware’s lineage within this commodity family.
The recurring infrastructure, metadata links to @LoneNone, and Vietnamese C2 server strongly suggest the involvement of the PXA Stealer group. Their evolution from basic Python obfuscation to leveraging a professional-grade RAT like PureRAT signals a maturing and serious threat actor. This campaign highlights the critical need for defense-in-depth, as no single security control could have stopped the entire multi-faceted attack chain. Vigilance against the specific behaviors exhibited, from the abuse of trusted utilities to encrypted C2 traffic, is essential for building a resilient security posture.
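The behaviours the report singles out (an unsigned DLL loaded from beside a legitimate executable in a user-writable folder, the deceptive "Windows Update Service" Run-key value, a bare RegAsm.exe launch from an unexpected parent, and traffic to the listed C2 address) can be written as simple detection rules. The following is an added example, not code from the report or its source, run over constructed Sysmon-style event records; the RegAsm parent allowlist and the user-writable path markers are assumptions of this example.

```python
# Added example: detection rules for the behaviours described in the report.
import ntpath

PURERAT_C2 = "157.66.26.209"             # C2 address listed in the report's IoCs
RUN_KEY_NAME = "Windows Update Service"  # deceptive Run-key value name from the report
# Assumption: a legitimate RegAsm.exe is started by developer tooling with an assembly
# argument; an argument-less launch from another parent is a hollowing candidate.
REGASM_PARENTS = {"devenv.exe", "msbuild.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")  # assumed path markers

def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def evaluate(event):
    """Return a finding label for one event, or None if no rule matched."""
    kind = event["type"]
    if kind == "image_load":
        # Host binary loading an unsigned DLL from its own user-writable directory.
        same_dir = ntpath.dirname(event["image"]).lower() == ntpath.dirname(event["loaded"]).lower()
        if same_dir and user_writable(event["image"]) and not event.get("loaded_signed", False):
            return "dll_sideload"
    elif kind == "registry_set":
        if "\\currentversion\\run" in event["key"].lower() and event["value_name"] == RUN_KEY_NAME:
            return "run_key_persistence"
    elif kind == "process_create":
        exe = ntpath.basename(event["image"]).lower()
        if exe == "regasm.exe" and event.get("args", "") == "" \
                and ntpath.basename(event.get("parent", "")).lower() not in REGASM_PARENTS:
            return "regasm_hollowing_candidate"
    elif kind == "network_connect":
        if event["dest_ip"] == PURERAT_C2:
            return "purerat_c2"
    return None

def scan(events):
    # (index, finding) for every event that matched a rule
    return [(i, f) for i, e in enumerate(events) if (f := evaluate(e))]

# Constructed sample telemetry (not real logs from the incident); event 1 is benign.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\v\AppData\Local\Temp\notice\reader.exe",
     "loaded": r"C:\Users\v\AppData\Local\Temp\notice\helper.dll", "loaded_signed": False},
    {"type": "image_load", "image": r"C:\Program Files\Reader\reader.exe",
     "loaded": r"C:\Program Files\Reader\helper.dll", "loaded_signed": True},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": RUN_KEY_NAME, "data": r"C:\Users\v\AppData\Roaming\svc\pythonw_renamed.exe"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "args": "", "parent": r"C:\Users\v\AppData\Roaming\svc\stage.exe"},
    {"type": "network_connect", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_ip": PURERAT_C2, "dest_port": 443},
]
```

Each rule fires on one stage of the chain, which is the point of the report's defense-in-depth conclusion: a miss at the sideloading stage still leaves the persistence, hollowing and C2 rules to catch later stages.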
MITRE ATT&CK Mapping
- Initial Access: Spearphishing Attachment (T1566.001)
Indicators of Compromise
- IP Address: 157.66.26[.]209 (PureRAT C2 Server)
(Source: Bleeping Computer)