Developers of PureHVNC RAT Leverage GitHub to Host Source Code for the Pure Malware Family

Cybersecurity researchers at Check Point have uncovered a sophisticated malware ecosystem where threat actors are using GitHub repositories to host command and control infrastructure for the Pure malware family.

The investigation revealed how PureCoder, the developer behind this malware suite, leverages legitimate platforms to distribute malicious tools while evading detection.

During an eight-day incident response engagement, Check Point researchers traced a complex attack chain that began with a ClickFix phishing technique.

Figure: Infection chain.

Victims were lured through fake job advertisements to malicious websites that automatically copied PowerShell commands to their clipboard. When executed, these commands downloaded JavaScript files that established persistence and deployed PureHVNC RAT with campaign identifiers “2a” and “amazon3.”

The investigation revealed that PureHVNC RAT’s command and control server delivered three GitHub URLs to infected systems, downloading files that support various RAT commands.

These repositories were directly attributed to PureCoder, the developer of the Pure malware family, providing unprecedented insight into the threat actor’s operational infrastructure.

Technical analysis of the Rust loader component revealed sophisticated anti-analysis techniques targeting security products from Bitdefender, ESET, Kaspersky, and other vendors.

The malware employs ChaCha20-Poly1305 for string decryption and implements an AMSI bypass by hooking the LdrLoadDll function in ntdll.dll so that the Windows Antimalware Scan Interface (AMSI) library is never loaded into the process.

Comprehensive Malware Suite Targets Multiple Attack Vectors

The Pure malware family encompasses multiple tools designed for maximum operational flexibility. PureCrypter serves as a malware obfuscator, while PureLogs functions as a credential stealer.

PureHVNC RAT provides Hidden Virtual Network Computing capabilities, allowing attackers to control infected machines without user visibility. Additional tools include PureMiner for cryptocurrency mining and Blue Loader for botnet operations.

Figure: Shellcode NOP and CALL instruction.

PureHVNC RAT collects extensive system information, including installed antivirus products, cryptocurrency wallet software, browser extensions, and messaging clients.

The malware generates unique bot identifiers using MD5 hashes of system characteristics, including processor ID, drive serial numbers, and memory serial numbers. Configuration data is stored using Protocol Buffers serialization with Gzip compression and Base64 encoding.
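As an added example (not code from the article, Check Point, or the malware), the following schema-less decoder undoes the configuration layering just described, Base64 then Gzip then Protocol Buffers, the way an analyst would triage a recovered config blob before the message schema is known. The sample blob and its two-field layout are constructed here for the test and are not PureHVNC's real schema.

```python
import base64, gzip

# Wire types defined by the Protocol Buffers encoding.
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5

def decode_varint(buf, pos):
    """Read one base-128 varint at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while pos < len(buf):
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated varint")

def parse_message(buf):
    """Walk raw protobuf wire format without a schema (like protoc --decode_raw).
    Returns [(field_number, wire_type, value), ...] for analyst inspection."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        field, wtype = key >> 3, key & 7
        if wtype == VARINT:
            value, pos = decode_varint(buf, pos)
        elif wtype in (FIXED64, FIXED32):
            size = 8 if wtype == FIXED64 else 4
            value, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        elif wtype == LENGTH_DELIMITED:
            length, pos = decode_varint(buf, pos)
            value, pos = bytes(buf[pos:pos + length]), pos + length
        else:
            raise ValueError(f"unsupported wire type {wtype} in field {field}")
        if pos > len(buf):
            raise ValueError(f"field {field} runs past end of message")
        fields.append((field, wtype, value))
    return fields

def decode_config(b64_text):
    """Undo the layering described in the article: Base64 -> Gzip -> protobuf."""
    return parse_message(gzip.decompress(base64.b64decode(b64_text)))

def build_sample():
    """CONSTRUCTED test blob with a hypothetical layout (not PureHVNC's real schema):
    field 1 = varint 300 (08 AC 02), field 2 = 7-byte string "amazon3" (12 07 ...)."""
    msg = b"\x08\xac\x02\x12\x07amazon3"
    return base64.b64encode(gzip.compress(msg)).decode()
```

Length-delimited fields that come back as printable text (campaign IDs, hosts, URLs) are the first things to pivot on; nested messages also arrive as length-delimited bytes and can be fed back into parse_message.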

The GitHub repositories discovered during the investigation contained files supporting TwitchBot and YouTubeBot plugins, enabling automated social media manipulation, including following accounts, liking videos, and clicking advertisements.

Check Point researchers expect PureCoder to change hosting platforms frequently in order to maintain operational security.

Analysis of associated GitHub accounts revealed a UTC+0300 timezone setting, corresponding to regions including Russia.

Figure: Malware configuration.

This geographic intelligence, combined with the discovery of PureRAT builder tools and PureCrypter enumerations, provides law enforcement and cybersecurity professionals with actionable intelligence for tracking future campaigns leveraging Pure malware tools.


The post Developers of PureHVNC RAT Leverage GitHub to Host Source Code for the Pure Malware Family appeared first on Cyber Security News.

