Pure Crypter: Advanced Malware Loader Bypassing Windows 11 24H2 Defenses

In the ever-evolving landscape of cybersecurity threats, Pure Crypter has emerged as a formidable malware-as-a-service (MaaS) loader, adept at circumventing the latest security enhancements in Windows 11 24H2. This sophisticated tool has become a linchpin for threat actors deploying information stealers like Lumma and Rhadamanthys, particularly through the ClickFix initial access vector.

The Evolution of Process Hollowing and Microsoft's Countermeasures​

Process Hollowing, a technique where a malicious program injects code into a legitimate process, has long been a favored method for malware deployment. Recognizing its prevalence, Microsoft introduced measures in Windows 11 24H2 to disrupt this tactic. Specifically, the integration of the RtlpInsertOrRemoveScpCfgFunctionTable function in the Windows loader aimed to prevent such injections by interacting with the ZwQueryVirtualMemory function, which rigorously inspects memory regions. This enhancement was designed to trigger errors like 0xC0000141 when unauthorized memory modifications were detected, effectively thwarting many known malware techniques. (windowsforum.com)

Pure Crypter's Adaptive Evasion Techniques​

Undeterred by these security fortifications, Pure Crypter's developers engineered a method to bypass the new protections. By patching the NtManageHotPatch API in memory, they restored the ability to perform Process Hollowing on systems running Windows 11 24H2. This bypass, detailed by security researcher Hasherezade, underscores the cat-and-mouse dynamic between malware developers and security professionals. (esentire.com)
Beyond this specific bypass, Pure Crypter boasts a suite of evasion and persistence mechanisms:

• AMSI Bypass: By patching the AmsiScanBuffer and EtwEventWrite APIs in memory, Pure Crypter disables the Antimalware Scan Interface, allowing malicious code to execute without triggering security alerts. (esentire.com)
• DLL Unhooking: The loader replaces potentially hooked versions of kernel32.dll and ntdll.dll with clean copies, effectively neutralizing monitoring by antivirus (AV) and endpoint detection and response (EDR) solutions. (esentire.com)
• Anti-VM and Anti-Debugging Checks: Utilizing APIs like CheckRemoteDebuggerPresent and WMI queries, Pure Crypter detects virtualized environments and debugging tools, terminating execution to evade analysis. (esentire.com)
• Network Disruption: By executing ipconfig.exe to disable internet connectivity, the malware hinders communication between infected systems and security infrastructure, complicating detection and remediation efforts. (esentire.com)
• Execution Delays: Implementing delays via SleepEx can thwart automated analysis tools that rely on rapid execution patterns to identify malicious behavior. (esentire.com)
• Persistence Mechanisms: Pure Crypter ensures its longevity on compromised systems through various methods, including modifying Run keys, creating scheduled tasks, or placing VBScript files in startup folders. (esentire.com)

Versatile Payload Execution Methods​

The loader's flexibility extends to multiple payload execution techniques:

• Reflection for .NET Files: This method allows the execution of .NET assemblies directly from memory, reducing the likelihood of detection by file-based security measures. (esentire.com)
• Shellcode Injection: By allocating memory and creating threads via VirtualAlloc and CreateThread, Pure Crypter can inject and execute shellcode, facilitating the deployment of various payloads. (esentire.com)
• Parent Process Spoofing: Techniques involving OpenProcess and UpdateProcThreadAttribute enable the malware to masquerade its execution under legitimate processes, further evading detection. (esentire.com)

Deceptive Marketing and Distribution Strategies​

Pure Crypter's reach is amplified by its strategic distribution and marketing:

• Sales Platforms: Marketed by the vendor 'PureCoder' on forums like Hackforums[.]net, the loader is available through tiered subscriptions, ranging from $159 for three months to $799 for lifetime access. (esentire.com)
• Automated Distribution: An automated Telegram bot, @ThePureBot, facilitates the distribution of Pure Crypter alongside related tools such as Pure Miner, Pure RAT, and Pure Logs Stealer. (esentire.com)
• Misleading Detection Claims: The vendor showcases zero-detection results from avcheck[.]net, a platform that doesn't share samples with AV/EDR vendors. However, independent testing on VirusTotal reveals that newly generated stubs are detected by at least 20 security solutions, highlighting a significant discrepancy and suggesting deceptive marketing practices. (esentire.com)
• Operational Security Measures: To navigate forum restrictions on malicious software sales, Pure Crypter employs a Terms of Service agreement, presenting itself as legitimate software. Additionally, a user-friendly GUI with quotas on packing operations lowers the technical barrier for potential users. (esentire.com)

Countermeasures and Mitigation Strategies​

In response to the threat posed by Pure Crypter, security researchers have developed tools like PureCrypterPunisher. This utility automates the unpacking process, extracts configurations, and decrypts embedded strings, empowering analysts to dissect and understand the malware's behavior more effectively. (esentire.com)
To bolster defenses against such sophisticated loaders, organizations should consider the following measures:

• Disable Unnecessary Script Execution: Implement policies to disable wscript.exe via AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of potentially malicious scripts. (esentire.com)
• Redirect Risky File Extensions: Configure Group Policy Objects (GPOs) to redirect the default "Open With" action for file extensions like .js, .vbs, and .hta to benign programs such as notepad.exe, mitigating the risk of script-based attacks. (esentire.com)
• Employee Training: Conduct regular phishing and security awareness training to educate staff about the dangers of executing unverified software and the tactics employed by threat actors. (esentire.com)
• Deploy Advanced Security Solutions: Utilize Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) solutions capable of detecting and containing advanced threats through behavioral analysis and heuristic detection. (esentire.com)

The emergence and evolution of Pure Crypter underscore the persistent ingenuity of cybercriminals and the necessity for continuous vigilance and adaptation in cybersecurity practices. By understanding the mechanisms and strategies employed by such malware, organizations can better fortify their defenses against the ever-changing threat landscape.

---

Source: GBHackers News Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features