Threat Intelligence, Malware, Phishing

PureRAT spread in suspected Vietnamese hacking campaign

Suspected Vietnamese hackers have deployed the PureRAT trojan as part of a phishing campaign that initially involved a basic Python-based information-stealing payload, reports Infosecurity Magazine.

Malicious emails purporting to be copyright notices have been leveraged to spread a ZIP archive with a nefarious DLL and a PDF reader executable that facilitated a 10-stage attack chain, findings from Huntress researchers revealed.

After using Python scripts during the first two stages, the attackers switched to compiled .NET executables, with process hollowing and exploitation of Windows defenses conducted until the eventual delivery of PureRAT, which provides encrypted command-and-control channels and host fingerprinting capabilities.

The attack has been linked to Vietnamese hackers due to the presence of @LoneNone-associated metadata used in the PXA Stealer malware, as well as the Vietnamese origins of PureRAT's C2 server.

"This campaign underscores the importance of defense-in-depth. The initial access relied on user execution, the loaders exploited trusted and system binaries, and the final stage used defense evasion to remain hidden," said Huntress, which called on organizations to examine the intrusion's lifecycle to bolster their security posture.
