Full Report
Russian organizations have become the target of a phishing campaign that distributes malware called PureRAT, according to new findings from Kaspersky. "The campaign aimed at Russian business began back in March 2023, but in the first third of 2025 the number of attacks quadrupled compared to the same period in 2024," the cybersecurity vendor said. The attack chains, which have not been
Analysis Summary
# Incident Report: PureRAT Malware Campaign Targeting Russian Organizations
## Executive Summary
Kaspersky reports a fourfold increase in phishing attacks on Russian organizations in the first third of 2025 compared with the same period of 2024; the campaign distributes the PureRAT malware. The attack chain starts with an archive attachment disguised as a document and proceeds through a multi-stage deployment: PureRAT for remote control, the PureCrypter downloader, and finally the PureLogs information stealer. The primary impact is full compromise of the affected endpoint, theft of credentials and other sensitive data, and financial fraud through clipboard substitution of cryptocurrency wallet addresses.
## Incident Details
- Discovery Date: Not stated precisely; Kaspersky published its findings in 2025 after observing a fourfold rise in attacks in the first third of 2025 compared with the same period of 2024
- Incident Date: Campaign active since March 2023, with the sharp rise in early 2025
- Affected Organization: Multiple Russian organizations (unspecified)
- Sector: Unspecified (Focus on Russian business)
- Geography: Russia
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning March 2023, escalating in early 2025.
- **Vector:** Phishing email carrying a RAR archive as an attachment or linking to one.
- **Details:** The archive name masquerades as a Microsoft Word or PDF document by using a double extension, e.g. `doc_054_[redacted].pdf.rar`; the archive contains the executable dropper rather than a document.
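The naming trick above can be turned into a mail-gateway rule. The following Python is an added example written for this report, not code from Kaspersky's analysis or from the campaign; the attachment names, the archive member list and the scoring thresholds are constructed assumptions for illustration. It scores a name by its own extension chain and, for archives, by the extensions of the members in the archive listing, so `something.pdf.rar` containing an `.exe` is quarantined while a plain `.zip` of images passes.

```python
import re
from dataclasses import dataclass, field

# Extensions a recipient expects to open as a document.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "rtf", "odt"}
# Archive containers; the campaign used RAR, the rest are common siblings.
ARCHIVE_EXTS = {"rar", "zip", "7z", "iso", "img", "cab"}
# Member types that have no business inside a "document" archive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi", "dll", "lnk", "ps1"}

BLOCK_THRESHOLD = 3  # assumed policy: score >= 3 means quarantine


@dataclass
class Verdict:
    name: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        return self.score >= BLOCK_THRESHOLD


def extensions(filename: str) -> list:
    """All dot-separated suffixes of a file name, lowercased, in order.
    'doc_054_[redacted].pdf.rar' -> ['pdf', 'rar']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []


def assess_attachment(name: str, members=()) -> Verdict:
    """Score an attachment by its own name and, for archives, by the names
    of the files it contains (members is the archive listing)."""
    v = Verdict(name)
    exts = extensions(name)
    if not exts:
        return v
    outer = exts[-1]
    inner = exts[-2] if len(exts) >= 2 else None

    if outer in ARCHIVE_EXTS:
        v.score += 1
        v.reasons.append(f"archive container .{outer}")
        if inner in DOCUMENT_EXTS:
            # The lure shape in this campaign: doc_054_[redacted].pdf.rar
            v.score += 2
            v.reasons.append(f"double extension .{inner}.{outer} imitating a document")
    elif outer in EXECUTABLE_EXTS:
        v.score += 2
        v.reasons.append(f"directly attached executable .{outer}")
        if inner in DOCUMENT_EXTS:
            v.score += 2
            v.reasons.append(f"double extension .{inner}.{outer} imitating a document")

    for member in members:
        mexts = extensions(member)
        last = mexts[-1] if mexts else None
        if last in EXECUTABLE_EXTS:
            v.score += 3
            v.reasons.append(f"archive member {member!r} is executable")
        elif last in ARCHIVE_EXTS:
            v.score += 1
            v.reasons.append(f"archive member {member!r} is a nested archive")
    return v


if __name__ == "__main__":
    # Constructed sample: the lure name from this report with an .exe inside.
    for verdict in (assess_attachment("doc_054_[redacted].pdf.rar", members=["task.exe"]),
                    assess_attachment("photos.zip", members=["a.jpg", "b.jpg"])):
        print(verdict.name, "BLOCK" if verdict.block else "allow", verdict.reasons)
```

The member check matters more than the name check: a gateway that only looks at the outer `.rar` will quarantine every archive, while one that lists the members can let benign archives through and still catch a document-named archive that unpacks to an executable.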
### Execution & Persistence
- **Vector:** The victim extracts the archive and runs the executable inside it; everything that follows happens on that host. The source describes no lateral movement to other machines.
- **Details:** The initial `task.exe` copies itself to `%AppData%` and creates a VBScript (`Task.vbs`) in the Startup folder so the copy runs at logon. Subsequent stages unpack secondary binaries (`ckcfb.exe`, `StilKrip.exe`); the PureRAT payload (`Spydgozoi.dll`) is decrypted and injected into the legitimate .NET utility `InstallUtil.exe`, while `StilKrip.exe` (PureCrypter) downloads the stage that ends in `Bftvbho.dll` (PureLogs).
### Data Exfiltration/Impact
- **Impact:** Full system control via PureRAT, including access to file system, registry, processes, camera, and microphone. Specific threat includes data harvesting via the PureLogs information stealer (from browsers, email clients, VPNs) and real-time financial fraud via clipboard hijacking (PluginClipper).
- **Exfiltration:** System information (AV status, computer name, uptime) sent to C2; PureLogs gathers sensitive data for later exfiltration.
### Detection & Response
- **Detection:** Findings reported by Kaspersky (based on analysis of attack chains).
- **Response actions taken:** Not described in the source; Kaspersky's analysis and public reporting are the only response activity the text records.
## Attack Methodology
- **Initial Access:** Phishing (RAR attachment disguised as a document).
- **Persistence:** Creation of an executable (`task.exe` in `%AppData%`) and a startup VBScript (`Task.vbs`).
- **Privilege Escalation:** Not described in the source. Injecting into `InstallUtil.exe` does not by itself grant elevated privileges; it is a defense-evasion technique, and the chain as described runs in the user's context.
- **Defense Evasion:** The decrypted payload is injected into a legitimate, signed .NET utility (`InstallUtil.exe`) so the malicious code runs under a trusted process image; internal modules are kept encrypted and decrypted only at runtime.
- **Credential Access:** Implied via PureLogs' ability to harvest data from email clients and VPN services.
- **Discovery:** PureRAT transmits system information, including installed AV products.
- **Lateral Movement:** Not described in the source. The secondary downloader (`PureCrypter`/`StilKrip.exe`) stages further payloads on the same host; downloading a second stage is not lateral movement.
- **Collection:** PureLogs module collects browser history, email contents, and VPN/messaging data.
- **Exfiltration:** PureRAT establishes SSL connections to C2 to send initial system data; PureLogs is designed to exfiltrate collected data.
- **Impact:** Remote Desktop control, keystroke logging, unauthorized fund transfers via clipboard manipulation (clipper malware).
## Impact Assessment
- **Financial:** Direct threat via PluginClipper module allowing for unauthorized cryptocurrency wallet substitution during transactions.
- **Data Breach:** High risk of intellectual property and sensitive user data theft via PureLogs harvesting credentials and configuration files from common applications.
- **Operational:** Disruption from the attacker's full remote control of the endpoint and from the PluginPcOption module, which can shut down or restart the host.
- **Reputational:** Damage to trust for targeted Russian businesses due to data loss and financial compromise.
## Indicators of Compromise
* **Network Indicators:** The source gives no C2 domains or IP addresses; the observable is outbound SSL/TLS sessions from compromised hosts to attacker infrastructure.
* **File Indicators:**
  * Initial Dropper: `task.exe` (copied to `%AppData%`)
  * Startup Persistence: `Task.vbs` (in the user's Startup folder)
  * Core Payload 1: `ckcfb.exe`
  * Core Payload 2 (Downloader): `StilKrip.exe` (PureCrypter)
  * Downloaded Stage: `Ttcxxewxtly.exe`
  * Primary Payload DLL: `Spydgozoi.dll` (incorporates PureRAT)
  * Secondary Payload DLL: `Bftvbho.dll` (incorporates PureLogs)
* **Behavioral Indicators:** An executable in a user-writable directory launching `InstallUtil.exe` and injecting into it; clipboard contents monitored for cryptocurrency addresses; keylogging activity.
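The file, persistence and injection behaviour listed above maps onto a small set of endpoint telemetry rules. The Python below is an added example, not Kaspersky tooling or anything from the campaign; it evaluates Sysmon-style events (event ID 11 for file creation, 1 for process creation, 8 for CreateRemoteThread) and alerts on a host only when at least two distinct rules fire, which keeps a developer legitimately running `InstallUtil.exe` from paging anyone. The event records, hostnames, user names and paths are constructed for the example; the field names follow Sysmon's, but the events are not real telemetry.

```python
import re
from collections import defaultdict

# Logon-time autostart location (per-user and all-users Startup folders).
STARTUP_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.(vbs|vbe|js|jse|wsf|bat|cmd|lnk|exe)$",
    re.I)
# Paths an ordinary user can write to; payloads staged here are suspicious.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# Where legitimate parents of InstallUtil.exe (installers, IDEs, build tools) live.
TRUSTED_DIRS_RE = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
INSTALLUTIL_RE = re.compile(r"\\installutil\.exe$", re.I)


def check(ev):
    """Return the rule names a single Sysmon-style event triggers."""
    hits = []
    eid = ev["EventID"]
    if eid == 11:  # FileCreate
        target = ev["TargetFilename"]
        if STARTUP_RE.search(target):
            hits.append("startup_script_dropped")
        if (target.lower().endswith(".exe")
                and USER_WRITABLE_RE.match(target)
                and USER_WRITABLE_RE.match(ev["Image"])):
            hits.append("exe_copied_to_user_dir_by_user_dir_process")
    elif eid == 1:  # ProcessCreate
        if INSTALLUTIL_RE.search(ev["Image"]) and not TRUSTED_DIRS_RE.match(ev["ParentImage"]):
            hits.append("installutil_untrusted_parent")
    elif eid == 8:  # CreateRemoteThread
        if INSTALLUTIL_RE.search(ev["TargetImage"]) and not TRUSTED_DIRS_RE.match(ev["SourceImage"]):
            hits.append("remote_thread_into_installutil")
    return hits


def correlate(events, min_rules=2):
    """Group rule hits by host; alert when at least min_rules distinct rules fired."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in check(ev):
            per_host[ev["Computer"]].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= min_rules}


# Constructed sample telemetry (not real logs); the first four events
# mirror the chain described in this report.
SAMPLE_EVENTS = [
    {"Computer": "WS-0421", "EventID": 11,
     "Image": r"C:\Users\ivanov\Downloads\task.exe",
     "TargetFilename": r"C:\Users\ivanov\AppData\Roaming\task.exe"},
    {"Computer": "WS-0421", "EventID": 11,
     "Image": r"C:\Users\ivanov\Downloads\task.exe",
     "TargetFilename": r"C:\Users\ivanov\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Task.vbs"},
    {"Computer": "WS-0421", "EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Users\ivanov\AppData\Roaming\task.exe"},
    {"Computer": "WS-0421", "EventID": 8,
     "SourceImage": r"C:\Users\ivanov\AppData\Roaming\task.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"},
    # Benign: a developer's IDE invoking InstallUtil.exe for a service install.
    {"Computer": "DEV-07", "EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # Benign: Word saving a document into the user's profile.
    {"Computer": "WS-0200", "EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\petrov\Documents\report.docx"},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, rules)
```

One caveat on the injection rule: Sysmon event ID 8 records only `CreateRemoteThread`; injection that relies on thread-context or APC techniques does not produce it, so the untrusted-parent rule on `InstallUtil.exe` is the more dependable of the two and should not be dropped in favour of the thread rule.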
## Response Actions
- **Containment measures:** Isolation of affected endpoints once PureRAT activity (SSL communication to C2) is identified.
- **Eradication steps:** Complete removal of all dropped executables (`task.exe`, `ckcfb.exe`, `StilKrip.exe`, `Ttcxxewxtly.exe`) and associated VBS/DLL modules from the system and Startup folders.
- **Recovery actions:** Rebuilding systems, resetting credentials harvested by PureLogs, and reverting configuration changes made by the malware modules.
## Lessons Learned
- **Key takeaways:** A socially engineered archive with a double extension remains an effective initial access vector. The multi-stage deployment built from known components (PureRAT, PureCrypter, PureLogs) shows reliance on modular, off-the-shelf malware kits rather than custom tooling.
- **What could have been done better:** Organizations need controls that detect process injection into legitimate utilities such as `InstallUtil.exe` and that alert when such utilities are launched by a process running from a user-writable path. Egress filtering and inspection of outbound TLS could block the PureCrypter download stage and the PureRAT C2 session; this is a network-control gap rather than a segmentation one, since the source describes no spread to other hosts.
## Recommendations
- **Prevention measures for similar incidents:**
1. **Email Security:** Quarantine `.rar` and other archive attachments from external senders, and flag names in which a document extension is followed by an archive or executable extension (e.g. `.pdf.rar`, `.pdf.exe`).
2. **Endpoint Detection and Response (EDR):** Tune EDR solutions to detect, flag, and block process injection attacks targeting native Windows utilities (e.g., `InstallUtil.exe`).
3. **Clipboard Monitoring:** Deploy endpoint controls that alert when a copied cryptocurrency wallet address is replaced on the clipboard by a different address of the same type, and require users to verify the destination address on the signing device or confirmation screen before sending funds.
4. **User Training:** Conduct targeted social engineering awareness training focusing on file extensions and archive inspection.
5. **Application Control:** Restrict execution paths for unknown executables, particularly those dropped into user profile directories like `%AppData%`.
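The clipboard-substitution fraud noted under Impact Assessment (PluginClipper) and the monitoring control recommended above can be demonstrated together. The Python below is an added example, not code from the malware or from Kaspersky: `clipper_rewrite` models what a clipper does (replace a copied wallet address with an attacker-controlled one of the same type), and `detect_substitutions` flags a clipboard change that replaces one wallet address with another of the same type within seconds, set by a different clipboard owner than the one that copied the original. The wallet addresses, process names and event sequence are constructed, and the `owner` field stands in for whatever clipboard-owner telemetry an endpoint agent provides.

```python
import re
from dataclasses import dataclass

# Address shapes for the coin types a clipper typically targets.
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify(text):
    """Return the coin type if text is a bare wallet address, else None."""
    t = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(t):
            return coin
    return None


def clipper_rewrite(text, attacker_wallets):
    """What a clipper does: if the clipboard holds a wallet address and the
    attacker has a wallet of the same type, swap it in; otherwise leave it."""
    coin = classify(text)
    if coin in attacker_wallets:
        return attacker_wallets[coin]
    return text


@dataclass
class ClipEvent:
    ts: float      # seconds
    owner: str     # process that set the clipboard (from agent telemetry)
    text: str      # clipboard content


def detect_substitutions(events, window=5.0):
    """Flag a clipboard update that replaces one wallet address with another
    of the same coin type within `window` seconds, set by a different owner
    than the one that copied the original. A user copying two addresses in a
    row from the same application does not match."""
    alerts = []
    prev = None
    for ev in events:
        coin = classify(ev.text)
        if prev is not None and coin is not None:
            if (classify(prev.text) == coin
                    and prev.text != ev.text
                    and 0 <= ev.ts - prev.ts <= window
                    and ev.owner != prev.owner):
                alerts.append({"ts": ev.ts, "coin": coin, "owner": ev.owner,
                               "original": prev.text, "replacement": ev.text})
        prev = ev
    return alerts


# Constructed sample data (not real wallets, processes or telemetry).
USER_BTC = "1Kx3a9QpV2mR7sTnWbYcDeFgHjLmNpQr5v"
USER_ETH = "0x" + "ab12" * 10
USER_ETH_2 = "0x" + "cd34" * 10
ATTACKER_WALLETS = {"btc": "1Mz8bCdEfGh2JkLmNpQrStUvWxYz3aBcDe",
                    "eth": "0x" + "ef56" * 10}

SAMPLE_EVENTS = [
    ClipEvent(100.0, "chrome.exe", "meeting moved to 15:00"),
    ClipEvent(130.0, "chrome.exe", USER_BTC),                                          # victim copies payee address
    ClipEvent(130.3, "InstallUtil.exe", clipper_rewrite(USER_BTC, ATTACKER_WALLETS)),  # clipper swaps it
    ClipEvent(200.0, "chrome.exe", USER_ETH),                                          # later, unrelated copy
    ClipEvent(201.0, "chrome.exe", USER_ETH_2),                                        # second address, same owner: no alert
]

if __name__ == "__main__":
    for a in detect_substitutions(SAMPLE_EVENTS):
        print(f"{a['ts']}: {a['coin']} address replaced by {a['owner']}: "
              f"{a['original']} -> {a['replacement']}")
```

The owner comparison is what keeps the rule quiet when a user pastes several addresses in a row; in the campaign the replacement is written from the process the RAT was injected into, which is why a clipboard owner of `InstallUtil.exe` is itself worth an alert regardless of content.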