“The actor is running a Windows scheduled task on victim machines, including on endpoints with a low battery, to achieve persistence,” said Talos researchers.
Additionally, the attacker disconnects the victim’s machine from the network just before delivering the malware and reconnects it once the drop is complete, so that cloud-based antivirus products never see the file arrive. On top of this, the PureCrypter malware itself performs a range of anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine before running its payload, researchers added.
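The two host-side behaviours described above (a scheduled task created while the machine is deliberately offline, and a task configured to run even on battery) are both visible in endpoint telemetry. The following is an added example, not code from the Talos report or from this article, of how a detection could correlate them. It runs over constructed, normalised events; the field names (`ts`, `host`, `kind`, `task_name`, `task_xml`) are assumptions rather than any product's schema, `task_created` is modelled on the task XML that Windows Security event 4698 carries, and `network_down`/`network_up` stand in for whatever network-state telemetry a SIEM actually ingests.

```python
"""Toy detection for the PureCrypter delivery pattern (added example).

Assumed event shape (not a real product schema): dicts with ts, host, kind, and
for task_created also task_name and task_xml. The task XML elements and the
namespace are the real Task Scheduler ones; everything else is constructed."""
import xml.etree.ElementTree as ET

# Real Task Scheduler XML namespace used in exported task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition with both battery restrictions switched off,
# i.e. the task starts on battery and keeps running when power is unplugged.
TASK_XML_BATTERY_OK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
  <Actions><Exec><Command>C:\Users\user\AppData\Roaming\placeholder.exe</Command></Exec></Actions>
</Task>
"""

# Constructed task definition relying on the defaults (both settings true).
TASK_XML_DEFAULT = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Enabled>true</Enabled></Settings>
  <Actions><Exec><Command>C:\Windows\System32\backup.exe</Command></Exec></Actions>
</Task>
"""

SAMPLE_EVENTS = [  # constructed telemetry, not real log data
    {"ts": "2023-02-20T10:00:00", "host": "WS-01", "kind": "network_down"},
    {"ts": "2023-02-20T10:00:20", "host": "WS-01", "kind": "task_created",
     "task_name": r"\UpdateCheck", "task_xml": TASK_XML_BATTERY_OK},
    {"ts": "2023-02-20T10:00:45", "host": "WS-01", "kind": "network_up"},
    {"ts": "2023-02-20T11:30:00", "host": "WS-02", "kind": "task_created",
     "task_name": r"\NightlyBackup", "task_xml": TASK_XML_DEFAULT},
]


def battery_unrestricted(task_xml: str) -> bool:
    """True when the task both starts on battery and survives a switch to battery.
    Absent elements take Task Scheduler's defaults, which are 'true' (restricted)."""
    root = ET.fromstring(task_xml.strip())
    settings = root.find("t:Settings", TASK_NS)
    if settings is None:
        return False

    def setting(name: str) -> str:
        el = settings.find(f"t:{name}", TASK_NS)
        return (el.text or "true").strip().lower() if el is not None else "true"

    return (setting("DisallowStartIfOnBatteries") == "false"
            and setting("StopIfGoingOnBatteries") == "false")


def detect(events):
    """Flag scheduled tasks created while the host had no network connectivity.
    Returns one alert per suspicious task; battery settings raise the severity."""
    alerts = []
    offline_since = {}  # host -> timestamp of the network_down still in effect
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev["host"], ev["kind"]
        if kind == "network_down":
            offline_since[host] = ev["ts"]
        elif kind == "network_up":
            offline_since.pop(host, None)
        elif kind == "task_created" and host in offline_since:
            on_battery = battery_unrestricted(ev["task_xml"])
            alerts.append({
                "host": host,
                "task": ev["task_name"],
                "offline_since": offline_since[host],
                "runs_on_battery": on_battery,
                "severity": "high" if on_battery else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only WS-01 produces an alert here: its task was registered inside the offline window and is allowed to run on battery, which is the combination the researchers describe. WS-02's task is created while online and keeps the battery defaults, so it is left alone. In a real deployment the battery flags alone are too common to alert on; they are useful as a severity modifier once the offline-window correlation has fired.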
It is important to note that the researchers also found email samples written in English, indicating the campaign’s potential to be used outside of these geographies.