Surge in Phishing Attacks Targeting Russian Businesses: Unpacking the PureRAT Malware
May 21, 2025
By Ravie Lakshmanan
Tags: Malware, Windows Security
The Emergence of PureRAT Malware
Research published by Kaspersky documents a sharp rise in phishing attacks against Russian organizations that deliver the PureRAT malware. The campaign has been observed since March 2023, and the number of attacks in the first months of 2025 was roughly four times that of the same period a year earlier. The chain described below relies on nothing more exotic than a disguised archive attachment, a Startup-folder script and a legitimate Windows utility, which is exactly why it keeps working against businesses in the region.
How the Attack Chains Work
The attacks begin with a phishing email that either attaches a RAR archive or links to one for download. The archive and the file inside it are disguised as Microsoft Word or PDF documents by means of double extensions such as "doc054[redacted].pdf.rar." On a default Windows installation, which hides known file extensions in Explorer, a name of the form "report.pdf.exe" is displayed simply as "report.pdf," so the trailing executable or archive extension is invisible to the user.
Inside the archive is an executable. When the user launches it, it copies itself to the "%AppData%" directory of the infected Windows host as "task.exe" and writes a Visual Basic Script named "Task.vbs" to the Startup folder, so that the malware is relaunched at every logon.
Executing PureRAT: Unpacking the Malware
The initial executable then unpacks another executable, "ckcfb.exe." That file launches "InstallUtil.exe," the signed .NET Framework installer utility that ships with Windows, and injects into it a decrypted module, "Spydgozoi.dll," which contains the main PureRAT payload. Running the payload inside a legitimate Microsoft-signed process is the point: on a host that only inspects the image on disk, the malicious code executes under the name of a trusted binary.
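The chain so far leaves four behaviours in ordinary endpoint telemetry: a double-extension lure being opened, an executable copying itself into %AppData%, a script landing in a Startup folder, and InstallUtil.exe being started by a parent that runs from a user-writable directory. The Python below hunts for all four over Sysmon-style process-creation and file-creation records. It is an added example, not code from Kaspersky or from the original article; the event records, host paths, user name and WinRAR temp directory are constructed, and the field names "type", "image", "parent", "cmdline" and "target" are simplified assumptions that stand in for Sysmon Event ID 1 and Event ID 11 fields and would need mapping onto a real EDR schema. The InstallUtil rule also covers the StilKrip stage described later on this page, which reuses the same utility.

```python
"""Hunt for the PureRAT delivery chain in Sysmon-style telemetry.

Added example, not code from Kaspersky or the original article. EVENTS is a
CONSTRUCTED sample (hypothetical host, user and paths); the keys "type",
"image", "parent", "cmdline" and "target" are simplified stand-ins for
Sysmon Event ID 1 / 11 fields and are assumptions to map onto your schema.
"""
import ntpath
import re

# Lure names: a document extension immediately followed by an executable or
# archive extension, e.g. "report.pdf.rar" or "scan.docx.exe". The lookahead
# lets the match succeed before a closing quote but not mid-extension.
DOUBLE_EXT = re.compile(
    r"\.(?:docx?|xlsx?|pptx?|pdf|rtf|txt)"
    r"\.(?:exe|scr|com|pif|bat|cmd|vbs|vbe|js|jse|wsf|lnk|rar|zip|7z)(?![\w.])",
    re.IGNORECASE,
)
# Locations an unprivileged user can write to; malware stages itself here.
USER_WRITABLE = re.compile(
    r"\\(?:appdata|downloads|temp|tmp|programdata|users\\public)\\", re.IGNORECASE)
# Per-user and all-users Startup folders: anything placed here runs at logon.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1|lnk)$", re.IGNORECASE)
APPDATA_ROAMING = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)

U = r"C:\Users\ivanov"  # hypothetical user profile (constructed)
DROPPER = U + r"\AppData\Local\Temp\Rar$EXa1234.5678\invoice_0417.pdf.exe"
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"

EVENTS = [  # constructed sample telemetry, in chain order
    {"type": "ProcessCreate", "image": WINRAR, "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"' + U + r'\Downloads\invoice_0417.pdf.rar"'},
    {"type": "ProcessCreate", "image": DROPPER, "parent": WINRAR, "cmdline": '"' + DROPPER + '"'},
    {"type": "FileCreate", "image": DROPPER, "target": U + r"\AppData\Roaming\task.exe"},
    {"type": "FileCreate", "image": DROPPER,
     "target": U + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task.vbs"},
    {"type": "ProcessCreate", "image": U + r"\AppData\Roaming\ckcfb.exe",
     "parent": U + r"\AppData\Roaming\task.exe", "cmdline": ""},
    {"type": "ProcessCreate",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent": U + r"\AppData\Roaming\ckcfb.exe", "cmdline": "InstallUtil.exe"},
    # Benign controls: a vendor installer using InstallUtil, and a normal document open.
    {"type": "ProcessCreate",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe", "cmdline": "InstallUtil.exe /i Service.dll"},
    {"type": "ProcessCreate", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": '"' + U + r'\Documents\report.docx"'},
]


def base(path: str) -> str:
    """Lower-cased file-name component of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule_name, event_index) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "ProcessCreate":
            image, parent, cmd = ev["image"], ev.get("parent", ""), ev.get("cmdline", "")
            # Rule 1: a double-extension lure is executed, or handed to an opener as an argument.
            if DOUBLE_EXT.search(base(image)) or DOUBLE_EXT.search(cmd):
                hits.append(("double_extension_lure", i))
            # Rule 2: the signed .NET utility InstallUtil.exe is started by a parent that
            # runs from a user-writable directory (legitimate binary used as an injection host).
            if base(image) == "installutil.exe" and USER_WRITABLE.search(parent):
                hits.append(("installutil_from_user_writable_parent", i))
        elif ev["type"] == "FileCreate":
            src, target = ev["image"], ev["target"]
            # Rule 3: a script written into a Startup folder by a process from a user-writable path.
            if STARTUP_DIR.search(target) and SCRIPT_EXT.search(base(target)) and USER_WRITABLE.search(src):
                hits.append(("startup_script_persistence", i))
            # Rule 4 (lower confidence): an .exe dropped into %AppData%\Roaming by a process
            # that itself runs from Temp/Downloads/AppData, i.e. a self-copy.
            if base(target).endswith(".exe") and APPDATA_ROAMING.search(target) and USER_WRITABLE.search(src):
                hits.append(("exe_dropped_in_appdata", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(EVENTS):
        print(f"{rule:40s} event[{idx}] {EVENTS[idx]['image']}")
```

Rules 1 to 3 are specific enough to alert on; rule 4 fires on many legitimate per-user installers and is better used to enrich a process tree than to page anyone. Rule 2 will also catch a developer running InstallUtil from a build directory under Temp, so allowlist by parent path rather than by the InstallUtil image itself. Note that the benign InstallUtil launch from Program Files and the ordinary Word document in the sample produce no hits, while the ckcfb.exe launch is silent on its own and is only incriminated by the events around it.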
PureRAT opens a TLS-encrypted (SSL) connection to its command-and-control (C2) server and sends a profile of the host: installed antivirus products, computer name, and system uptime. The C2 server responds with additional modules (plugins) that implement the malware's individual capabilities.
Key Functionalities of PureRAT
PureRAT is modular, and Kaspersky describes several of the plugins it loads:
- PluginPcOption: lets the operator order self-deletion, restart the malicious executable, or shut down or reboot the infected computer.
- PluginWindowNotify: checks the title of the active window for keywords associated with sensitive activity, such as password entry or banking, and reports matches so that follow-on actions, including unauthorized fund transfers, can be triggered while the victim is in the relevant application.
- PluginClipper: behaves like typical clipper malware, watching the clipboard for cryptocurrency wallet addresses and silently replacing them with addresses controlled by the attackers.
Kaspersky’s analysis indicates that the PureRAT Trojan includes capabilities for downloading and executing arbitrary files, thus granting cybercriminals comprehensive access to the compromised computer’s file system, registry, processes, and even the camera and microphone.
The Role of StilKrip in the Attack Chain
The executable that launches "ckcfb.exe" also drops a second binary, "StilKrip.exe," a downloader that has been in use since 2022. StilKrip retrieves a file named "Bghwwhmlr.wav" (the audio extension is a disguise), which repeats the pattern above: it runs "InstallUtil.exe" and ultimately launches another executable, "Ttcxxewxtly.exe."
That executable in turn unpacks and runs a DLL, "Bftvbho.dll," containing PureLogs, an information stealer that harvests credentials and data from web browsers, email clients, VPN clients, messaging applications, cryptocurrency wallet browser extensions, password managers, and file-transfer tools such as FileZilla and WinSCP.
The Severity of the Threat
Together, the PureRAT backdoor and the PureLogs stealer give an attacker full remote control of an infected host and bulk theft of the credentials stored on it. Kaspersky notes that email carrying malicious attachments or links remains the primary initial-access vector against businesses. The chain described here suggests where to look: archive attachments whose contents carry double extensions, executables copying themselves into %AppData%, scripts appearing in the Startup folder, and InstallUtil.exe being launched by anything other than a legitimate installer.