New PureLocker Ransomware Linked to MaaS Provider for Cobalt Gang, FIN6

A newly discovered piece of ransomware written in PureBasic has been linked to a Malware-as-a-Service (MaaS) provider that has been used by Cobalt Gang, FIN6, and other threat groups.

Dubbed PureLocker, the malware comes with evasion methods and features that have allowed it to remain undetected for months. The use of PureBasic, a rather uncommon programming language, also makes porting between Windows, Linux, and macOS easy. 

The analyzed Windows sample was masquerading as the C++ cryptography library Crypto++, and managed to remain undetected by the antivirus engines on VirusTotal for several weeks. The file would not exhibit malicious or suspicious behavior when executed in a sandbox, Intezer reveals.

Digging deeper, security researchers discovered that the file was not related to Crypto++, but that it did include code copied from multiple malware families, mainly from the Cobalt Gang. Most of the malicious code, however, was found to be unique. 

The threat is executed as a COM server DLL by regsvr32.exe, with its code residing in the DllRegisterServer export. The DLL includes various other exports as well, but they are meant for deception and have no functionality.

At first, the malware checks if it is executed as intended or if it is being analyzed or debugged, and exits immediately if a check fails. The threat doesn’t delete itself in such an instance, but does so after a successful execution.

Intezer’s security researchers believe the malware is part of a targeted and multi-stage attack, given that it checks whether the “/s /i” arguments are used at execution, to ensure no dialogues are displayed to the user. 

It also checks whether it is executed by regsvr32.exe and whether its file extension is either “.dll” or “.ocx,” in addition to verifying that the current year on the machine is 2019 and whether it has admin privileges.

“This type of behavior is not common in ransomware, which typically prefer to infect as many victims as possible in the hopes of gaining as much profit as possible. Additionally, being a DLL file designed to be executed in a very specific manner reveals this ransomware is a later-stage component of a multi-stage attack,” the researchers note. 
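The execution-context checks described above give defenders a narrow pattern to hunt for: regsvr32.exe launched with both the silent and install switches, registering a .dll or .ocx file that does not live in a directory installers normally use. The Python script below is an added example for this article, not code from Intezer or the report; the key=value event layout, the sample events and the list of trusted directories are assumptions constructed for the example, and the rule is a coarse heuristic that a real deployment would tune against its own baseline of legitimate silent registrations.

```python
import re
import shlex

# Constructed process-creation events in a key=value layout chosen for this
# example; they are not real telemetry and the paths are made up.
SAMPLE_EVENTS = [
    'ts=2019-11-12T09:14:02Z user=CORP\\alice image=C:\\Windows\\System32\\regsvr32.exe '
    'cmdline="regsvr32.exe /s /i C:\\Users\\alice\\AppData\\Local\\Temp\\cryptopp.dll" '
    'parent=C:\\Windows\\explorer.exe',
    'ts=2019-11-12T09:15:40Z user=SYSTEM image=C:\\Windows\\System32\\regsvr32.exe '
    'cmdline="regsvr32.exe /s C:\\Windows\\System32\\samplelib.dll" '
    'parent=C:\\Windows\\System32\\msiexec.exe',
    'ts=2019-11-12T09:16:03Z user=SYSTEM image=C:\\Windows\\SysWOW64\\regsvr32.exe '
    'cmdline="regsvr32.exe /s /i C:\\Windows\\SysWOW64\\vendorctl.ocx" '
    'parent=C:\\Windows\\System32\\msiexec.exe',
    'ts=2019-11-12T09:17:11Z user=CORP\\alice image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe /s /i C:\\Users\\alice\\x.dll" parent=C:\\Windows\\explorer.exe',
    'ts=2019-11-12T09:18:55Z user=CORP\\bob image=C:\\Windows\\System32\\regsvr32.exe '
    'cmdline="regsvr32.exe /i /s C:\\ProgramData\\update.ocx" '
    'parent=C:\\Windows\\System32\\cmd.exe',
]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Directories from which installers routinely perform silent registrations.
# Assumed list for the example; tune it to the estate being monitored.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def split_flags_and_targets(cmdline):
    """Separate regsvr32 switches from the file arguments of a command line."""
    args = shlex.split(cmdline, posix=False)[1:]  # drop the program name
    flags, targets = set(), []
    for arg in args:
        arg = arg.strip('"')
        if arg[:1] in ("/", "-"):
            # normalise "-s", "/i:<cmdline>" and "/I" to "/s" / "/i"
            flags.add("/" + arg[1:].split(":", 1)[0].lower())
        else:
            targets.append(arg)
    return flags, targets


def is_suspicious_regsvr32(event):
    """True when regsvr32.exe silently installs a .dll/.ocx from an unusual path."""
    image = event.get("image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return False
    flags, targets = split_flags_and_targets(event.get("cmdline", ""))
    if not {"/s", "/i"} <= flags:  # both the silent and install switches
        return False
    return any(t.lower().endswith((".dll", ".ocx"))
               and not t.lower().startswith(TRUSTED_PREFIXES)
               for t in targets)


def scan(lines):
    """Return the parsed events that match the heuristic, in log order."""
    return [e for e in map(parse_event, lines) if is_suspicious_regsvr32(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["ts"], hit["user"], hit["cmdline"])
```

Run against the constructed events, only the two registrations from a user's Temp folder and from ProgramData are reported; the plain `/s` registration and the `/s /i` registration from SysWOW64 are left alone, which is the trade-off the trusted-directory list makes.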

PureLocker manually loads another copy of “ntdll.dll” and resolves API addresses manually from there, an anti-hooking technique that allows it to evade user-mode hooking of ntdll functions. The ransomware also uses the resolve-by-hash method to obtain the function addresses.

Low-level Windows API functions in ntdll.dll are employed for most functionality, with some exceptions. The Windows Crypto API functions are not used; the compiled-in PureBasic crypto library is leveraged instead for encryption.

The threat uses the standard AES+RSA combination for file encryption, with a hard-coded RSA key, and adds the “.CR1” extension to affected files. After encryption, the original files are securely deleted to prevent recovery. 

A ransom note dubbed YOUR_FILES.txt is then dropped onto the desktop, instructing victims to contact the attackers via email for payment type and ransom amount. The attackers use a different Proton email address for each attack, which allows them to track victims and decryption keys. 

The CR1 string appears not only in the encrypted file extension, but also in the ransom note and attacker email addresses, suggesting this is the identifier of the group operating the samples. 
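The host-side indicators in the two paragraphs above (the “.CR1” extension on encrypted files, the YOUR_FILES.txt note on the desktop, and the per-attack contact address inside the note) are what an incident responder would sweep a profile for. The following triage script is an added example written for this article, not code from Intezer or the report; the directory layout, file names and the contact address it builds are constructed sample data, and the email pattern is a generic one rather than anything taken from a real sample.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Indicators from the report: encrypted files carry the ".CR1" extension and
# the ransom note is dropped on the desktop as YOUR_FILES.txt.
ENCRYPTED_EXT = ".cr1"
NOTE_NAME = "your_files.txt"
# Generic address pattern; the report says each attack uses a different
# contact address, so the value is extracted rather than hard-coded.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def triage(root):
    """Walk a user profile and collect the PureLocker indicators found there."""
    root = Path(root)
    encrypted, notes, emails = [], [], set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(rel)
        elif path.name.lower() == NOTE_NAME:
            notes.append(rel)
            # The note carries the per-attack contact address; pulling it out
            # gives a value to pivot on across other hosts.
            emails.update(EMAIL_RE.findall(path.read_text(errors="replace")))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "contact_emails": sorted(emails),
    }


def build_constructed_tree():
    """Create a throwaway profile mimicking an affected host (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="cr1_triage_"))
    (root / "Desktop").mkdir()
    (root / "Documents").mkdir()
    (root / "Documents" / "budget.xlsx.CR1").write_bytes(b"\x00" * 32)
    (root / "Documents" / "readme.txt").write_text("untouched file")
    (root / "Desktop" / "photo.jpg.CR1").write_bytes(b"\x00" * 32)
    (root / "Desktop" / "YOUR_FILES.txt").write_text(
        "All your files are encrypted.\n"
        # constructed address on a reserved domain, not a real indicator
        "Write to cr1-sample@example.invalid for the price and payment method.\n"
    )
    return root


if __name__ == "__main__":
    root = build_constructed_tree()
    try:
        print(triage(root))
    finally:
        shutil.rmtree(root)
```

On the constructed tree the sweep reports the two “.CR1” files, the single note on the desktop and the address extracted from it, while the untouched readme.txt is ignored.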

The investigation also revealed a connection with the loader part of the “more_eggs” JScript backdoor, also known as “SpicyOmelette,” which is associated with a MaaS provider on underground forums that threat groups such as the Cobalt Gang and FIN6 have bought malware kits from. 

PureLocker and the more_eggs loader were likely designed by the same author, given that they both have COM server DLL components written in PureBasic, employ the same evasion and anti-analysis methods, use identical string encoding and decoding methods, and their pre-payload stages are nearly the same.

“While we have a good sense regarding the malware’s origin, it’s unclear at this time whether the “CR1” group that’s using this ransomware for targeted attacks is a previous customer of the MaaS provider, such as Cobalt Gang and FIN6, or a new one,” the security researchers note.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
