On February 27, 2023, the account of a “The Sandbox” employee was compromised and used to send malspam promoting a project called “PureLand”. The lure delivers RedLine Stealer on Windows and a previously unidentified stealer on macOS.
Let’s take a closer look at this “PureLand”…
A Medium article version can be read here:
Details of “PureLand”
The OpenSea collection shows several sales, but these were wash trades intended to make the project look legitimate and mislead people.
To notify the malicious actors that an access code was entered, a POST request is sent to https://thepureland[.]io/js/send[.]PHP with the following fields:
- ip
- country_name
- worker
- file
- deviceInfo
- browser
- version
- platform
The files
The site serves three kinds of Dropbox downloads:
an executable (.exe)
an archive (.rar)
an installer package for macOS (.pkg); judging by public URLscan scans, this one was not added before March 1, 2023
-2/2/2023- (based on a URLscan result)
https://www.dropbox[.]com/s/mm19o7njoz6hnof/Pure%20Land%20Launcher%20v1.2.exe?dl=1
https://www.dropbox[.]com/s/uoo1asrasxisvcl/Pure%20Land%20Metaverse%20Alpha.rar?dl=1
-2/21/2023- (based on a URLscan result)
Same exe since 2/2/2023
https://www.dropbox[.]com/s/lykqsmwaa1fiyyq/Pure%20Land%20Metaverse%20Alpha.rar?dl=1
-3/1/2023- (based on a URLscan result)
Same exe since 2/2/2023
https://www.dropbox[.]com/s/o72q3itfi18zway/Pure%20Land%20Metaverse%20Alpha.rar?dl=1
https://www.dropbox[.]com/s/3yivn8j36ramnvg/Pure%20Land%20Launcher.pkg?dl=1
-3/3/2023-
Same exe since 2/2/2023
Same rar since 3/1/2023
https://www.dropbox[.]com/s/tmfj1iemicvu6t0/PureLand%20Launcher.pkg?dl=1
-3/4/2023-
https://www.dropbox[.]com/s/6k2o43warkry407/Pure%20Land%20Launcher%20v1.2.exe?dl=1
https://www.dropbox[.]com/s/jyzj2wqlbnbozy3/PureLand%20Metaverse.rar?dl=1
https://www.dropbox[.]com/s/1qo9cozv8srnx2x/PureLand%20Launcher.pkg?dl=1
-3/5/2023-
https://www.dropbox[.]com/s/gjr4w5x6g9m02r1/Pure%20Land%20Launcher%20v1[.]2[.]exe?dl=1
https://www.dropbox[.]com/s/37vvqyjx6qi43ex/PureLand%20Launcher[.]pkg?dl=1
-3/6/2023-
Same exe since 3/5/2023
https://www.dropbox[.]com/s/er04c2iqhnhdgq8/Pure%20Land%20Metaverse%20Alpha[.]rar?dl=1
Same pkg since 3/5/2023
-3/7/2023-
Same exe since 3/5/2023
Same rar since 3/6/2023
Same pkg since 3/5/2023
.exe
Pure Land Launcher v1.2.exe is packed using NSIS (Nullsoft Scriptable Install System).
Running the executable displays the following window:
It is an Electron-based dropper; once the “JOIN GAME” button is clicked, it invokes checkUpdate(), which reads a Pastebin paste for the URL of the payload archive pureland.7z (see IOCs).
Once pureland.7z is downloaded, it uses 7zr.exe and the password “pureland” to extract another executable, pureland.exe.
The final executable is pumped to 688.145872 MB (padded to inflate its size past the limits of many scanners and sandboxes) and protected with SmartAssembly, a .NET obfuscator. It is RedLine Stealer, configured with the C&C 162.55.188[.]117:48958 and botnet ID 5pur.
-3/7/2023 change-
The paste was edited on March 7, 2023, 09:02:48 AM CDT. It now points to
The extracted pumped executable is the same as the one in commit f973a65a46e8cb0f7b491d5aca81f459eb5b7a12 of the GitHub repository. It is still RedLine Stealer with the same configuration as above.
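The “depumped” hashes in the IOC list come from stripping that padding so the real payload can be hashed and matched. The Python below is added here as an illustration; it is not code from the original write-up or from the malware. It parses the PE section table to find where the loadable image ends and removes a trailing run of padding, and it assumes the pump consists of null bytes (the write-up does not say what the padding is). The minimal PE skeleton it builds as sample input is constructed for the demo so the script runs offline.

```python
import hashlib
import struct


def pe_end_of_sections(data: bytes) -> int:
    """Offset just past the last section's raw data, i.e. where the PE image
    the loader cares about ends. Anything after it is overlay (signature,
    installer payload) or, for a pumped file, padding."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)
    sec_table = coff + 20 + size_of_opt
    end = sec_table + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def depump(data: bytes, pad: bytes = b"\x00") -> bytes:
    """Return the file with a trailing run of `pad` bytes removed, but only when
    that run begins exactly at the end of the last section. A genuine overlay
    (any non-pad byte) is left alone so signed files and installers are not
    truncated. Assumption: the pump is null bytes; random padding cannot be
    reversed this way."""
    end = pe_end_of_sections(data)
    tail = data[end:]
    if tail and tail.strip(pad) == b"":
        return data[:end]
    return data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_fake_pe(section_payload: bytes) -> bytes:
    """Constructed minimal PE32 skeleton with one section, for this demo only.
    It is not loadable; it only carries the headers the functions above parse."""
    size_of_opt = 0xE0                        # PE32 optional header size
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + size_of_opt + 40
    ptr_raw = (headers_len + 0x1FF) & ~0x1FF  # 512-byte FileAlignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_of_opt - 2)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                      len(section_payload), ptr_raw, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + opt + sec
    return img + b"\0" * (ptr_raw - len(img)) + section_payload


if __name__ == "__main__":
    original = build_fake_pe(b"\xcc" * 100)
    pumped = original + b"\0" * (1 << 20)      # 1 MiB of null padding
    print("pumped  :", len(pumped), sha256_hex(pumped))
    print("depumped:", len(depump(pumped)), sha256_hex(depump(pumped)))
```

Hash the depumped output rather than the file as downloaded when comparing against the “depumped” entries in the IOC list; the pumped hash changes whenever the operator alters the padding length, the depumped one does not.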
.rar
Pure Land Metaverse Alpha.rar can be extracted with the password “pureland2023”. It contains a folder with several decoy files meant to look like game assets, plus an executable, Pure Land Launcher v1.4.exe.
This is the same pumped payload the dropper retrieves, and it is still RedLine Stealer with the same configuration.
For the 3/7/2023 rar download, the extracted pumped executable likewise matches the one served after the latest change to the paste.
.pkg
This one surprised me; I was not expecting to encounter malware designed for macOS.
PureLand Launcher.pkg delivers a straightforward, previously unidentified stealer. The Mach-O binary inside is named “Installer”; separate x86_64 and ARM64 Mach-O slices are listed in the IOCs.
After installation, the application prompts for the user's password to access “Chrome Safe Storage”, the Keychain item that protects Chrome's saved credentials. A game launcher has no reason to ask for this, and the prompt alone should be a red flag.
Based on the network requests, it sends a POST request to the following:
http://193.168.141[.]107:8888/serialinfo
http://193.168.141[.]107:8888/
http://193.168.141[.]107:8888/lastroute
http://193.168.141[.]107:8888/serialinfo receives the device's hardware details. The request carries an “Expect: 100-continue” header, so the client waits for the server to accept the headers before sending the body. The response body is an MD5 hash, which the stealer uses from then on as the identifier in the names of the files it uploads.
http://193.168.141[.]107:8888/ receives the remaining files containing the targeted data; in these uploads the initial hexid is replaced by the MD5 hash returned by /serialinfo.
The upload carrying the Chrome passwords is sent without the ‘Expect’ header, while the uploads after it carry the header again.
Once all available data has been exfiltrated, the stealer POSTs to http://193.168.141[.]107:8888/lastroute with its configuration, the MD5 hash returned by /serialinfo, and the device's username. This request also lacks the ‘Expect’ header.
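The following Python is an added example, not part of the original write-up and not code from the sample. It turns the beacon pattern described above into a detection over HTTP request records: it looks for a client that POSTs to /serialinfo and later to /lastroute on the same server, counts the uploads to / in between, and records the header quirk (Expect on /serialinfo, absent on /lastroute). It matches on the path sequence rather than on the C2 address, so it generalizes past the 193.168.141[.]107:8888 server seen here. The log records are constructed for the demo, not a capture from the sample, and the field names are an assumption about the proxy or Zeek-style log they would be parsed from.

```python
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    ts: float          # epoch seconds
    src: str           # client IP
    dst: str           # "ip:port" of the server
    method: str
    uri: str
    headers: dict = field(default_factory=dict)


def has_expect_continue(req: HttpRequest) -> bool:
    return any(k.lower() == "expect" and v.strip().lower() == "100-continue"
               for k, v in req.headers.items())


def find_stealer_sessions(reqs, window: float = 600.0):
    """Group POSTs by (src, dst) and return one alert per pair that performs
    /serialinfo -> uploads to / -> /lastroute within `window` seconds.
    The C2 IP is deliberately not part of the match."""
    by_pair = {}
    for r in sorted(reqs, key=lambda r: r.ts):
        if r.method.upper() == "POST":
            by_pair.setdefault((r.src, r.dst), []).append(r)

    alerts = []
    for (src, dst), seq in by_pair.items():
        serial = [r for r in seq if r.uri == "/serialinfo"]
        last = [r for r in seq if r.uri == "/lastroute"]
        if not serial or not last:
            continue
        first_ts, last_ts = serial[0].ts, last[-1].ts
        if not (0 <= last_ts - first_ts <= window):
            continue
        uploads = [r for r in seq if r.uri == "/" and first_ts < r.ts < last_ts]
        alerts.append({
            "src": src,
            "dst": dst,
            "uploads": len(uploads),
            # Header quirk seen in the sample: Expect on /serialinfo, none on /lastroute.
            "expect_pattern": has_expect_continue(serial[0]) and not has_expect_continue(last[-1]),
            "duration": last_ts - first_ts,
        })
    return alerts


# Constructed sample traffic for the demo; not a capture from the sample.
C2 = "193.168.141.107:8888"
SAMPLE_LOG = [
    HttpRequest(100.0, "10.0.0.5", C2, "POST", "/serialinfo", {"Expect": "100-continue"}),
    HttpRequest(101.0, "10.0.0.5", C2, "POST", "/", {"Expect": "100-continue"}),
    HttpRequest(102.0, "10.0.0.5", C2, "POST", "/", {}),   # Chrome password upload, no Expect
    HttpRequest(103.0, "10.0.0.5", C2, "POST", "/", {"Expect": "100-continue"}),
    HttpRequest(104.0, "10.0.0.5", C2, "POST", "/lastroute", {}),
    # benign noise: another host posting to an unrelated service
    HttpRequest(105.0, "10.0.0.6", "203.0.113.10:443", "POST", "/", {}),
    # a lone GET to /serialinfo does not complete the sequence
    HttpRequest(106.0, "10.0.0.7", "198.51.100.7:8888", "GET", "/serialinfo", {}),
]

if __name__ == "__main__":
    for alert in find_stealer_sessions(SAMPLE_LOG):
        print(alert)
```

The path names alone are generic enough to appear in benign traffic, so treat a hit as a hunting lead and confirm with the header pattern, the non-standard port and the upload count before paging anyone.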
The notable details in the traffic are the following:
With no attribution to already-named info stealers, I noticed something that got me wondering:
/.dkdbsqtl/vakkdsr
Perhaps we can name this Vakksdr Stealer…
After I uploaded the sample to MalwareBazaar, Daniel Stinson (shellcromancer) took a look at it and created a YARA rule. It is interesting to see that:
“/.dkdbsqtl/vakkdsr” is an Electrum path of the malware author
The code used to steal Zoom and document files is unused
The PureLand GitHub repository
Since the dropper retrieves the final payload from a GitHub repository, I decided to check it as well.
The “PURELANDMETAVERSE” GitHub account has only one repository, which is named “PureLand”.
The first commit was made on Jan 26, 2023, 12:03 PM EST.
Earlier commits use the same RedLine Stealer C&C with different botnet IDs, except for a few…
Notable commits
b1b9450984be000006f0970c9fe4bf8d439d1dc7 on Jan 26, 2023, 12:06 PM EST
3852dfa400842b440e5700436f2a3eb25dfbee8e on Jan 26, 2023, 3:24 PM EST
Both:
have the same file name and type, pureland.7z
can be extracted with the password “pureland”
contain the same pumped executable
carry the same RedLine Stealer configuration (C&C: 167.235.233[.]35:16621 | botnet ID: 5hr)
A victim’s experience
One user who goes by the handle “Pineconebob” fell for this scheme on February 20, 2023.
Satomi promised rewards such as “an NFT worth 0.5 ETH, a token, and special roles in the Discord server” in exchange for testing the game.
Based on the access code list given earlier, the worker behind this is “Aizik (сучка) ✨”. Pineconebob was given the archive (rar) file, hence the password “pureland2023” being mentioned.
After Pineconebob ran the file, the Twitter account was taken over immediately, along with ~3.95326666906377 ETH (~$6,127.05) worth of assets.
The funds were laundered through an exchange a few days later. The wallet used for the laundering has been doing so since January 25, 2023, via another exchange.
IOCs
d1f207efb0f7c011938994d47e8c4b40bc38a112f002281ff08510a6d35d3f59 | Pure Land Launcher v1.2.exe | dropper
30e7e8b04fbdd2e6a0abb502d6308c67fc0c42549f05e89198bd2ac0c719334b | pureland.7z |
6cc3f1d076d8c44fb55dfa11c94936fba23153c72402d0ff83733258e7c425c2 | pureland.7z |
de57a7a49d78ccab0c875e193e5e4949a87e394bda3bb1fe950c724ef78f6f73 | pureland.exe / Pure Land Launcher v1.4.exe |
b9fc13ce9933a6b09f4d458d876b1dffc29d9f07a6d3c986d29c772207043c05 | pureland.exe / Pure Land Launcher v1.4.exe | depumped
48680a6a919a53dfb5eb47a798a9d8135601179630e6308023f30e1f9b13301d | pureland.exe / Pure Land Launcher v1.4.exe | 3-7-2023
08ed972fb6d88ef000b2825e2818810b282507ec90dcc406fa5999f507a71fc8 | pureland.exe / Pure Land Launcher v1.4.exe | depumped 3-7-2023
b933051320a7749c3ca109ecdf4a93e3376e2ba916e0ec9fc9b99e5ce9762669 | Pure Land Metaverse Alpha.rar |
54e7f557a38a4e034e32b36f1311fe0288fa2ad2e1b2434af23a5e0ec4f86e7f | Pure Land Metaverse Alpha.rar | 3-7-2023
92df7deea6b7d758f0c0a60a87c68de90e40fa07b3e261bebe7a5a48541656e5 | PureLand Metaverse.rar |
f2a55c47f500efa4bb1b41487cf512c38b0f7438ed955656cceb51a2c11c2d6a | pureland.7z | has the Herobots logo | commit b1b9450984be000006f0970c9fe4bf8d439d1dc7
28fd5ed9fb22c273cecc6c79f009d8ecf2358dfc472cde89f8d169b3e1c55a93 | pureland.7z | has the Herobots logo | commit 3852dfa400842b440e5700436f2a3eb25dfbee8e
7ce78fb87ca8d2691f753907b64147f0de94b236b0e0fbaccf40f2ecbe15cb23 | pureland.exe | has the Herobots logo
f4ae47d0f97a500401a1e5a068dbab57dfbd9cdf0ffebae6e730e5cc3226fc2e | pureland.exe | has the Herobots logo - depumped
845ef90acc34abfce89e3e630265f23c03581918d30256c9e3c3d65250464933 | PureLand Launcher.pkg |
82633f6fec78560d657f6eda76d11a57c5747030847b3bc14766cec7d33d42be | Installer - MachO |
24ace87331051d7d2d83bb9a89781847f47b4c00789c19b5385fce94705c3c40 | X86_64-3 MachO |
0b9a3b00302faf3297b60fff0714f2db87245a613dcd9849645bffa7c4a3df9b | ARM64 MachO |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
thepureland[.]io | PureLand's domain |
162.55.188[.]117:48958 | C&C of the RedLine Stealer |
167.235.233[.]5:16621 | C&C of the RedLine Stealer |
http://193.168.141[.]107:8888/ | C&C of the unknown stealer for macOS |
http://193.168.141[.]107:8888/serialinfo | C&C of the unknown stealer for macOS |
http://193.168.141[.]107:8888/lastroute | C&C of the unknown stealer for macOS |
https://pastebin[.]com/raw/kVdwKAw1 | Used by the dropper |
https://github[.]com/PURELANDMETAVERSE/PureLand/raw/main/pureland.7z | Used by the dropper |
https://www[.]dropbox[.]com/s/o4qz90bszeogxx0/pureland[.]7z?dl=1 | Used by the dropper |
https://www.dropbox[.]com/s/mm19o7njoz6hnof/Pure%20Land%20Launcher%20v1.2.exe?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/uoo1asrasxisvcl/Pure%20Land%20Metaverse%20Alpha.rar?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/lykqsmwaa1fiyyq/Pure%20Land%20Metaverse%20Alpha.rar?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/o72q3itfi18zway/Pure%20Land%20Metaverse%20Alpha.rar?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/3yivn8j36ramnvg/Pure%20Land%20Launcher.pkg?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/tmfj1iemicvu6t0/PureLand%20Launcher.pkg?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/6k2o43warkry407/Pure%20Land%20Launcher%20v1.2.exe?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/jyzj2wqlbnbozy3/PureLand%20Metaverse.rar?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/1qo9cozv8srnx2x/PureLand%20Launcher.pkg?dl=1 | Used on PureLand's domain |
https://www[.]dropbox[.]com/s/gjr4w5x6g9m02r1/Pure%20Land%20Launcher%20v1[.]2[.]exe?dl=1 | Used on PureLand's domain |
https://www[.]dropbox[.]com/s/37vvqyjx6qi43ex/PureLand%20Launcher[.]pkg?dl=1 | Used on PureLand's domain |
https://www[.]dropbox[.]com/s/er04c2iqhnhdgq8/Pure%20Land%20Metaverse%20Alpha[.]rar?dl=1 | Used on PureLand's domain |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
0xf306b067d9134564834b462155a5aafeb92e31db | related to Pineconebob's stolen assets
0x865ad78e7ef4193620946e0f23f2d63e3de80c22 | related to Pineconebob's stolen assets
0xb06cfd307e722aef7f6b7fff2e55d84f83631e34 | related to Pineconebob's stolen assets
0xc545efe5ef145ccddfba81a7accacf163e405aa4 | related to Pineconebob's stolen assets
0x9ce0daa2e8ef74c229f93362557ff2b922f45104 | related to Pineconebob's stolen assets
As in similar schemes, the fake project uses several alt accounts to feign support and lure other users.
Tweets from alt accounts that support the fake project, while the other two are reports from users who were approached by the workers
Also, the real game is called Rune Teller (), as confirmed by these two users.
Pure Land’s OpenSea collection page and sales activity
Graph of the on-chain activities of the wallets related to the OpenSea wash trading and PULA ERC20 token
The landing page of the website
A form asking for the access code
Detect It Easy results for Pure Land Launcher v1.2.exe
checkUpdate() at index.js of the Electron application
“check-update” invoked by checkUpdate() and other functions at index.js of the Electron application
pureland.7z and the content: pureland.exe
Detect It Easy results of pureland.exe
Detect It Easy results of pureland.exe — 3/7/2023
Contents of Pure Land Metaverse Alpha.rar | taken before 3/7/2023
Detect It Easy results of pureland.exe | taken before 3/7/2023
Detect It Easy results for the Installer Mach-O binary
Prompt asking for the user’s password to access the “Chrome Safe Storage”. Ran using tria.ge:
HTTP connections to 193.168.141[.]107:8888
Request details to http://193.168.141[.]107:8888/serialinfo
Request details to http://193.168.141[.]107:8888/ | without the ‘Expect’ header
Request details to http://193.168.141[.]107:8888/ | with the ‘Expect’ header
Request details to http://193.168.141[.]107:8888/lastroute
ChatGPT’s response to what is papka. “The word “papka” is a common noun in several Slavic languages, including Russian, Ukrainian, and Belarusian. In Russian, “papka” (папка) means a folder, binder or portfolio used to store documents or papers.”
Detect It Easy strings results for the “Installer” MachO
History of commits for the PureLand repository
Detect It Easy results for the pureland.exe | commit 3852dfa400842b440e5700436f2a3eb25dfbee8e
And lastly, both have an icon that says “HEROBOTS OMENS OF HERO”. It is a copycat of a legitimate game called . A similar malware campaign, for which I shared the samples here:
Detect It Easy results for the pureland.exe | commit b1b9450984be000006f0970c9fe4bf8d439d1dc7 | with the Herobots icon
Pineconebob was approached by “Satomi See” () on Twitter via DM on the original account “bob461” (compromised and changed to “unknown22572294” — ).
The Twitter activity of “Satomi See” ()
Messages of “Satomi See” ()
Graph of the on-chain activities related to Pineconebob’s stolen assets
Samples related to “PureLand” can be retrieved here: