Last updated
On February 27, 2023, a “The Sandbox” employee was compromised, resulting in malspam being sent that introduced recipients to “PureLand”. It leads to RedLine Stealer and an unknown stealer for macOS.
Let’s take a closer look at this “PureLand”…
A Medium article version can be read here:
The OpenSea collection has several sales, which were wash trades intended to mislead people.
Visiting https://thepureland[.]io/ auto-redirects you to https://thepureland[.]io/metaverse/, which shows the following landing page:
To make it look more realistic with a feeling of game testing, an access code is required to download the file.
There are several access codes with the respective worker and file type.
To notify the malicious actors that an access code was entered, a POST request is sent to https://thepureland[.]io/js/send[.]PHP with the following details:
There are three Dropbox links that give you:
an executable (.exe)
an archive (.rar)
and an installer package for macOS (.pkg) [worth mentioning that this was not added before March 1, 2023, based on public scans via URLscan]
Pure Land Launcher v1.2.exe is packed using NSIS (Nullsoft Scriptable Install System).
Running the executable file displays the following window
It is a dropper; once the “JOIN GAME” button is clicked, it invokes checkUpdate()
What happens here is that it retrieves a paste that has only a value of
Once pureland.7z is downloaded, it uses 7zr.exe and the password “pureland” to extract and get another executable file called pureland.exe.
The final executable file is pumped to 688.145872 MB and packed using Smart Assembly. It is RedLine Stealer, which connects to the C&C 162.55.188[.]117:48958 with the botnet ID 5pur.
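A file pumped to hundreds of megabytes is mostly filler appended so that the sample exceeds the size limits of sandboxes and scanners. The following triage heuristic is an added example (not code from the original post or from any of the tools it mentions): it walks a file in fixed windows, measures the Shannon entropy of each window, and reports how much of the file is low-entropy padding and how much of that padding sits at the tail. The window size, the entropy cut-off and the size threshold are assumptions to tune locally, and the sample file it analyses is constructed in a temporary directory rather than being the PureLand binary.

```python
import math
import os
import tempfile
from collections import Counter

CHUNK = 64 * 1024  # analysis window in bytes; an assumption, not from the post


def chunk_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte value, up to 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pump_report(path: str, low_entropy: float = 0.5) -> dict:
    """Walk the file window by window and measure how much of it is filler."""
    low = total = 0
    trailing_pad = 0  # bytes of contiguous filler at the very end of the file
    with open(path, "rb") as fh:
        while True:
            window = fh.read(CHUNK)
            if not window:
                break
            total += 1
            if chunk_entropy(window) < low_entropy:
                low += 1
                trailing_pad += len(window)
            else:
                trailing_pad = 0  # real content after this point resets the tail count
    return {
        "size_mb": os.path.getsize(path) / 1_000_000,
        "low_entropy_fraction": low / total if total else 0.0,
        "trailing_pad_bytes": trailing_pad,
    }


def is_likely_pumped(report: dict, min_size_mb: float = 100.0,
                     min_low_fraction: float = 0.5) -> bool:
    """A large file whose bulk is filler. Both thresholds are assumptions."""
    return (report["size_mb"] >= min_size_mb
            and report["low_entropy_fraction"] >= min_low_fraction)


def write_constructed_sample(path: str, pad_windows: int = 8) -> None:
    """Constructed stand-in for a pumped binary: one random window of 'code', then zero filler."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(CHUNK))
        fh.write(b"\x00" * (CHUNK * pad_windows))


def analyze_constructed_sample(pad_windows: int = 8) -> dict:
    """Build the constructed sample in a temp directory and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        write_constructed_sample(sample, pad_windows)
        return pump_report(sample)


if __name__ == "__main__":
    rep = analyze_constructed_sample()
    print(rep)
    # The constructed file is tiny, so only a zeroed size threshold flags it.
    print("likely pumped:", is_likely_pumped(rep, min_size_mb=0))
```

On a real sample, run `pump_report` on the file and keep the default size threshold; a low-entropy fraction near 1.0 together with a large `trailing_pad_bytes` is the signature of an overlay-padded binary, and the real payload is the small high-entropy prefix in front of it.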
-3/7/2023 change-
The paste was edited on March 7, 2023, 09:02:48 AM CDT. It now points to
The extracted pumped executable file is the same as the commit f973a65a46e8cb0f7b491d5aca81f459eb5b7a12 on the GitHub repo. It is still a RedLine Stealer with the same configuration as above
Pure Land Metaverse Alpha.rar can be extracted using the password “pureland2023”. It contains a folder with several files meant to deceive the user into thinking that it contains the game files, and also an executable file: Pure Land Launcher v1.4.exe
The same pumped file as the dropper’s payload was used. And yes, it is still RedLine Stealer with the same configuration.
For the 3/7/2023 rar download link, the extracted pumped executable file is the same as the one from the latest change to the paste as well.
This one surprised me; I was not expecting to encounter malware designed for macOS.
PureLand Launcher.pkg is a straightforward unknown stealer. The Mach-O binary’s name is “Installer”.
After installing and running the application, it asked for a password to access the “Chrome Safe Storage”. That alone should be a red flag for the user when trying to run it.
Based on the network requests, it sends a POST request to the following:
http://193.168.141[.]107:8888/serialinfo
http://193.168.141[.]107:8888/
http://193.168.141[.]107:8888/lastroute
http://193.168.141[.]107:8888/serialinfo is for the exfiltration of the user’s hardware details. The request carries an “Expect: 100-continue” header, so the client waits for the server’s interim response before deciding whether to send the request body. The response is an MD5 hash of the text file name.
http://193.168.141[.]107:8888/ is used to send the other files that contain the target data. The hexid field is now replaced with the MD5 hash returned by the /serialinfo request.
For some reason, the request that exfiltrates the Chrome passwords doesn’t have the ‘Expect’ header:
Then afterward, the ‘Expect’ header is present again:
After all of the available target data is exfiltrated, http://193.168.141[.]107:8888/lastroute is used to send the stealer’s configuration, the MD5 hash (returned earlier by /serialinfo), and the username of the device. Again, for some reason, this request doesn’t have the ‘Expect’ header.
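The three-request sequence above (/serialinfo, then one or more uploads to /, then /lastroute, all to the same host on port 8888) is a more durable detection signal than the server address alone, since the C&C addresses in this campaign changed between commits. The script below is an added example, not code from the original post: it parses a constructed, whitespace-separated proxy-style log (the format and every line in it are made up for illustration; `-` marks an absent Expect header), flags connections to the C&C addresses listed in this analysis, and separately flags any client that walks the full exfiltration sequence against any server, recording which POSTs lacked the `Expect: 100-continue` header.

```python
from collections import defaultdict

# Indicators taken from the analysis above: (address, port).
KNOWN_C2 = {
    ("193.168.141.107", 8888),  # macOS stealer exfiltration server
    ("162.55.188.117", 48958),  # RedLine Stealer C&C, botnet ID 5pur
    ("167.235.233.35", 16621),  # RedLine Stealer C&C in the earlier commits, botnet ID 5hr
}

# Ordered URIs of the macOS stealer's exfiltration flow as described above.
EXFIL_SEQUENCE = ["/serialinfo", "/", "/lastroute"]

# Constructed sample log (not real traffic): ts src dst dport method uri expect
SAMPLE_LOG = """\
# ts                   src       dst              dport method uri         expect
2023-03-01T10:00:01Z   10.0.0.5  193.168.141.107  8888  POST   /serialinfo 100-continue
2023-03-01T10:00:02Z   10.0.0.5  193.168.141.107  8888  POST   /           -
2023-03-01T10:00:03Z   10.0.0.5  193.168.141.107  8888  POST   /           100-continue
2023-03-01T10:00:04Z   10.0.0.5  193.168.141.107  8888  POST   /lastroute  -
2023-03-01T10:05:00Z   10.0.0.7  203.0.113.9      443   GET    /index.html -
2023-03-01T10:06:10Z   10.0.0.8  198.51.100.23    8888  POST   /serialinfo 100-continue
2023-03-01T10:06:11Z   10.0.0.8  198.51.100.23    8888  POST   /           -
2023-03-01T10:06:12Z   10.0.0.8  198.51.100.23    8888  POST   /lastroute  -
2023-03-01T10:09:00Z   10.0.0.9  203.0.113.9      8888  POST   /serialinfo -
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, method, uri, expect = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "port": int(dport),
                        "method": method, "uri": uri,
                        "expect": "" if expect == "-" else expect})
    return records


def matches_sequence(uris: list, sequence: list) -> bool:
    """True if `sequence` occurs in order (not necessarily contiguously) within `uris`."""
    it = iter(uris)
    return all(any(u == step for u in it) for step in sequence)


def detect(records: list) -> list:
    """Return IoC hits (one per client/server pair) and behavioural sequence hits."""
    alerts = []
    seen_ioc = set()
    flows = defaultdict(list)  # (src, dst, port) -> POST records
    for r in records:
        key = (r["src"], r["dst"], r["port"])
        if (r["dst"], r["port"]) in KNOWN_C2 and key not in seen_ioc:
            seen_ioc.add(key)
            alerts.append({"type": "ioc", "src": r["src"],
                           "dst": f'{r["dst"]}:{r["port"]}', "first_seen": r["ts"]})
        if r["method"] == "POST":
            flows[key].append(r)
    for (src, dst, port), posts in flows.items():
        posts.sort(key=lambda p: p["ts"])
        if matches_sequence([p["uri"] for p in posts], EXFIL_SEQUENCE):
            alerts.append({"type": "behavior", "src": src, "dst": f"{dst}:{port}",
                           "posts": len(posts),
                           "posts_without_expect": [p["uri"] for p in posts
                                                    if p["expect"] != "100-continue"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the constructed log, 10.0.0.5 produces both an IoC hit and a behavioural hit, 10.0.0.8 talks to a server that is not on the indicator list and is caught only by the sequence rule, and 10.0.0.9 sends a lone /serialinfo and is not flagged, which keeps the rule from firing on a single ambiguous request.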
The notable details in the traffic are the following:
What’s papka? Let’s ask ChatGPT…
Oh, that makes sense. The list that I shared earlier started with only one “worker” for this file, which is “На дознании 🔎” (On inquiry 🔎).
Let’s take a look at the strings to get an idea of what the “Installer” MachO does
These are the notable function names
And targets
With the sample not attributable to any already-named info stealer out there, I noticed something that got me wondering
Perhaps, we can name this as Vakksdr Stealer…
As I’ve already uploaded the sample to MalwareBazaar, Daniel Stinson (shellcromancer) took a look at the sample and created a YARA rule. It is interesting to see that:
“/.dkdbsqtl/vakkdsr” is an Electrum path of the malware author
The code used to steal Zoom and document files is unused
Since the dropper earlier retrieves the final payload in a GitHub repository, I decided to check it as well.
The “PURELANDMETAVERSE” GitHub account has only one repository, which is named “PureLand”.
Based on the commits, the first was on Jan 26, 2023, 12:03 PM EST
The past commits have the same C&C for the RedLine Stealer with different botnet IDs, except for a few…
b1b9450984be000006f0970c9fe4bf8d439d1dc7 on Jan 26, 2023, 12:06 PM EST
3852dfa400842b440e5700436f2a3eb25dfbee8e on Jan 26, 2023, 3:24 PM EST
Both:
have the same file name and type, which is pureland.7z
can be extracted using the password “pureland”
contain the same pumped executable
have the same RedLine Stealer configuration (C&C: 167.235.233[.]35:16621 | botnet ID: 5hr)
One user who goes by the handle “Pineconebob” fell for this scheme on February 20, 2023.
Satomi promised rewards such as “an NFT worth 0.5 ETH, a token, and special roles in the Discord server” in exchange for testing the game.
Based on the access code list that was given earlier, the worker behind this is “Aizik (сучка) ✨”. Pineconebob was given an archive (rar) file; hence the password “pureland2023” was mentioned.
After Pineconebob ran the file, the Twitter account was immediately taken over, along with ~3.95326666906377 ETH (~$6,127.05) worth of assets.
It was then laundered on an exchange after a few days. The wallet responsible for laundering has been doing this since January 25, 2023, with another exchange.
The end.
Twitter: (1431291438248210441)
Linktree: https://linktr[.]ee/purelandmetaverse
Gitbook:
OpenSea collection:
Discord: https://discord[.]gg/pureland
Medium:
PULA ERC20 token: 0xf4FB0e69B3f1322971C813C18B1ffF4dD4872ca3
Domain: thepureland[.]io
As with the findings above, the fake project has several alt accounts to feign support and lure other users.
Also, the real game is called Rune Teller (), as confirmed by these two users.
And lastly, both use an icon that says “HEROBOTS OMENS OF HERO”. It is a copycat of a legitimate game called . This is similar to a malware campaign for which I shared the samples here:
Pineconebob was approached by “Satomi See” () on Twitter via DM on the original account “bob461” (compromised and changed to “unknown22572294” — ).
Samples related to “PureLand” can be retrieved here:
Chainabuse report:
Twitter: