
PureLand - A Fake Project Related to the Sandbox malspam

On February 27, 2023, a “The Sandbox” employee’s account was compromised and used to send malspam that pointed recipients to “PureLand”. The lure leads to RedLine Stealer on Windows and to a previously unidentified stealer on macOS.

Let’s take a closer look at this “PureLand”…

A Medium article version can be read here: https://iamdeadlyz.medium.com/pureland-a-fake-project-related-to-the-sandbox-malspam-13b9abe751d1


Details of “PureLand”

  • Twitter: https://twitter.com/PureMetaLand (1431291438248210441)

  • Linktree: https://linktr[.]ee/purelandmetaverse

  • Gitbook: https://pure-land.gitbook.io/pureland/

  • OpenSea collection: https://opensea.io/collection/pureland

  • Discord: https://discord[.]gg/pureland

  • Medium: https://www.medium.com/@pure-land

  • PULA ERC20 token: 0xf4FB0e69B3f1322971C813C18B1ffF4dD4872ca3

  • Domain: thepureland[.]io

Similar to the Cthulhu World findings, the fake project runs several alt accounts that show support for it and lure other users.

Tweets from alt accounts that support the fake project, while the other two are reports from users who were approached by the workers

The game being shown off is actually Rune Teller (https://store.steampowered.com/app/1944360/Rune_Teller/), as confirmed by these two users.

The OpenSea collection shows several sales, but these were wash trades meant to make the project look legitimate.

Pure Land’s OpenSea collection page and sales activity
Graph of the on-chain activities of the wallets related to the OpenSea wash trading and PULA ERC20 token

The website

Visiting https://thepureland[.]io/ redirects you to https://thepureland[.]io/metaverse/, which serves this landing page:

The landing page of the website

To make it feel like a closed game test, an access code is required before the download is offered.

A form asking for the access code

There are several access codes, each tied to a specific “worker” and to the file type that worker hands out.

To notify the malicious actors that an access code was entered, a POST request is sent to https://thepureland[.]io/js/send[.]PHP with the following details:


The files

There are three Dropbox links that give you:

  • an executable (.exe)

  • an archive (.rar)

  • and an installer package for macOS (.pkg); worth mentioning that this one was not present before March 1, 2023, based on public URLscan scans

.exe

Pure Land Launcher v1.2.exe is packed using NSIS (Nullsoft Scriptable Install System).

Detect It Easy results for Pure Land Launcher v1.2.exe

Running the executable displays the following window:

It is a dropper; once the “JOIN GAME” button is clicked, it invokes checkUpdate().

checkUpdate() at index.js of the Electron application
“check-update” invoked by checkUpdate() and other functions at index.js of the Electron application

What happens here is that checkUpdate() retrieves a paste

that contains only the following value:

Once pureland.7z is downloaded, the dropper uses 7zr.exe with the password “pureland” to extract it, yielding another executable: pureland.exe.

pureland.7z and the content: pureland.exe

The final executable is pumped to 688.145872 MB (padding that pushes it past the upload limits of many scanners and sandboxes) and obfuscated with SmartAssembly. It is RedLine Stealer, configured to connect to the C&C at 162.55.188[.]117:48958 with botnet ID 5pur.

Detect It Easy results of pureland.exe
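A pumped sample like this one is easy to spot once you look at the PE overlay, the bytes past the end of the last section. The script below is an added example written for this post, not code from the original write-up or from the malware: it parses the section table, measures the overlay, and flags the file as pumped when the overlay is large and near-zero entropy. build_sample_pe() is a constructed, synthetic PE used only to exercise the check, and the thresholds (32 MiB of overlay, entropy at or below 1.0) are assumptions you should tune.

```python
import math
import struct
import sys
from collections import Counter
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input or a single repeated byte)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_end_of_sections(buf: bytes) -> Optional[int]:
    """File offset where the last section's raw data ends, or None if buf is not a PE."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    end = table + 40 * num_sections            # never shorter than the headers themselves
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, off + 16)   # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end


def analyse_overlay(buf: bytes, min_overlay: int = 32 << 20,
                    max_entropy: float = 1.0, sample: int = 1 << 20) -> dict:
    """Report overlay size and entropy and decide whether the file looks pumped.

    Thresholds are assumptions: a pumped file usually carries tens to hundreds of
    MB of overlay made of one repeated byte (entropy ~0), whereas a legitimate
    overlay (e.g. an NSIS installer's payload) is compressed and high-entropy.
    """
    end = pe_end_of_sections(buf)
    if end is None:
        return {"is_pe": False, "file_size": len(buf), "sections_end": None,
                "overlay_len": 0, "overlay_entropy": 0.0, "pumped": False}
    overlay_len = max(0, len(buf) - end)
    # Sample the head and tail of the overlay; a pump is uniform, so this is enough.
    head = buf[end:end + sample]
    tail = buf[max(end, len(buf) - sample):]
    entropy = shannon_entropy(head + tail) if overlay_len else 0.0
    return {"is_pe": True, "file_size": len(buf), "sections_end": end,
            "overlay_len": overlay_len, "overlay_entropy": entropy,
            "pumped": overlay_len >= min_overlay and entropy <= max_entropy}


def strip_overlay(buf: bytes) -> bytes:
    """Drop the overlay to get a smaller artifact for tools with upload limits.

    Hash the ORIGINAL file for IOC sharing; the stripped copy has a different hash.
    """
    end = pe_end_of_sections(buf)
    return buf if end is None else buf[:end]


def build_sample_pe(padding: int) -> bytes:
    """Constructed minimal PE-shaped file: headers, one 0x200-byte section, then `padding` zero bytes."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = 0x200
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/lines (0), Characteristics
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + opt + sect
    hdr += b"\0" * (raw_ptr - len(hdr))
    code = bytes(range(256)) * 2               # 0x200 bytes of high-entropy "code"
    return hdr + code + b"\0" * padding


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = analyse_overlay(open(sys.argv[1], "rb").read())
    else:   # no file given: run against the constructed 5 MiB pump with a lowered threshold
        report = analyse_overlay(build_sample_pe(5 << 20), min_overlay=1 << 20)
    for key, value in report.items():
        print(f"{key:16}{value}")
```

Two caveats when using this on the PureLand chain: the dropper itself is an NSIS installer, whose large overlay is its real compressed payload and will not trip the entropy test, and the hash that MalwareBazaar and this post reference is that of the full pumped pureland.exe, so never submit or share the hash of the stripped copy as the IOC.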

-3/7/2023 change-

The paste was edited on March 7, 2023, 09:02:48 AM CDT. It now points to

The extracted pumped executable is identical to the one in commit f973a65a46e8cb0f7b491d5aca81f459eb5b7a12 of the GitHub repo. It is still RedLine Stealer with the same configuration as above.

Detect It Easy results of pureland.exe — 3/7/2023

.rar

Pure Land Metaverse Alpha.rar can be extracted with the password “pureland2023”. It contains a folder with several decoy files meant to make the user think it holds the game files, plus an executable: Pure Land Launcher v1.4.exe.

Contents of Pure Land Metaverse Alpha.rar | taken before 3/7/2023

This dropper ends up with the same pumped file as the .exe download, and yes, it is still RedLine Stealer with the same configuration.

Detect It Easy results of pureland.exe | taken before 3/7/2023

For the rar download link as of 3/7/2023, the extracted pumped executable likewise matches the payload from the latest change to the paste.

.pkg

This one surprised me; I was not expecting to encounter malware designed for macOS.

PureLand Launcher.pkg delivers a straightforward but previously unidentified stealer. The Mach-O binary inside is named “Installer”.

Detect It Easy results for the Installer Mach-O binary

After installation and launch, the application prompts for the user’s password to access “Chrome Safe Storage”, the Keychain item that holds the key Chrome uses to encrypt its saved passwords and cookies. That prompt alone should be a red flag to anyone running it.

Prompt asking for the user’s password to access the “Chrome Safe Storage”. Ran using tria.ge: https://tria.ge/230303-j6lsmagg34/behavioral1

Based on the captured network requests, it sends POST requests to the following endpoints:

  1. http://193.168.141[.]107:8888/serialinfo

  2. http://193.168.141[.]107:8888/

  3. http://193.168.141[.]107:8888/lastroute

HTTP connections to 193.168.141[.]107:8888

http://193.168.141[.]107:8888/serialinfo receives the victim’s hardware details. The request carries an “Expect: 100-continue” header, so the client waits for the server’s interim response before sending the body. The server responds with an MD5 hash of the text file name.

Request details to http://193.168.141[.]107:8888/serialinfo

http://193.168.141[.]107:8888/ receives the other files that hold the stolen data. In these requests the hexid field is replaced with the MD5 hash returned by /serialinfo.

Oddly, the request that exfiltrates the Chrome passwords lacks the ‘Expect’ header.

Request details to http://193.168.141[.]107:8888/ | without the ‘Expect’ header

The requests that follow carry the ‘Expect’ header again.

Request details to http://193.168.141[.]107:8888/ | with the ‘Expect’ header

After all available target data has been exfiltrated, http://193.168.141[.]107:8888/lastroute receives the stealer’s configuration, the MD5 hash returned earlier by /serialinfo, and the device’s username. Once again, this request lacks the ‘Expect’ header.

Request details to http://193.168.141[.]107:8888/lastroute
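The three-stage sequence described above (a POST to /serialinfo, one or more POSTs to /, then a POST to /lastroute, all to the same host and port) is regular enough to hunt for in proxy or Zeek HTTP logs. The script below is an added example written for this post, not code from the author or from the malware: it flags flows that reach the C&C named in this write-up and, independently, flows that show the same staged sequence to any host. The JSON-lines records are a constructed subset of Zeek http.log fields, and every address other than the C&C is a documentation-range placeholder.

```python
import json
from collections import defaultdict

# C&C observed in the write-up (defanged in the text as 193.168.141[.]107:8888).
STEALER_C2 = ("193.168.141.107", 8888)
# Exfiltration stages, in the order the implant uses them.
FIRST, BULK, LAST = "/serialinfo", "/", "/lastroute"

# Constructed sample: a subset of Zeek http.log fields as JSON lines.
# 10.0.0.5 shows the full staged pattern to the known C&C, 10.0.0.9 shows the
# same pattern to an unknown host (198.51.100.23), and 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """
{"ts": 1677826000.1, "id.orig_h": "10.0.0.5", "id.resp_h": "193.168.141.107", "id.resp_p": 8888, "method": "POST", "uri": "/serialinfo", "request_body_len": 412}
{"ts": 1677826001.4, "id.orig_h": "10.0.0.5", "id.resp_h": "193.168.141.107", "id.resp_p": 8888, "method": "POST", "uri": "/", "request_body_len": 18330}
{"ts": 1677826002.0, "id.orig_h": "10.0.0.5", "id.resp_h": "193.168.141.107", "id.resp_p": 8888, "method": "POST", "uri": "/", "request_body_len": 2210}
{"ts": 1677826003.7, "id.orig_h": "10.0.0.5", "id.resp_h": "193.168.141.107", "id.resp_p": 8888, "method": "POST", "uri": "/lastroute", "request_body_len": 96}
{"ts": 1677826010.0, "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.10", "id.resp_p": 80, "method": "GET", "uri": "/", "request_body_len": 0}
{"ts": 1677826020.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.23", "id.resp_p": 8888, "method": "POST", "uri": "/serialinfo", "request_body_len": 400}
{"ts": 1677826021.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.23", "id.resp_p": 8888, "method": "POST", "uri": "/", "request_body_len": 5000}
{"ts": 1677826022.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.23", "id.resp_p": 8888, "method": "POST", "uri": "/lastroute", "request_body_len": 90}
"""


def parse_zeek_http_json(text: str) -> list:
    """Parse JSON-lines http.log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_staged_exfil(uris: list) -> bool:
    """True when the POST sequence is /serialinfo, one or more /, then /lastroute."""
    return (len(uris) >= 3 and uris[0] == FIRST and uris[-1] == LAST
            and all(u == BULK for u in uris[1:-1]))


def find_stealer_flows(records: list) -> list:
    """Group requests per (client, server, port) and flag IOC hits and staged-exfil flows."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(r)
    findings = []
    for (src, dst, port), reqs in flows.items():
        reqs.sort(key=lambda r: r["ts"])                # order the stages by time
        posts = [r for r in reqs if r.get("method") == "POST"]
        uris = [r["uri"] for r in posts]
        reasons = []
        if (dst, port) == STEALER_C2:
            reasons.append("known C2")
        if is_staged_exfil(uris):
            reasons.append("staged exfil pattern")
        if reasons:
            findings.append({
                "src": src, "dst": f"{dst}:{port}", "reasons": reasons, "uris": uris,
                "bytes_out": sum(int(r.get("request_body_len", 0)) for r in posts),
            })
    return findings


if __name__ == "__main__":
    for finding in find_stealer_flows(parse_zeek_http_json(SAMPLE_LOG)):
        print(finding)
```

Zeek’s default http.log does not record the Expect header, so the 100-continue quirk is not used here; if you keep full request headers (a proxy log or a pcap), a /serialinfo request carrying “Expect: 100-continue” followed by a bare POST to / on the same connection is a stronger signal than the path sequence alone.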

The notable details in the traffic are the following:

What’s papka? Let’s ask ChatGPT…

ChatGPT’s response to what is papka. “The word “papka” is a common noun in several Slavic languages, including Russian, Ukrainian, and Belarusian. In Russian, “papka” (папка) means a folder, binder or portfolio used to store documents or papers.”

Oh, that makes sense. The list that I shared earlier started with only one “worker” for this file, which is “На дознании 🔎” (On inquiry 🔎).

Let’s take a look at the strings to get an idea of what the “Installer” Mach-O does:

Detect It Easy strings results for the “Installer” MachO

These are the notable function names

And targets

With no match to any already named infostealer, I noticed something that got me wondering:

Perhaps we can name this Vakksdr Stealer…

Since I had already uploaded the sample to MalwareBazaar, Daniel Stinson (shellcromancer) took a look at it and wrote a YARA rule. It is interesting to see that:

  • “/.dkdbsqtl/vakkdsr” is an Electrum wallet path belonging to the malware author

  • the code for stealing Zoom data and document files is present but never invoked

The PureLand GitHub repository

Since the dropper earlier retrieves the final payload in a GitHub repository, I decided to check it as well.

The “PURELANDMETAVERSE” GitHub account has only one repository, named “PureLand”.

Based on the commit history, the first commit was on Jan 26, 2023, 12:03 PM EST.

History of commits for the PureLand repository

The earlier commits carry the same RedLine Stealer C&C with different botnet IDs, with a few exceptions…

Notable commits

  • b1b9450984be000006f0970c9fe4bf8d439d1dc7 on Jan 26, 2023, 12:06 PM EST

  • 3852dfa400842b440e5700436f2a3eb25dfbee8e on Jan 26, 2023, 3:24 PM EST

Both:

  • have the same file name and type, which is pureland.7z

  • can be accessed using the password “pureland”

  • contain the same pumped executable

Detect It Easy results for the pureland.exe | commit 3852dfa400842b440e5700436f2a3eb25dfbee8e
Detect It Easy results for the pureland.exe | commit b1b9450984be000006f0970c9fe4bf8d439d1dc7 | with the Herobots icon

A victim’s experience

One user who goes by the handle “Pineconebob” fell for this scheme on February 20, 2023.

Pineconebob was approached by “Satomi See” (2392847329) on Twitter via DM on the original account “bob461” (compromised and changed to “unknown22572294” — 159434882).

The Twitter activity of “Satomi See” (2392847329)

Satomi promised rewards such as “an NFT worth 0.5 ETH, a token, and special roles in the Discord server” in exchange for testing the game.

Messages of “Satomi See” (2392847329)

Based on the access code list given earlier, the worker behind this is “Aizik (сучка) ✨”. Pineconebob was given the archive (rar), which is why the password “pureland2023” comes up in the messages.

After Pineconebob ran the file, the Twitter account was taken over immediately, along with ~3.95326666906377 ETH (~$6,127.05) worth of assets.

Graph of the on-chain activities related to Pineconebob’s stolen assets

The funds were laundered through an exchange a few days later. The wallet that handled the laundering has been doing the same since January 25, 2023, via another exchange.


IOCs

Samples related to “PureLand” can be retrieved here: https://bazaar.abuse.ch/browse/tag/PureLand/


The end.

Chainabuse report: https://www.chainabuse.com/report/dc70be63-ff32-47f2-946f-0d4bf3b7b18f

Twitter: https://twitter.com/Iamdeadlyz
