
PureLogs Variant Exploits Purchase Order Scams to Steal Data


New Variant of PureLogs Infostealer Malware Uncovered in Phishing Scheme

A recent investigation by FortiGuard Labs has uncovered a sophisticated variant of the PureLogs infostealer malware, which is currently being disseminated through a wave of purchase-order-themed phishing emails. These deceptive emails employ a malicious JavaScript file that initiates a multi-stage infection chain targeting Windows systems, showcasing an alarming escalation in cyber threats.

The Mechanics of the Phishing Campaign

The phishing attack centers around a fabricated purchase order, crafted to get recipients to open the attachment. Each email carries an attached RAR archive that is made to look innocuous. The archive, however, conceals a malicious JavaScript file that starts the infection process.

FortiGuard Labs reported their findings, noting that the phishing emails were marked with the subject line “virus detected,” subsequently leading them to be blocked by FortiMail in the instances analyzed. This proactive measure by FortiMail highlights the necessity of robust email security systems in mitigating such threats.

Inside a controlled lab environment, analysts observed the execution sequence initiated by the JavaScript file. Once executed, the script decrypted PowerShell code, which was then written to a randomly named .ps1 file within the C:\Temp folder. The PowerShell script was launched in a way designed to avoid notice: with the execution policy bypassed, no profile loaded, and its window hidden from view.

The Role of PowerShell in the Infection

The PowerShell file written to C:\Temp contained Base64-encoded, encrypted data. Upon analysis, FortiGuard Labs found that the script first decoded the Base64 layer and then decrypted the result with an XOR-with-rotation routine. The resulting code ran as a fileless PowerShell script, illustrating modern malware's tendency to avoid writing payloads to disk in order to evade detection.

This script extracted two .NET modules into memory and used process hollowing to run them inside MsBuild.exe, a legitimate Windows process. Running under a trusted binary both camouflages the malware and reduces the chance that standard security measures flag it.

PureLogs: A Target on Sensitive Data

Once inside the victim's system, the injected .NET module accessed a downloader component embedded within it. This component decrypted the payload using the Data Encryption Standard (DES) before decompressing it directly in memory. The downloader then connected to a command-and-control (C2) server and requested a plugin module identified as a variant of PureLogs.

This PureLogs module is engineered specifically to harvest sensitive information from compromised systems. Once the data is collected, it is compressed, encrypted, and sent back to the C2 server. The types of sensitive information at risk from this malware are extensive and alarming.

Data Harvesting Capabilities

The data collected by PureLogs includes:

  • System Information and Screenshots: This provides attackers with a comprehensive view of the victim’s environment.
  • Clipboard Contents: Valuable information is often copied and pasted here, opening opportunities for theft of credentials.
  • Browser Credentials, Cookies, and Session Tokens: This access can lead to account takeovers.
  • Discord Authentication Data: The module scours for tokens providing unauthorized access.
  • Cryptocurrency Wallet Files and Keys: A target for malware due to the high value of cryptocurrency assets.
  • Credentials from Various Applications: This includes widely-used platforms such as Outlook, FileZilla, OpenVPN, and ProtonVPN, jeopardizing numerous accounts and services.

The PureLogs malware casts a wide net, targeting various web browsers including Google Chrome, Microsoft Edge, Brave, Opera, Yandex Browser, Mozilla Firefox, Waterfox, and LibreWolf. Each of these browsers holds unique credentials and user data, making them ripe for harvesting by cybercriminals.

Recommendations for Organizations

FortiGuard Labs has provided critical recommendations for organizations seeking to shield themselves from this multifaceted threat. These include enforcing strict email filtering protocols, limiting unnecessary script execution, and monitoring for anomalous PowerShell activities and process hollowing—tactics often employed by sophisticated malware attacks.
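One way to act on the monitoring recommendation, as an added example that is not FortiGuard's code: the detection logic below runs over constructed process-creation records and flags the behaviour the article describes (a script host launching PowerShell with the execution policy bypassed, no profile and a hidden window; a .ps1 run from C:\Temp; and MsBuild.exe started by PowerShell). The event shape, file name and sample records are assumptions made for illustration.

```python
# Added example, not the article's or FortiGuard's code. Event layout is assumed.
import re
from dataclasses import dataclass

# Launch options the article says the dropped .ps1 was run with (long and short forms).
SUSPICIOUS_PS_FLAGS = {
    "execution policy bypass": re.compile(r"-(?:executionpolicy|ep)\s+bypass", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}
TEMP_PS1 = re.compile(r"c:\\temp\\[^\\\s\"']+\.ps1", re.IGNORECASE)  # .ps1 under C:\Temp
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts that run a .js attachment

@dataclass
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # full command line

def ps_flag_hits(cmdline):
    """Names of the suspicious launch options present in cmdline."""
    return [name for name, rx in SUSPICIOUS_PS_FLAGS.items() if rx.search(cmdline)]

def classify(ev):
    """Findings for one event; an empty list means nothing was flagged."""
    findings = []
    img, parent = ev.image.lower(), ev.parent.lower()
    if img == "powershell.exe":
        hits = ps_flag_hits(ev.cmdline)
        if parent in SCRIPT_HOSTS and hits:
            findings.append("script host launched PowerShell with " + ", ".join(hits))
        if TEMP_PS1.search(ev.cmdline):
            findings.append("PowerShell ran a .ps1 from C:\\Temp")
    # PowerShell starting MsBuild.exe matches the hollowing host used in the chain.
    if img == "msbuild.exe" and parent == "powershell.exe":
        findings.append("MsBuild.exe spawned by PowerShell (possible process hollowing)")
    return findings

def scan(events):
    """(index, findings) for every event that raised at least one finding."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

# Constructed sample events: two benign launches, then the chain from the article.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -File C:\\Users\\a\\sync.ps1"),
    ProcEvent("devenv.exe", "MsBuild.exe", "MsBuild.exe project.csproj"),
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\\Temp\\kq8x2a.ps1"),
    ProcEvent("powershell.exe", "MsBuild.exe", "MsBuild.exe"),
]
```

Only the last two sample events are flagged; the benign admin script and the Visual Studio build are left alone because the rules require the parent/child pairing the article describes, not just the presence of PowerShell or MsBuild.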

Furthermore, indicators of compromise (IoCs) and other detection details related to this campaign have been published by FortiGuard Labs, serving as essential resources for cybersecurity teams aiming to enhance their defenses against evolving threats like the PureLogs infostealer.

In this digital age, as cyber threats become increasingly advanced, organizations must remain vigilant and adaptive to evolving strategies employed by malicious actors. The potential for data theft underscores the pressing need for robust cybersecurity measures, thorough employee training, and ongoing vigilance in recognizing and responding to phishing attempts.
