A variant of the PureLogs infostealer malware has been distributed through purchase-order-themed phishing emails that use a malicious JavaScript file to launch a multi-stage infection chain on Windows systems.
According to new analysis from FortiGuard Labs, the campaign uses a fake purchase order message with an attached RAR archive.
The archive contains a malicious JavaScript file used to begin the execution chain.
The phishing email tells the recipient to open the archive to view the supposed purchase order.
FortiGuard Labs said the email was marked "virus detected" in the subject field and blocked by FortiMail, preventing delivery in the analyzed case.
In a lab environment, FortiGuard Labs observed that, once executed, the JavaScript file decrypted PowerShell code and wrote it to a randomly named .ps1 file in the C:\Temp folder.
The script was then run through PowerShell.exe with execution policy bypassed, no profile loaded and the window hidden.
The dropped PowerShell file contained Base64-encoded and encrypted data. FortiGuard Labs said it decoded the content, decrypted it with an XOR-with-rotation method and executed the result as a fileless PowerShell script.
That script extracted two .NET modules in memory and used process hollowing to run the payload inside MsBuild.exe, a legitimate Windows process, rather than launching the malware as a standalone executable.
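A detection check for the two hand-offs described above (a script host launching hidden PowerShell, then PowerShell launching MsBuild.exe with nothing to build), added here as an example and not part of the FortiGuard report. The process-creation records, file names and field names are constructed in Sysmon style, and the "MSBuild with no project argument" heuristic is an assumption about what a hollowed MSBuild host looks like versus a developer build.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\PO_4471.js"'},
    {"pid": 4132, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"PowerShell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\Temp\xk3f9a.ps1"},
    {"pid": 4140, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    # Benign: a developer builds a project from a PowerShell prompt.
    {"pid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"MSBuild.exe src\app.csproj /t:Build"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# The three switches the report describes: policy bypass, no profile, hidden window.
HIDDEN_PS_FLAGS = [r"-(ex|ep|executionpolicy)\s+bypass", r"-nop(rofile)?\b", r"-w(indowstyle)?\s+hidden"]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hidden_powershell_from_script_host(ev):
    """Script host (wscript/cscript) launching PowerShell with all three hidden-execution switches."""
    if basename(ev["image"]) != "powershell.exe" or basename(ev["parent_image"]) not in SCRIPT_HOSTS:
        return False
    return all(re.search(p, ev["cmdline"], re.I) for p in HIDDEN_PS_FLAGS)


def msbuild_without_project(ev):
    """MSBuild.exe spawned by PowerShell with no project/solution on the command line (assumed hollowing host)."""
    if basename(ev["image"]) != "msbuild.exe" or basename(ev["parent_image"]) != "powershell.exe":
        return False
    return not re.search(r"\.(sln|csproj|vbproj|proj|xml)\b", ev["cmdline"], re.I)


def scan(events):
    """Return (pid, rule_name) pairs for every record that trips a rule."""
    hits = []
    for ev in events:
        if hidden_powershell_from_script_host(ev):
            hits.append((ev["pid"], "hidden_powershell_from_script_host"))
        if msbuild_without_project(ev):
            hits.append((ev["pid"], "msbuild_without_project"))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the PowerShell launch from wscript.exe and the argument-less MSBuild child, while the developer build with a .csproj argument is left alone.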
The injected .NET module loaded a downloader component from an embedded resource, decrypted it using the Data Encryption Standard (DES) and decompressed it in memory. The downloader then contacted a command-and-control (C2) server and requested a plugin module.
FortiGuard Labs identified the downloaded plugin as a fileless PureLogs variant. The module is designed to collect sensitive data from infected systems before compressing, encrypting and sending it back to the C2 server.
Collected data includes:
System details and screenshots
Clipboard contents
Browser credentials, cookies and session tokens
Discord authentication data
Cryptocurrency wallet files and keys
Credentials from applications, including Outlook, FileZilla, OpenVPN and ProtonVPN
The PureLogs module targeted a wide range of browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Yandex Browser, Mozilla Firefox, Waterfox and LibreWolf. It also scanned Discord directories for tokens that could allow account access without the victim's password.
The report advised organizations to enforce email filtering, restrict unnecessary script execution and monitor for anomalous PowerShell activity and process hollowing. FortiGuard Labs also published indicators of compromise (IoCs) and detection details for the campaign.