Threat actors are using a complex, multi-stage malware campaign to spread the PureLog Stealer. This wave of credential theft is heavily aimed at critical infrastructure, such as healthcare and government, and is disguised as localized copyright violation notices.

Using fileless execution and encrypted payloads, the attackers were able to steal sensitive information such as browser credentials and cryptocurrency wallets while evading standard security measures.

Initial Access and Malvertising Paths

The infection chain usually starts with phishing emails or executable downloads driven by Google Ads malvertising. The attack begins when a victim runs a malicious file that looks like a legal document from their region. To reduce suspicion, the malware immediately displays a decoy PDF that appears harmless.

In the background, it silently downloads an encrypted archive that carries a .pdf file extension to disguise what it really is.

Trend Micro describes the attack's infection chain as follows. This campaign retrieves the archive password from a remote server instead of embedding it in the first dropper, as most malware does. This infrastructure-controlled decryption defeats automated security analysis and lets the attackers rotate keys per victim, ensuring that only live, targeted connections can unlock the next stage. Once the malware obtains the remote key, it uses a renamed WinRAR binary disguised as a harmless PNG image to extract the archive.

The extracted files include a renamed Python executable falsely labeled svchost.exe and a heavily obfuscated Python script named instructions.pdf. This Python loader is the core of the evasion phase.
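The three disguises described above (an encrypted archive carrying a .pdf extension, a WinRAR binary renamed to look like a PNG, and a Python script named instructions.pdf) share one detectable property: the file's leading bytes do not match what its extension promises. The following Python script is an added example, not code from the article or from Trend Micro; it scans a directory for that mismatch. The sample files it writes are constructed stand-ins (a PDF header, a RAR header, a PE header and plain script text), not the campaign's actual artifacts.

```python
import os
import tempfile

# Leading bytes ("magic") a file should carry for the extensions seen in this campaign.
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".rar": (b"Rar!\x1a\x07",),
    ".exe": (b"MZ",),
}

# Signatures used to name what a mismatched file really is.
KNOWN_SIGNATURES = (
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"%PDF", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP archive"),
)


def identify(head: bytes) -> str:
    """Name the container type from the first bytes of a file."""
    for signature, name in KNOWN_SIGNATURES:
        if head.startswith(signature):
            return name
    return "unknown"


def check_file(path: str) -> dict:
    """Compare a file's extension with its real magic bytes."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(16)
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        status = "unchecked"          # extension we have no signature for
    elif head.startswith(expected):   # bytes.startswith accepts a tuple of prefixes
        status = "ok"
    else:
        status = "mismatch"
    return {"name": os.path.basename(path), "actual": identify(head), "status": status}


def scan_directory(root: str) -> dict:
    """Return {file name: detected type} for every extension/content mismatch under root."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            result = check_file(os.path.join(dirpath, name))
            if result["status"] == "mismatch":
                findings[result["name"]] = result["actual"]
    return findings


def write_constructed_samples(root: str) -> None:
    """Constructed stand-ins shaped after the campaign's decoys; none is real malware."""
    samples = {
        "notice.pdf": b"%PDF-1.4\n% decoy document\n",          # genuine-looking decoy PDF
        "archive.pdf": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,  # RAR archive wearing .pdf
        "image.png": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,      # PE file wearing .png
        "instructions.pdf": b"import base64\n",                 # script text wearing .pdf
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the samples in a scratch directory and return the mismatches found."""
    with tempfile.TemporaryDirectory() as scratch:
        write_constructed_samples(scratch)
        return scan_directory(scratch)


if __name__ == "__main__":
    for name, actual in sorted(demo().items()):
        print(f"{name}: extension does not match content ({actual})")
```

Run against a downloads or temp directory, the scan flags the decoy's companion files while the decoy PDF itself passes; extend EXPECTED_MAGIC and KNOWN_SIGNATURES with the formats your environment actually sees.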

It patches the Windows Antimalware Scan Interface (AMSI) by altering conditional jumps in memory, which blinds installed antivirus software. According to Trend Micro, the loader establishes persistence by modifying Windows registry Run keys while masquerading as normal system settings. It also captures a full-screen screenshot of the victim's desktop without their knowledge.
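The Run-key persistence described above leaves a reviewable trace: an autorun value whose command points at a user-writable path, reuses a system binary name outside System32, or hands a document-named file to an executable (the renamed Python interpreter and instructions.pdf pairing from this campaign). The following Python script is an added example, not code from the article or from Trend Micro; it scores Run-key entries against those heuristics. The entries, value names and allow-listed path prefixes are constructed for the demonstration.

```python
import ntpath

# Locations where autorun executables are normally expected (constructed allow-list).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments that indicate a user-writable location.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM32 = "c:\\windows\\system32\\"
# Document extensions that should not be handed to an executable as if they were scripts.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".txt")


def split_command(command: str) -> tuple:
    """Split a Run-key command line into (executable path, remaining arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ""
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def assess_entry(command: str) -> list:
    """Return the reasons a single Run-key value looks suspicious (empty list if none)."""
    reasons = []
    exe, args = split_command(command)
    exe_lower = exe.lower()
    if not exe_lower.startswith(TRUSTED_PREFIXES):
        reasons.append("executable outside Windows or Program Files")
    if any(hint in exe_lower for hint in USER_WRITABLE_HINTS):
        reasons.append("executable in a user-writable location")
    if ntpath.basename(exe_lower) == "svchost.exe" and not exe_lower.startswith(SYSTEM32):
        reasons.append("svchost.exe running from outside System32")
    if any(token.lower().endswith(DOCUMENT_EXTENSIONS) for token in args.split()):
        reasons.append("document-extension file passed as an argument")
    return reasons


def flag_entries(entries: list) -> dict:
    """Map value name -> reasons for every entry that raised at least one reason."""
    flagged = {}
    for name, command in entries:
        reasons = assess_entry(command)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed Run-key dump as (value name, command line). Only the last entry is modelled
# on the campaign's staging (renamed Python interpreter plus a .pdf-named script).
SAMPLE_RUN_KEY = [
    ("SecurityHealth", '"C:\\Windows\\System32\\SecurityHealthSystray.exe"'),
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("WindowsUpdateSettings",
     "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe C:\\Users\\alice\\AppData\\Roaming\\instructions.pdf"),
]


if __name__ == "__main__":
    for name, reasons in flag_entries(SAMPLE_RUN_KEY).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The OneDrive entry is deliberately included: legitimate per-user software also lives under AppData, so the location checks alone produce noise. In practice, pair them with signer verification and treat the svchost-outside-System32 and document-argument reasons as the high-confidence signals.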

It also fingerprints the compromised machine to determine the operating system version and the security products already installed, then sends this information to its command-and-control server over HTTPS.

PureLog Stealer Runs in Memory

After setting up the local environment, the Python script unpacks two different XOR-encrypted .NET loaders. These two loaders run concurrently as a fallback for each other and use TripleDES encryption to decrypt a GZip-compressed assembly.

[Figure: PureLog Stealer's infection chain (Trend Micro)]

The final payload, PureLog Stealer, is loaded directly into the current application domain. The stealer runs entirely in the managed heap and never writes its final malicious payload to disk, which lets it bypass traditional endpoint detection systems that watch for file creation events.

Telemetry shows that this operation is highly targeted rather than a large-scale distribution campaign. The localized lures are aimed at organizations in the healthcare, government, hospitality, and education sectors in Germany, Canada, the United States, and Australia.

Indicators of Compromise (IOCs)

Indicator type | Value | Context
IP address | 166[.]0[.]184[.]127 | PureLog Stealer command-and-control server
IP address | 64[.]40[.]154[.]96 | Infrastructure for outbound connections
Domain | quickdocshare[.]com | Encrypted payload and dynamic key hosting
Domain | logs[.]bestshopingday[.]com | Known PureLog Stealer C&C infrastructure
File | instructions.pdf | Heavily obfuscated Python loader script
File | svchost.exe | Renamed Python executable used for staging
File | Dgrfauysx.exe / Fsywsuac.exe | Obfuscated dual .NET loaders that run in memory
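The network indicators in the table are published in defanged form and have to be refanged before they can be matched against proxy, DNS or firewall logs. The following Python script is an added example, not code from the article or from Trend Micro; it takes the table's IP addresses and domains as written, compiles an anchored pattern for each (exact match for IPs, domain-or-subdomain match for names) and runs them over log lines. The log lines are constructed for the demonstration and are not real telemetry.

```python
import re

# Network indicators from the article's IOC table, kept in defanged form.
DEFANGED_IOCS = {
    "166[.]0[.]184[.]127": "PureLog Stealer command-and-control server",
    "64[.]40[.]154[.]96": "infrastructure for outbound connections",
    "quickdocshare[.]com": "encrypted payload and dynamic key hosting",
    "logs[.]bestshopingday[.]com": "known PureLog Stealer C&C infrastructure",
}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_patterns(defanged: dict) -> dict:
    """Compile one anchored regex per indicator so 166.0.184.12 never matches 166.0.184.127."""
    patterns = {}
    for raw, context in defanged.items():
        ioc = refang(raw)
        if IPV4.match(ioc):
            # Exact IP: no digit, letter or dot may touch either end.
            rx = r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])"
        else:
            # Domain: match the name itself or any subdomain of it.
            rx = r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(ioc) + r"(?![\w-])"
        patterns[ioc] = (re.compile(rx, re.IGNORECASE), context)
    return patterns


PATTERNS = build_patterns(DEFANGED_IOCS)

# Constructed proxy, DNS and firewall lines for the demonstration; not real telemetry.
SAMPLE_LOGS = [
    "proxy user=alice method=GET host=quickdocshare.com path=/docs/notice.pdf status=200",
    "dns query=logs.bestshopingday.com type=A answer=166.0.184.127",
    "fw action=allow src=10.0.5.23 dst=166.0.184.127 dport=443 proto=tcp",
    "proxy user=bob method=GET host=www.example.com path=/ status=200",
    "fw action=allow src=10.0.5.23 dst=166.0.184.12 dport=443 proto=tcp",
]


def scan_logs(lines) -> list:
    """Return (line index, indicator, context) for every indicator hit."""
    hits = []
    for index, line in enumerate(lines):
        for ioc, (rx, context) in PATTERNS.items():
            if rx.search(line):
                hits.append((index, ioc, context))
    return hits


if __name__ == "__main__":
    for index, ioc, context in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: {ioc} ({context})")
        print("   ", SAMPLE_LOGS[index])
```

The anchoring is the part worth keeping when you port this to a SIEM query: a naive substring search on the IP would also fire on the unrelated 166.0.184.12 host in the last line, and a naive domain search would miss subdomains of the listed names.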