PureLogs Infection Chain Overview | Image: Louis Schürmann
A seemingly innocuous pharmaceutical invoice in your inbox could be the first step in a sophisticated four-stage attack chain designed to strip your digital life bare. Louis Schürmann, a Security Analyst at Swiss Post Cybersecurity, has dissected a new campaign distributing the PURELOGS stealer, revealing how cybercriminals are using legitimate websites like archive.org to bypass security filters and deliver a devastating payload.
The analysis highlights a disturbing trend: for just $150 a month, threat actors can rent a “Malware-as-a-Service” (MaaS) kit that rivals the capabilities of advanced persistent threats, putting home users and corporate networks alike in the crosshairs.
The attack begins with a phishing email containing a ZIP file. Inside isn’t a document, but a Windows Script Host (WSH) JScript file. Once clicked, this script doesn’t reach out to a malicious domain. Instead, it downloads a PNG image from archive.org, a trusted and legitimate website.
“The attackers are using the site’s reputation as cover,” the analysis explains. “When analysts review network logs and see traffic to archive.org, it typically doesn’t raise flags.”
But this is no ordinary image. It’s a “polyglot” file—valid as an image but concealing a malicious secret. “The attackers embedded a Base64-encoded payload after the IEND chunk of the PNG… The actual malware sits between two custom markers, BaseStart- and -BaseEnd.”
A PowerShell script extracts this payload and loads it directly into memory, a technique known as fileless execution. “No file hits disk, so basic file-based AV doesn’t see it”.
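A defender-side check for the PNG polyglot described above, written as an added example (not code from Schürmann’s analysis): it walks the PNG chunk list, reports any bytes appended after the IEND chunk, and decodes a Base64 blob found between the BaseStart- and -BaseEnd markers. The 1x1 PNG and the stand-in payload are constructed here for the demonstration.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
START_MARK = b"BaseStart-"   # markers quoted in the analysis
END_MARK = b"-BaseEnd"


def png_iend_offset(data: bytes) -> int:
    """Walk the chunk list; return the offset just past IEND, or -1 if not a PNG / no IEND."""
    if data[:8] != PNG_SIG:
        return -1
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return -1


def scan_png_trailer(data: bytes) -> dict:
    """Flag trailing bytes after IEND and decode a marker-delimited Base64 payload if present."""
    end = png_iend_offset(data)
    trailer = data[end:] if end >= 0 else b""
    result = {"trailing_bytes": len(trailer), "payload": None}
    s = trailer.find(START_MARK)
    e = trailer.find(END_MARK, s + len(START_MARK)) if s >= 0 else -1
    if s >= 0 and e >= 0:
        blob = trailer[s + len(START_MARK):e]
        try:
            result["payload"] = base64.b64decode(blob, validate=True)
        except ValueError:             # binascii.Error is a ValueError: not clean Base64
            result["payload"] = None
    return result


def make_png_1x1() -> bytes:
    """Constructed minimal valid 1x1 RGB PNG used as the clean sample."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed samples: a clean image and the same image with an appended marker-wrapped blob.
SAMPLE_CLEAN = make_png_1x1()
STAND_IN = b"constructed stand-in payload"
SAMPLE_POLYGLOT = SAMPLE_CLEAN + START_MARK + base64.b64encode(STAND_IN) + END_MARK
```

Any non-zero `trailing_bytes` on an image fetched from a site like archive.org is worth a closer look even when the markers differ, since a valid decoder stops at IEND and never complains about the extra data.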
The malware employs a complex, four-stage delivery mechanism to ensure it lands safely:
- JScript Dropper: Executes with full OS privileges to launch the attack.
- VMDetectLoader: A modular loader that checks if it’s running in a virtual machine (a common tool for security researchers) and terminates if it is.
- Process Hollowing: The loader hijacks a legitimate .NET tool, CasPol.exe, hollowing out its code and replacing it with the malware. “From the perspective of the operating system and many security tools, CasPol.exe is simply running as expected”.
- The Unpacker: A final stage decrypts the payload using 3DES—a legacy algorithm chosen likely because “many security tools are configured to look for the cryptographic constants and signatures associated with AES.”
The final payload, PURELOGS, is a relentless data vacuum. It targets browsers for passwords and cookies, but its real hunger is for cryptocurrency. It hunts for over 30 desktop wallets and 70 browser extensions, including MetaMask, Coinbase, and Binance.
The barrier to entry for this kind of power is low. “For as little as $150 a month, anyone can purchase a subscription and deploy a sophisticated infostealer in minutes”.
While these “spray-and-pray” campaigns often target home users, the risk to businesses is acute. “Corporate employees working from home, contractors on personal devices, and partners in your supply chain are all in the blast radius,” Schürmann warns. “An infostealer hitting a remote employee’s personal laptop can quickly become an enterprise security incident”.