
PureLogs infostealer targets global credentials

Summary

– A phishing campaign uses invoice-themed emails with TXZ archives to deliver the PureLogs infostealer to Windows machines.
– The attack hides encrypted payloads inside PNG images, using steganography to evade detection, with a .NET loader called PawsRunner decrypting the download URL.
– PureLogs steals credentials, cookies, and session tokens from browsers, crypto wallets, communication apps, password managers, and other software.
– Stolen data is AES-encrypted and exfiltrated via HTTPS, and can be used for financial theft or sold on criminal markets.
– Users should treat unexpected emails as suspicious, and organizations can block unusual archives, monitor PowerShell, and deploy endpoint detection.

A sophisticated phishing campaign is deploying the powerful PureLogs infostealer onto Windows machines by concealing encrypted malicious payloads inside seemingly harmless cat photos. This discovery, made by Fortinet researchers, highlights a growing trend in cyberattacks that blend into normal-looking network traffic.

The attack chain begins with a phishing email that includes a TXZ archive and uses an invoice-themed lure to create urgency, pressuring victims into opening the attachment quickly. Once extracted, the JavaScript within the archive stores malicious commands in process environment variables, which are further obfuscated with garbled text and multilingual comments. It then launches a hidden PowerShell session to decode, decrypt, and decompress a .NET assembly loader called PawsRunner.

PawsRunner decrypts a download URL using RC4 encryption and attempts to fetch a PNG image through multiple network APIs. In a previous campaign flagged by Swiss Post Cybersecurity, the PNG was retrieved from archive.org. The loader then extracts an encrypted payload hidden inside the image using steganography markers, while bypassing Event Tracing for Windows and Windows 11 security features.

The final payload is PureLogs, a prodigious infostealer that profiles the victim’s system environment and harvests credentials, cookies, and session tokens from a wide range of sources. This includes an extensive list of popular and lesser-known web browsers used globally, over 100 crypto wallet extensions and desktop wallets, communication apps like Discord, Telegram, and Signal, password managers such as Bitwarden, LastPass, and 1Password, authenticators via browser extensions, and other software including Steam, OpenVPN, FileZilla, WinSCP, FoxMail, and Outlook. All stolen data is AES-encrypted before exfiltration.

“This version of PureLogs uses extensive async/await patterns to improve task efficiency and complicate analysis. Additionally, it uses HTTPS for its Command and Control (C2) communications,” the researchers noted. The harvested information can be used for financial theft or sold on criminal markets, potentially enabling follow-on attacks against victims’ employers, banks, or contacts.

The shift toward hiding payloads inside image files represents a deliberate effort to blend malicious activity into normal-looking network traffic. A PNG file fetched over HTTPS from what might appear to be a legitimate host raises far fewer alarms than a direct executable download. According to Fortinet, this steganography technique is increasingly used by attackers.

Users are advised to treat unexpected emails and attachments as suspicious, regardless of how urgent or routine they appear, and to be wary of opening files in unusual formats. Organizations can take further steps: train employees to detect invoice-themed lures, block uncommon archive formats at the email gateway, monitor for unusual PowerShell behavior, restrict JavaScript execution from email attachments, and deploy endpoint detection that covers in-memory execution.
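Two of the organizational steps above, blocking uncommon archives at the gateway and monitoring for unusual PowerShell behaviour, can be expressed as simple rules over process-creation telemetry and attachment names. The following is an added example for this article, not a detection from Fortinet or any vendor product. The event fields (`parent_image`, `image`, `command_line`) are a simplified stand-in for Sysmon-style process-creation records, and every sample event is constructed to mirror the chain the article describes: a script host launching a hidden PowerShell that executes a command pulled from an environment variable.

```python
import re

# Script hosts that should rarely be the parent of PowerShell on a workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Attachment suffixes a mail gateway can refuse outright; .txz is the lure format from the article.
BLOCKED_ATTACHMENT_SUFFIXES = (
    ".txz", ".tar.xz", ".xz", ".7z", ".iso", ".img", ".arj", ".lzh", ".cab",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
)

# Detection rules applied to the PowerShell command line: (rule name, pattern).
POWERSHELL_RULES = [
    ("powershell_hidden_window",
     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("powershell_encoded_command",
     re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)),
    # Command text sourced from an environment variable and piped or passed to Invoke-Expression.
    ("powershell_env_var_exec",
     re.compile(r"(?:iex|invoke-expression)\b[^|]*\$env:|\$env:\w+\s*\|\s*(?:iex|invoke-expression)", re.I)),
    # Decode / decompress / load-in-memory primitives typical of a .NET loader stage.
    ("powershell_inmemory_decode_load",
     re.compile(r"FromBase64String|GZipStream|DeflateStream|Assembly\]?::Load", re.I)),
]


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def score_process_event(evt: dict) -> list:
    """Return the names of every rule that matches one process-creation event."""
    hits = []
    parent = _basename(evt.get("parent_image", ""))
    image = _basename(evt.get("image", ""))
    if image not in POWERSHELL:
        return hits
    if parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")
    cmd = evt.get("command_line", "")
    for name, pattern in POWERSHELL_RULES:
        if pattern.search(cmd):
            hits.append(name)
    return hits


def attachment_verdict(filename: str) -> str:
    """Gateway policy: block unusual archive and script attachments by extension."""
    return "block" if filename.lower().endswith(BLOCKED_ATTACHMENT_SUFFIXES) else "allow"


def triage(events) -> dict:
    """Map event id -> matched rules, keeping only events with at least one hit."""
    results = {}
    for evt in events:
        hits = score_process_event(evt)
        if hits:
            results[evt["id"]] = hits
    return results


# Constructed sample events (not real telemetry); event 1 mirrors the article's JS -> hidden PowerShell step.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -nop -w hidden -c "iex $env:QT"'},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": r'pwsh.exe -nop -c "$b=[Convert]::FromBase64String($env:BLOB); $g=New-Object IO.Compression.GzipStream($m)"'},
    {"id": 4, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
    for name in ("invoice_4471.txz", "Q3_report.pdf"):
        print(f"{name}: {attachment_verdict(name)}")
```

Event 2 is the kind of benign administrative PowerShell that a rule set like this must not fire on, which is why the rules key on the parent process and on decode-and-execute primitives rather than on PowerShell alone. The attachment list is a starting point to tune against what your organization legitimately receives.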

(Source: Help Net Security)
