Copyright Lures Mask a Multi-Stage PureLog Stealer Attack on Key Industries

Summary: A targeted malware campaign uses language-matched copyright lures to deliver PureLog Stealer, an information-stealing malware, to key industries such as healthcare and government.

We identified a targeted malware campaign delivering PureLog Stealer, an information-stealing malware that uses multi-stage packed assemblies to harvest sensitive data, including Chrome browser credentials, extensions, cryptocurrency wallets, and system information, through a file disguised as a legal copyright violation notice. The attack likely relies on phishing emails that lure victims into downloading a malicious executable tailored to the victim’s local language.

Once executed, the malware deploys a multi-stage infection chain designed for evasion. Notably, it downloads an encrypted payload disguised as a PDF file, then retrieves the decryption password remotely from attacker-controlled infrastructure. Instead of using built-in decryption code, the campaign abuses a renamed WinRAR utility disguised as a PNG image to extract the payload.

The extracted payload launches a Python-based loader that decrypts and executes the final .NET PureLog Stealer malware in memory. The routine also incorporates anti-virtual machine techniques to evade automated analysis environments.
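The disguises described above (an encrypted archive delivered under a .pdf name, an archiver binary under a .png name) leave a content/extension mismatch that a defender can check for before the chain proceeds. The following is an added example, not code from the original report, and all sample bytes in it are constructed:

```python
"""Flag files whose leading bytes do not match the format their extension
claims, modelling the disguises described in the report (an encrypted archive
named .pdf, an archiver binary named .png). Added example; samples constructed."""

# Leading bytes ("magic") a file with this extension should start with.
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Signatures used to name what a mismatching file actually is.
KNOWN_MAGIC = (
    (b"MZ", "PE executable"),          # what a renamed archiver .exe would be
    (b"Rar!\x1a\x07", "RAR archive"),  # RAR4 and RAR5 share this prefix
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF-", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
)

def identify(head: bytes) -> str:
    """Name the real format from the first bytes, or 'unknown'."""
    for sig, name in KNOWN_MAGIC:
        if head.startswith(sig):
            return name
    return "unknown"

def check_masquerade(filename: str, head: bytes) -> dict:
    """Compare the extension's expected magic with the observed bytes."""
    _, dot, ext = filename.lower().rpartition(".")
    ext = dot + ext if dot else ""
    actual = identify(head)
    expected = EXPECTED_MAGIC.get(ext)
    mismatch = expected is not None and not any(head.startswith(s) for s in expected)
    return {"file": filename, "actual": actual, "mismatch": mismatch}

def scan(samples: dict) -> list:
    """Return the names of samples whose content contradicts their extension."""
    return [n for n, head in samples.items() if check_masquerade(n, head)["mismatch"]]

# Constructed samples: two mimic the lure chain's disguises, two are benign.
SAMPLES = {
    "notice.pdf": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,  # encrypted archive as .pdf
    "viewer.png": b"MZ\x90\x00\x03\x00\x00\x00",          # PE binary as .png
    "real.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "real.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("masquerade:", name, "->", identify(SAMPLES[name]))
```

In practice the same check runs over the first 16 bytes of each download or attachment; a .pdf that is really a RAR archive or a .png that is really a PE binary is exactly the mismatch this chain depends on.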

Key facts

  • The PureLog Stealer campaign uses highly targeted, language-matched lures disguised as legal copyright violation notices.
  • A multi-stage, evasive delivery chain combines encrypted payloads and remote key retrieval to hinder static analysis.
  • The malware relies on fileless execution, using a Python-based loader and dual .NET loaders to run PureLog Stealer entirely in memory.
  • Anti-virtual machine techniques, registry persistence, screenshot capture, and victim fingerprinting are integrated into the loader for stealth and intelligence gathering.
  • Evidence from telemetry confirms C&C communication with PureLog-associated infrastructure.

Why it matters

This multi-stage, targeted attack campaign is significant because it demonstrates sophisticated tactics used by threat actors to exploit specific industries and organizations. The use of language-matched lures and fileless execution methods increases the likelihood of successful infection while reducing detection by traditional security measures.