Cybercriminals Conceal PURELOGS Malware in Weaponized PNG Files
In a recent cybersecurity development, threat actors have been observed distributing the PURELOGS infostealer by embedding it within seemingly innocuous PNG image files. The technique leverages a legitimate hosting platform to evade detection, posing a significant challenge for security teams.
The Attack Vector:
The campaign initiates with phishing emails masquerading as pharmaceutical invoices. These emails contain malicious ZIP attachments that, when opened, trigger a multi-stage infection process designed to bypass traditional security measures.
Multi-Stage Infection Process:
1. Initial Execution: Upon opening the ZIP file, a JScript dropper is executed.
2. Payload Retrieval: The dropper downloads a PNG file from archive.org, a reputable website, making the request appear legitimate.
3. Hidden Malware Extraction: This PNG file is a polyglot, containing both image data and a Base64-encoded malicious payload embedded after the image’s end marker.
4. In-Memory Execution: The embedded payload is decoded and executed directly in memory using PowerShell, ensuring no malicious files are written to disk, thereby evading file-based detection systems.
Technical Sophistication:
The use of polyglot files—files that can be interpreted in multiple ways—demonstrates the attackers’ advanced capabilities. By appending the malicious code after the PNG’s IEND chunk, the image remains viewable and functional (decoders stop at IEND and ignore whatever follows), while simultaneously housing the malware. Because the file still carries a valid PNG header and renders normally, it passes naive file-type checks, and the appended content means its hash will not match any previously catalogued sample, so security tools that rely on file signatures and hash-based detection are effectively bypassed.
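A defender does not need to rely on signatures or hashes to spot this class of file: a well-formed PNG ends with its IEND chunk, so any bytes after it are, at best, unexplained and, in the campaign described above, the Base64-encoded payload. The following script is an added example, not code from the original article or from any vendor; it walks the PNG chunk structure, reports how much data trails IEND, and applies a simple Base64 heuristic to that trailer. The sample images it inspects are constructed inline (a 1x1 PNG, and the same PNG with a harmless Base64 string appended), and the function and variable names are this example's own.

```python
import base64
import binascii
import struct
import zlib

# Every PNG starts with this 8-byte signature, followed by length-prefixed chunks.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data):
    """Yield (chunk_type, start_offset, end_offset) for each chunk, stopping at IEND."""
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if end > len(data):
            break  # truncated chunk; stop rather than read past the buffer
        yield ctype, pos, end
        pos = end
        if ctype == b"IEND":
            break


def find_trailing_data(data):
    """Return the bytes after the IEND chunk, or None if this is not a complete PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    for ctype, _, end in iter_chunks(data):
        if ctype == b"IEND":
            return data[end:]
    return None  # no IEND found: malformed or truncated PNG


def looks_like_base64(blob, min_len=16):
    """Heuristic: the trailer is a reasonably long, strictly valid Base64 string."""
    text = blob.strip()
    if len(text) < min_len:
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def analyze_png(data):
    """Summarise a file: is it a PNG, how many bytes follow IEND, do they look Base64?"""
    trailer = find_trailing_data(data)
    if trailer is None:
        return {"png": False, "trailing_bytes": 0, "base64_like": False}
    return {
        "png": True,
        "trailing_bytes": len(trailer),
        "base64_like": looks_like_base64(trailer),
    }


def build_minimal_png():
    """Construct a valid 1x1 RGB PNG (a constructed sample, not a file from the campaign)."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, colour type 2 (RGB)
    raw_scanline = b"\x00\xff\x00\x00"                   # filter byte 0 + one red pixel
    return (PNG_SIGNATURE
            + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw_scanline))
            + chunk(b"IEND", b""))


# Constructed inputs: a clean image and a "polyglot" with harmless Base64 text after IEND.
CLEAN_PNG = build_minimal_png()
SUSPICIOUS_PNG = CLEAN_PNG + base64.b64encode(b"constructed harmless trailer payload for testing")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("suspicious", SUSPICIOUS_PNG)):
        print(name, analyze_png(blob))
```

Any non-zero trailing_bytes on an image that arrived by e-mail or was fetched by a script is worth an alert regardless of the Base64 result; the heuristic only raises the confidence. Run over a mail-gateway quarantine or a proxy's cached downloads, this check catches the file at rest, which complements the behavioural monitoring (a JScript process spawning PowerShell that never touches disk) the rest of the chain calls for.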
Malware-as-a-Service (MaaS):
PURELOGS operates on a subscription model, with prices starting at $150 per month. This affordability makes it accessible to a wide range of cybercriminals, from novices to seasoned operators, increasing the prevalence of such attacks.
Implications for Cybersecurity:
The integration of fileless execution and the use of trusted platforms for payload delivery underscore the evolving nature of cyber threats. Organizations must adopt advanced detection mechanisms that analyze behavioral patterns and network anomalies to identify and mitigate such sophisticated attacks.
Conclusion:
The concealment of PURELOGS within PNG files exemplifies the innovative tactics employed by cybercriminals to evade detection. As these methods become more prevalent, it is imperative for cybersecurity defenses to evolve correspondingly, emphasizing proactive threat hunting and comprehensive monitoring strategies.