Cybercriminals have developed a sophisticated method to distribute the PureLog Stealer malware by exploiting Google’s Blogspot platform in conjunction with Windows PowerShell. This approach allows them to infiltrate systems while evading traditional security measures.
The attack initiates with a deceptive file named transcript.pdf.js. Due to Windows’ default setting of hiding file extensions, this file appears as a standard PDF document to the user. When executed, it leverages Windows Script Host to launch PowerShell with execution policies disabled, enabling the download and execution of additional malicious code directly from Blogspot pages without leaving traces on the disk.
Security researchers have identified this framework, termed Veil#Drop, which effectively conceals malicious activities behind layers of encoding and legitimate web traffic. The infection chain progresses from the initial deceptive file to the extraction of sensitive information, including browser credentials and cryptocurrency wallet data.
One notable aspect of this campaign is its reliance on trusted platforms and tools. By utilizing Blogspot for hosting malicious payloads and PowerShell for execution, the attackers can bypass many security defenses that typically flag unknown or untrusted sources. Additionally, the malware employs techniques such as deleting the original launcher file to minimize forensic evidence and dynamically generating Blogspot URLs to evade domain-based blocking.
To mitigate the risks associated with such attacks, users should exercise caution when opening files from unverified sources, especially those with double extensions or unfamiliar formats. Organizations are advised to implement strict execution policies for scripting languages like PowerShell and to monitor network traffic for unusual patterns, such as unexpected connections to blogging platforms or the execution of scripts with disabled security checks.
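As an added illustration of the monitoring advice above (not code from the original report), the following Python detector runs over constructed process-creation events and flags the indicators the text names: a double-extension script launcher, PowerShell spawned by Windows Script Host with its execution policy bypassed, and an outbound connection to a Blogspot host. The event field names, file paths and hostnames are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry). The shape
# (parent image, image, command line, destination host) and all paths and
# hostnames are assumptions made for this example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\transcript.pdf.js"',
     "dest_host": ""},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -NoProfile -w hidden '
                '-c "[stage-2 loader placeholder]"',
     "dest_host": "example123.blogspot.com"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Acrobat\Acrobat.exe",
     "cmdline": r'Acrobat.exe "C:\Users\a\Downloads\invoice.pdf"',
     "dest_host": ""},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1",
     "dest_host": ""},
]

# Document-looking name followed by a script-host extension, e.g. transcript.pdf.js
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpg|png|txt)\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)
# -ExecutionPolicy / -ex / -ep followed by Bypass or Unrestricted
POLICY_BYPASS = re.compile(r"-(ex\w*|ep)\s+(bypass|unrestricted)", re.I)
BLOG_HOST = re.compile(r"(^|\.)blogspot\.com$", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the names of the rules that fire for one event (empty if benign)."""
    hits = []
    image, parent, cmd = _basename(event["image"]), _basename(event["parent"]), event["cmdline"]
    if DOUBLE_EXT.search(cmd):
        hits.append("double_extension_script")
    if image == "powershell.exe" and POLICY_BYPASS.search(cmd):
        hits.append("powershell_execution_policy_bypass")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_powershell")
    if BLOG_HOST.search(event.get("dest_host", "")):
        hits.append("outbound_to_blogspot")
    return hits

def scan(events):
    """Index and rule hits for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Only the launcher and the PowerShell child fire; the legitimate PDF viewer and the administrative backup script do not, which is the distinction a production rule needs to preserve.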
This campaign underscores the evolving tactics of cybercriminals who increasingly exploit legitimate services and tools to distribute malware. It highlights the necessity for continuous vigilance and adaptive security strategies to counteract these sophisticated threats.