VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer

Cybersecurity researchers have flagged a new series of malware delivery attacks that use social engineering and Blogger pages to deliver an information stealer called PureLogs.

The activity has been codenamed VEIL#DROP by Securonix. The initial payloads are suspected to be distributed through phishing or drive-by downloads, the latter occurring when an unsuspecting user lands on a website (legitimate or otherwise) under an attacker's control.

“The infection chain begins with a deceptive JavaScript file that masquerades as a document (e.g., transcript.pdf.js), which uses the Windows Script Host and then launches PowerShell while bypassing the execution policy,” said researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee in a report shared with The News.

At a high level, the PowerShell script is responsible for retrieving the next-stage payload hosted on Blogger (“htlwub00klocate.blogspot[.]com”), which allows the attackers to bypass reputation-based defenses by abusing Google’s trusted infrastructure as a staging host and blending in with legitimate web traffic.

The downloaded PowerShell payload acts as a conduit to load a decoy web page, such as a Google page, creating the impression that a PDF document is being opened, while the infection sequence continues silently in the background. It ultimately leads to the deployment of PureLogs Stealer, a .NET-based infostealer known for harvesting large amounts of sensitive data from compromised hosts.

The PowerShell loader also tries to ensure unrestricted PowerShell execution, terminating selected processes such as “wscript.exe” to reduce the process trail, deleting “transcript.pdf.js” to eliminate evidence of execution, and decrypting embedded payloads.

“Following a successful XOR decryption, the loader switches to one of the most evasive parts of the VEIL#DROP framework: dynamic stage generation combined with runtime transformation,” explained Securonix. “Instead of using static indicators like hard-coded URLs or predictable patterns, the malware constructs the next-stage payload at runtime.”

This includes creating a unique blogspot[.]com URL for each transaction by inserting a random number of forward slashes (/) into the URL string to bypass static URL signatures, indicator-based blocking, and URL-based filtering methods.
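One defensive answer to the slash-insertion trick described above is to canonicalize URLs before matching them against a blocklist. The following is an added example, not code from Securonix or the report; it assumes the extra slashes land after the hostname, uses the Blogger host named in the report, and the path and blocklist entries are constructed placeholders:

```python
"""Canonicalize URLs so slash-padded variants still hit a blocklist.

Added example for this article; not Securonix's code.  The staging host
comes from the report (written defanged there); the path is a placeholder.
"""
import re
from typing import Tuple
from urllib.parse import urlsplit


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def normalize_url(url: str) -> Tuple[str, str]:
    """Return (host, path) with runs of '/' in the path collapsed to one.

    urlsplit keeps the scheme separator out of the path, so only the path
    component is rewritten: 'a//b///c' and 'a/b/c' compare equal, and the
    hostname is lower-cased so case games do not help either.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return host, path


# Constructed blocklist.  Host-only entries block everything on that host;
# host+path entries block one canonical resource.
RAW_BLOCKLIST = {
    "htlwub00klocate.blogspot[.]com/p/stage2.html",  # path is a placeholder
}
BLOCKED_HOSTS = {refang(e) for e in RAW_BLOCKLIST if "/" not in e}
BLOCKED_PATHS = {refang(e) for e in RAW_BLOCKLIST if "/" in e}


def is_blocked(url: str) -> bool:
    """Match the canonical form, so padded or defanged variants still hit."""
    host, path = normalize_url(url)
    return host in BLOCKED_HOSTS or f"{host}{path}" in BLOCKED_PATHS


if __name__ == "__main__":
    for u in ("http://htlwub00klocate.blogspot.com///p//stage2.html",
              "http://example.blogspot.com/p/stage2.html"):
        print(u, "->", is_blocked(u))
```

The same canonical form should be applied to proxy and DNS logs before hunting, since a literal string search for the blocklisted URL would miss the padded variants.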

Additionally, the generated script introduces runtime modification and polymorphism by replacing placeholder values within the script with randomly generated strings and values at runtime. This variation is designed to defeat script signatures and file hashes, thereby preventing reliable detection.

The reconstructed script is finally executed entirely in memory without leaving any artifacts on disk. This component acts as a loader responsible for decoding and executing the core component of the malware, which is a .NET assembly loaded using a method known as reflective code loading.

In the event that security controls and other environmental restrictions prevent it from using the .NET compiler directly, the loader includes a fallback mechanism that relies on Microsoft-signed binaries, such as “regsvcs.exe,” “installutil.exe,” “msbuild.exe,” and “aspnet_compiler.exe,” to accomplish the same purpose.

Because these binaries are trusted, signed by Microsoft, and already present on the system, this living-off-the-land (LotL) approach allows attackers to make their activity appear legitimate and fly under the radar.

“One of the most notable features of the loader is that it does not depend on any single LOLBin,” the researchers said. “Instead, the execution follows a cascading model, trying each method until one succeeds.”

The impact of a stealer infection often extends beyond the initially compromised endpoint, as harvested data can act as a stepping stone to dig deeper into a target’s environment, establish persistence, move laterally, and breach its cloud infrastructure.

“The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET payloads, fileless execution, and LOLBin abuse shows a deliberate attempt to evade traditional anti-virus solutions, reduce forensic artifacts, and maintain stealth throughout the life of the infection,” said Securonix.
