A variant of the PureLogs infostealer malware has been distributed through purchase-order-themed phishing emails that use a malicious JavaScript file to launch a multi-stage infection chain on Windows systems.
According to new analysis from FortiGuard Labs, the campaign uses a fake purchase order message with an attached RAR archive.
The archive contains a malicious JavaScript file used to begin the execution chain.
JavaScript and PowerShell Execution
The phishing email tells the recipient to open the archive to view the supposed purchase order.
FortiGuard Labs said the email was marked "virus detected" in the subject field and blocked by FortiMail, preventing delivery in the analyzed case.
In a lab environment, FortiGuard Labs observed that, once executed, the JavaScript file decrypted PowerShell code and wrote it to a randomly named .ps1 file in the C:\Temp folder.
The script was then run through PowerShell.exe with execution policy bypassed, no profile loaded and the window hidden.
The dropped PowerShell file contained Base64-encoded and encrypted data. FortiGuard Labs said it decoded the content, decrypted it with an XOR-with-rotation method and executed the result as a fileless PowerShell script.
That script extracted two .NET modules in memory and used process hollowing to run the payload inside MsBuild.exe, a legitimate Windows process, rather than launching the malware as a standalone executable.
PureLogs Targets Credentials and Wallets
The injected .NET module loaded a downloader component from an embedded resource, decrypted it using the Data Encryption Standard (DES) and decompressed it in memory. The downloader then contacted a command-and-control (C2) server and requested a plugin module.
FortiGuard Labs identified the downloaded plugin as a fileless PureLogs variant. The module is designed to collect sensitive data from infected systems before compressing, encrypting and sending it back to the C2 server.
Collected data includes:
-
System details and screenshots
-
Clipboard contents
-
Browser credentials, cookies and session tokens
-
Discord authentication data
-
Cryptocurrency wallet files and keys
-
Credentials from applications, including Outlook, FileZilla, OpenVPN and ProtonVPN
The PureLogs module targeted a wide range of browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Yandex Browser, Mozilla Firefox, Waterfox and LibreWolf. It also scanned Discord directories for tokens that could allow account access without the victim's password.
The report advised organizations to enforce email filtering, restrict unnecessary script execution and monitor for anomalous PowerShell activity and process hollowing. FortiGuard Labs also published indicators of compromise (IoCs) and detection details for the campaign.