A phishing campaign is smuggling the powerful PureLogs information stealer onto targets’ Windows machines by hiding encrypted malicious payloads inside cat photos, Fortinet researchers discovered.
The attack
The attack starts with a phishing email containing a TXZ archive and using an invoice-themed lure to pressure the victim into opening it quickly:
The phishing email carrying the malicious TXZ archive (Source: Fortinet)
The extracted JavaScript stores malicious commands in process environment variables (which are also filled with garbled text and multilingual comments as obfuscation), then launches a hidden PowerShell session to decode, decrypt, and decompress a .NET assembly loader dubbed PawsRunner.
PawsRunner decrypts a download URL using RC4, then tries multiple network APIs to fetch a PNG image. (In a previous campaign flagged by Swiss Post Cybersecurity, the PNG image was retrieved from archive.org.)
It then extracts an encrypted payload hidden within the PNG file using steganography markers, and bypasses Event Tracing for Windows (ETW) and Windows 11 security features.
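Fortinet's write-up describes the extraction step but not what the markers look like, and the following added example is not their code or PawsRunner's. From the defender's side the useful check is structural: a legitimate PNG ends at its IEND chunk and contains only spec-defined chunk types, so a scanner that walks the chunk list and reports trailing bytes, unknown chunks and CRC mismatches (plus the entropy of any trailing data, since encrypted payloads sit near 8 bits per byte) flags the appended-payload variants. It builds its own 1x1 test images so it runs offline; the marker string and the filler bytes are constructed, not values from the campaign.

```python
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_png(blob: bytes) -> dict:
    """Walk the chunk list and report what a clean image would not have:
    unknown chunk types, CRC mismatches, truncation, and bytes after IEND."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    findings = {"unknown_chunks": [], "bad_crc": [], "truncated": False,
                "trailing_bytes": 0, "trailing_entropy": 0.0}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            findings["truncated"] = True
            return findings
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[end - 4:end])[0]
        if zlib.crc32(ctype + data) != crc:
            findings["bad_crc"].append(ctype.decode("latin-1"))
        if ctype not in KNOWN_CHUNKS:
            findings["unknown_chunks"].append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            break
    trailing = blob[pos:]  # viewers stop at IEND, so anything here is free space for an attacker
    findings["trailing_bytes"] = len(trailing)
    findings["trailing_entropy"] = round(shannon_entropy(trailing), 2)
    return findings


def is_suspicious(findings: dict) -> bool:
    return bool(findings["unknown_chunks"] or findings["bad_crc"]
                or findings["truncated"] or findings["trailing_bytes"])


# --- constructed test images (no real malware involved) -------------------

def _chunk(ctype: bytes, data: bytes) -> bytes:
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def make_clean_png() -> bytes:
    """A valid 1x1 RGB PNG: IHDR, one zlib-compressed scanline, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte 0 + one white pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_stuffed_png() -> bytes:
    """Same image with a constructed marker and 1024 bytes of high-entropy
    filler appended after IEND, standing in for an encrypted payload."""
    filler = bytes(range(256)) * 4  # constructed: uniform byte values, entropy 8.0
    return make_clean_png() + b"<<CONSTRUCTED-MARKER>>" + filler


if __name__ == "__main__":
    for name, img in (("clean", make_clean_png()), ("stuffed", make_stuffed_png())):
        f = scan_png(img)
        print(name, "suspicious" if is_suspicious(f) else "ok", f)
```

Run against a directory of downloaded images, the two signals worth alerting on are non-zero trailing bytes with entropy above roughly 7.5 and unknown chunk types. A payload written into the pixel data itself (LSB steganography) passes this structural check, which is why the PowerShell and endpoint monitoring the article recommends matter as much as file inspection.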
A prodigious infostealer
The final malicious payload is the PureLogs infostealer, which profiles the victim’s system environment and harvests credentials, cookies and session tokens from:
- An extensive list of popular and lesser-known web browsers used around the world
- Over 100 crypto wallet extensions and desktop wallets
- Communication apps (Discord, Telegram, Signal, etc.)
- Password managers (Bitwarden, LastPass, 1Password, etc.)
- Authenticators (via browser extensions)
- Other software like Steam, OpenVPN, PhontanVPN, Ngrok, OBS Studio, FileZilla, WinSCP, FoxMail, MailBird, MailMaster, and Outlook.
The stolen data is AES-encrypted and exfiltrated.
“This version of PureLogs uses extensive async/await patterns to improve task efficiency and complicate analysis. Additionally, it uses HTTPS for its Command and Control (C2) communications,” the researchers added.
The stolen data can be used for financial theft or sold on criminal markets, potentially enabling follow-on attacks against victims’ employers, banks, or contacts.
Steganography on the rise
The shift toward hiding payloads inside image files represents a deliberate effort to blend malicious activity into normal-looking network traffic: A PNG file fetched over HTTPS, from what might appear to be a legitimate host, raises far fewer alarms than a direct download of an executable.
According to Fortinet, the technique is increasingly used by attackers.
Users are advised to treat unexpected emails and attachments as suspicious regardless of how urgent or routine they look, and to be wary of opening files in unusual file formats.
Organizations can do more: they can train employees on how to detect invoice-themed lures, block uncommon archive formats at the email gateway, monitor for unusual PowerShell behavior, restrict JavaScript execution from email attachments, and deploy endpoint detection that covers in-memory execution.
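The advice to "monitor for unusual PowerShell behavior" maps directly onto the chain described earlier: a Windows script host (wscript.exe, which runs the extracted JavaScript) launching a hidden PowerShell session that decodes and decompresses data. The detection logic below is added here as an illustration and is not code from Fortinet or any vendor. It scores process-creation events on those indicators and alerts when two or more coincide, so a lone encoded command from a scheduler does not page anyone. The event fields follow Sysmon Event ID 1 naming (Image, ParentImage, CommandLine, ProcessId); the four sample events are constructed, and the `$env:` indicator is an assumption drawn from the article's note that commands were staged in environment variables.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Indicator name -> pattern applied to the command line. PowerShell accepts
# prefix abbreviations of its switches (-w, -win, -windowstyle), hence [a-z]*.
INDICATORS = {
    "hidden_window": re.compile(r"(?:^|\s)-w[a-z]*\s+hidden\b", re.I),
    "encoded_command": re.compile(r"(?:^|\s)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "inline_decode": re.compile(r"FromBase64String|DeflateStream|GZipStream|Decompress", re.I),
    # Assumption: commands staged in environment variables show up as $env:NAME references.
    "env_var_staging": re.compile(r"\$env:[A-Za-z_]\w*", re.I),
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(evt: dict) -> list:
    """Return the list of indicator names that fire for one process-creation event."""
    reasons = []
    if basename(evt["Image"]) not in POWERSHELL:
        return reasons
    if basename(evt["ParentImage"]) in SCRIPT_HOSTS:
        reasons.append("script_host_parent")
    for name, pattern in INDICATORS.items():
        if pattern.search(evt["CommandLine"]):
            reasons.append(name)
    return reasons


def alerts(events: list) -> list:
    """(ProcessId, reasons) for every event with at least two indicators."""
    out = []
    for evt in events:
        reasons = score_event(evt)
        if len(reasons) >= 2:
            out.append((evt["ProcessId"], reasons))
    return out


# Constructed sample events in Sysmon Event ID 1 field naming; not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "[Convert]::FromBase64String($env:XQ)"'},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessId": 4230,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"ProcessId": 4301,
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for pid, reasons in alerts(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} indicators={', '.join(reasons)}")
```

The same scoring translates directly into a SIEM rule: the parent-process check is the cheapest and most specific signal, because legitimate automation rarely runs PowerShell out of wscript.exe or cscript.exe, while the command-line patterns add confidence and survive minor changes to the loader.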