PureLogs: Delivery via PawsRunner Steganography

FortiGuard Labs uncovered a phishing campaign that delivers a TXZ archive, uses environment variables and a steganography loader named PawsRunner, and ultimately deploys the .NET infostealer PureLogs. The attack hides encrypted payloads inside PNG images, including cat photos, while PureLogs steals browser, wallet, and communication-app data before exfiltrating it over HTTPS. #PawsRunner #PureLogs #FortiGuardLabs #MicrosoftWindows

Keypoints

  • FortiGuard Labs identified a phishing campaign targeting Microsoft Windows users with a TXZ archive attachment disguised as an invoice.
  • The JavaScript inside the archive hides malicious commands in environment variables and launches hidden PowerShell and conhost.exe processes.
  • PawsRunner acts as a steganography loader, using PNG images and hidden iTXt/IEND chunk data to retrieve the next-stage payload.
  • The final payload is PureLogs, a .NET infostealer protected with .NET Reactor and configured through Protobuf serialization.
  • PureLogs contacts its C2 server over HTTPS, checks connectivity, then downloads and loads the core DLL after AES decryption and gzip decompression.
  • The malware steals data from a wide range of browsers, crypto wallets, browser extensions, Discord, Telegram, VPN tools, and file transfer applications.
  • Fortinet lists its detections for the samples, IPS coverage for PureLogs C2 traffic, and notes that the uncommon TXZ attachment format can itself be blocked as an attachment type.
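The process pattern in the second keypoint (a headless conhost.exe and PowerShell with a hidden window, the behaviours the T1059.001 and T1564.003 entries below quote) as an added detection example; this is not code from the FortiGuard Labs report, which does not reproduce the campaign's command lines. The records are constructed in the shape of Sysmon Event ID 1 fields. The `--headless` flag and the PowerShell parameter handling (any unique prefix of `-WindowStyle`, with `Hidden` spelled out, abbreviated to `h`, or given as the enum value `1`) come from how those binaries parse arguments; the third rule, which flags `iex` fed from a `$env:` variable, is an assumption about how a command stashed in an environment variable would be executed, not something the report states.

```python
"""Command-line rules for headless conhost.exe and hidden-window PowerShell.

Added example for this summary, not code from the FortiGuard Labs report.
SAMPLE_EVENTS are constructed in the shape of Sysmon Event ID 1 fields.
"""
import re

# (rule name, regex on the image path, regex on the command line); all case-insensitive.
RULES = [
    # conhost.exe started with --headless hosts a console with no visible window.
    ("conhost_headless", r"\\conhost\.exe$", r"(^|\s)--headless(\s|$)"),
    # powershell.exe / pwsh.exe accepts any unique prefix of -WindowStyle (-w, -win, ...);
    # Hidden may be spelled out, abbreviated to h, or passed as the enum value 1.
    ("powershell_hidden_window", r"\\(powershell|pwsh)\.exe$",
     r"(^|\s)[-/]w(?:i|in|ind|indo|indow|indows|indowst|indowsty|indowstyl|indowstyle)?"
     r"\s+(?:h\w*|1)(\s|$)"),
    # Assumption for this example: a command kept in an environment variable is run by
    # handing $env:NAME to Invoke-Expression / iex, directly or through a pipe.
    ("powershell_iex_env_var", r"\\(powershell|pwsh)\.exe$",
     r"\b(?:iex|invoke-expression)\b.*\$env:|\$env:\w+\s*\|\s*(?:iex|invoke-expression)\b"),
]


def match_rules(event: dict) -> list:
    """Return the names of every rule whose image and command-line regexes both match."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, event["Image"], re.I) and re.search(cmd_re, event["CommandLine"], re.I):
            hits.append(name)
    return hits


def scan(events) -> list:
    """Flatten rule hits across a batch of events into (event id, rule name) pairs."""
    return [(e["id"], name) for e in events for name in match_rules(e)]


SAMPLE_EVENTS = [  # constructed records, not taken from the report
    {"id": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},                       # normal console host
    {"id": 2, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\System32\conhost.exe --headless cmd.exe /c echo constructed"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -win h -ep bypass -c "iex $env:EXAMPLE_VAR"'},    # hypothetical variable name
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-Service -Name WinRM"},    # benign admin use
    {"id": 5, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -w 1 -c Start-Sleep 5"},                                # Hidden as enum value
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The two window-hiding rules are the ones supported by the report; the `iex $env:` rule is a guess at the execution step and will need tuning against real telemetry, where legitimate scripts also read environment variables.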

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The campaign starts with a phishing email carrying a TXZ archive attachment used as the lure (‘The attack campaign begins with a phishing email containing an TXZ archive…as an attachment’).
  • [T1027] Obfuscated Files or Information – The JavaScript includes irrelevant multilingual comments and garbled environment variables to obscure intent (‘contains several functions, each preceded by irrelevant comments’ and ‘declare a large number of Process environment variables containing garbled text’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to execute the hidden command and stage subsequent payload decoding (‘invoked PowerShell also uses the -w hidden flag’).
  • [T1564.003] Hide Artifacts: Hidden Window – The malware hides execution by launching conhost.exe headless and PowerShell with a hidden window (‘launches conhost.exe in headless mode’ and ‘uses the -w hidden flag to hide the PowerShell window’).
  • [T1027.003] Steganography – The loader extracts encrypted data hidden in PNG images using steganographic markers (‘uses steganography to conceal data within the picture’ and ‘uses “iTXt” and “IEND” chunks as markers’).
  • [T1140] Deobfuscate/Decode Files or Information – The payload is AES-decrypted, Gzip-decompressed, and Base64-decoded in multiple stages (‘decodes and decrypts its payload using the AES algorithm’ and ‘decompresses it using the Gzip method’).
  • [T1105] Ingress Tool Transfer – The loader downloads next-stage content from remote URLs and replaces the original link if needed (‘retrieve data’, ‘downloaded data’, and ‘fallback URLs’).
  • [T1129] Shared Modules – The loader pulls in native libraries at runtime and resolves the addresses of the API functions it needs (‘loads native libraries and resolves addresses for necessary API functions’); the runtime address lookup is also the behaviour ATT&CK files under T1027.007 Dynamic API Resolution.
  • [T1620] Reflective Code Loading – The .NET assembly is loaded and executed in memory via reflection rather than written to disk (‘loaded and executed dynamically via reflection in a fileless manner’); the report describes no injection into another process, so T1055 does not apply.
  • [T1562.006] Impair Defenses: Indicator Blocking – The loader bypasses ETW before loading the payload, cutting off the telemetry channel that endpoint sensors consume, and the report says it also bypasses Windows 11 (24H2) security features without naming them (‘After bypassing ETW and Windows 11 (24H2) security features’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and data theft occur via HTTP/HTTPS requests to multiple endpoints (‘uses HTTP requests’ and ‘uses HTTPS for its Command and Control (C2) communications’).
  • [T1041] Exfiltration Over C2 Channel – Harvested data is sent back to the C2 server through HTTP requests (‘exfiltrates it to the C2 server via HTTP requests’).
  • [T1082] System Information Discovery – PureLogs profiles the victim host through WMI queries (‘leverages Windows Management Instrumentation (WMI) to profile the victim’s system environment’).
  • [T1119] Automated Collection – The malware runs asynchronous tasks to gather browser, app, and file-search data (‘CreateDemoBrowserDataAsync’, ‘CreateDemoDiscordAsync’, and ‘CreateDemoFileSearchAsync’).
  • [T1005] Data from Local System – It harvests local browser data, wallet data, communication apps, and files from the victim machine (‘The following is a list of harvested items’).
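The PNG carving step described in the third keypoint and in the T1027.003 entry above, as an added example; this is not code from the FortiGuard Labs report or from PawsRunner. The report says only that the loader uses the iTXt and IEND chunks as markers for the hidden data, so treating the iTXt text and any bytes appended after IEND as the carved blobs is an assumption made here, and the 1x1 sample PNG is constructed. The code walks the chunk structure the way an analyst would triage a suspected carrier image: it verifies CRCs, decodes the three text-chunk types, and reports anything after IEND.

```python
"""Inspect a PNG for the places a steganography loader can stash data.

Added example for this summary; not code from the FortiGuard Labs report or
from PawsRunner. Carving iTXt text and post-IEND bytes is this example's
assumption about where the marker-delimited data lives; the sample image is
constructed.
"""
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_png(blob: bytes):
    """Return (chunks, trailing): chunks is a list of (type, data, crc_ok) up to and
    including IEND; trailing is whatever the writer appended after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4 and
                  struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF))
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, blob[pos:]
    return chunks, b""  # no IEND reached: truncated file, nothing can trail it


def decode_itxt(data: bytes):
    """Split an iTXt chunk into (keyword, text). Spec layout:
    keyword NUL compression_flag compression_method language_tag NUL translated_keyword NUL text."""
    keyword, rest = data.split(b"\x00", 1)
    comp_flag = rest[0]
    _lang, rest = rest[2:].split(b"\x00", 1)
    _translated, text = rest.split(b"\x00", 1)
    if comp_flag == 1:
        text = zlib.decompress(text)
    return keyword.decode("latin-1"), text


def _is_utf8(b: bytes) -> bool:
    try:
        b.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def inspect_png(blob: bytes) -> dict:
    """Carve text-chunk payloads and post-IEND bytes; flag the file when either looks
    like a binary blob rather than text (a coarse triage heuristic, not a verdict)."""
    chunks, trailing = parse_png(blob)
    report = {"text_chunks": [], "bad_crc": [], "trailing_after_iend": trailing}
    for ctype, data, crc_ok in chunks:
        if not crc_ok:
            report["bad_crc"].append(ctype.decode("latin-1"))
        if ctype == b"iTXt":
            report["text_chunks"].append(decode_itxt(data))
        elif ctype == b"tEXt":
            key, _, text = data.partition(b"\x00")
            report["text_chunks"].append((key.decode("latin-1"), text))
        elif ctype == b"zTXt":
            key, _, rest = data.partition(b"\x00")  # rest = method byte + zlib stream
            report["text_chunks"].append((key.decode("latin-1"), zlib.decompress(rest[1:])))
    report["suspicious"] = bool(trailing) or any(not _is_utf8(t) for _, t in report["text_chunks"])
    return report


def build_sample(hidden: Optional[bytes], trailer: bytes) -> bytes:
    """Constructed 1x1 RGB PNG: `hidden` goes into an iTXt 'Comment' chunk when given,
    `trailer` is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\xff\xff")            # filter 0 + one white pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    if hidden is not None:
        # keyword, NUL, flag=0, method=0, empty language tag, empty translated keyword
        png += _chunk(b"iTXt", b"Comment\x00\x00\x00\x00\x00" + hidden)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


# Constructed inputs: made up for the example, not loader data.
HIDDEN = b"\x8a\x13not-a-real-payload\xff\x00stage2"
TRAILER = b"\xde\xad appended after IEND"
SAMPLE_PNG = build_sample(HIDDEN, TRAILER)
CLEAN_PNG = build_sample(b"made with an example tool", b"")

if __name__ == "__main__":
    for name, png in (("sample", SAMPLE_PNG), ("clean", CLEAN_PNG)):
        r = inspect_png(png)
        print(name, "suspicious" if r["suspicious"] else "clean", r["text_chunks"], r["trailing_after_iend"])
```

Whatever this carves is still the encrypted stage; the report describes AES decryption, gzip decompression and Base64 decoding on top of it, and the key material is not in the summary, so the decoder is out of scope here.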

Indicators of Compromise

  • [IP address] C2 server used by the campaign – 5[.]101[.]84[.]202
  • [URL] PNG payload hosted as steganographic carrier – hxxps://everycarebd[.]com/imagelkjh0987[.]png
  • [SHA256 hash] malware sample hash – 8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588
  • [SHA256 hash] malware sample hash – 6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9
  • [SHA256 hash] malware sample hash – 93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e
  • [SHA256 hash] malware sample hash – 0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e
  • [SHA256 hash] malware sample hash – 1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9
  • [SHA256 hash] malware sample hash – e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec


Read more: https://feeds.fortinet.com/~/956103044/0/fortinet/blog/threat-research~PureLogs-Delivery-via-PawsRunner-Steganography