FortiGuard Labs identified a phishing campaign that delivers a PureLogs variant through a fake purchase-order email carrying a malicious RAR archive and JavaScript file. The attack chain uses PowerShell, process hollowing, and a downloader to load an in-memory plugin that steals browser, Discord, crypto wallet, and application data from Windows systems. #PureLogs #FortiGuardLabs #MsBuild.exe #Discord #MicrosoftEdge #FileZilla
Keypoints
- The campaign starts with a phishing email disguised as a purchase order, which FortiMail blocked as "virus detected."
- The attached RAR archive contains a malicious JavaScript file named kpankocrs.js.
- The JavaScript drops and executes an obfuscated PowerShell script from C:\Temp.
- The PowerShell stage uses process hollowing to inject a .NET module into MsBuild.exe.
- A downloader module fetches a fileless PureLogs plugin from a C2 server and loads it in memory.
- The malware collects system data, browser credentials, Discord tokens, crypto wallet information, and application credentials.
- Collected data is compressed, encrypted, and exfiltrated to the attacker's server via HTTP POST requests.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment - The campaign delivers a malicious RAR attachment through a fake purchase-order email ("disguised as purchase orders" and "an attached RAR archive").
- [T1059.007] JavaScript - The attachment contains and runs a malicious JavaScript file ("a malicious JavaScript file named kpankocrs.js is present").
- [T1059.001] PowerShell - The JavaScript decrypts and launches a PowerShell script ("executes the PowerShell file" and "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden").
- [T1027] Obfuscated Files or Information - Multiple stages are obfuscated and encoded ("obfuscated JavaScript code", "Base64-encoded data", and "decrypted using an XOR-with-rotation method").
- [T1027.013] Embedded Payloads - The malware stores and extracts payloads from resources ("extracts and executes two .NET modules in memory" and "loads data from the resource named 'Eqxcpvgf.Ybrgdoxas'").
- [T1055.012] Process Hollowing - The malware injects a .NET module into a suspended trusted process ("conduct the process hollowing" and target process "MsBuild.exe").
- [T1106] Native API - The process hollowing chain uses Windows APIs to manipulate the target process ("CreateProcessA(), ZwUnmapViewOfSection(), ReadProcessMemory(), WriteProcessMemory(), VirtualAllocEx(), GetThreadContext(), SetThreadContext(), and ResumeThread()").
- [T1105] Ingress Tool Transfer - The downloader retrieves plugin modules from the C2 server ("download additional plugin modules from its C2 server").
- [T1027.015] Compressed Files and Information - The malware uses GZip compression on payloads and stolen data ("compresses it with GZip" and "gunzips the DES-decrypted data").
- [T1041] Exfiltration Over C2 Channel - Stolen data is sent back to the attacker via HTTP POST requests ("transmitting it to the C2 server" and "POST /browser", "POST /discord", "POST /crypto").
- [T1119] Automated Collection - The malware gathers large sets of data from the victim system ("collect sensitive data" including browser, Discord, wallet, and application data).
Indicators of Compromise
- [URL] C2 endpoint and API paths used for checking in, downloading plugins, and exfiltrating data - hxxps://77[.]83[.]39[.]211:8443/ping, hxxps://77[.]83[.]39[.]211:8443/plugin, and other related endpoints
- [IP:Port] C2 server used by the downloader and plugin modules - 77[.]83[.]39[.]211:8443, 192[.]168[.]10[.]1:8443
- [File names] Malicious attachment and dropped scripts/modules - PO 2026-P0803.rar, kpankocrs.js, ps_qnSEGUkU0LIY_1777592585573.ps1, Rmiyj.dll, zgSGkYYzqVe.dll
- [SHA-256] Associated sample hashes - 3D510977D60A44322F88100B515F06CB5ED83BABC64247068D1A489595FAA6C5, 670384FAFB23140D96F2F8FE04A13FC8CC8E2A6E5E8C973E39B58D103C5FEA92, and 3 more hashes
- [File path] Locations used to store or steal data - C:\Temp, %LocalAppData%\Microsoft\Edge\User Data\Default\Login Data, %AppData%\Discord\Local Storage\leveldb, and 4 more paths
- [Resource names] Embedded resource names used to load payloads and configuration - Eqxcpvgf.Ybrgdoxas
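As an added defender's example, not code from the FortiGuard report: a small Python triage routine that scores Sysmon-style process-create and network-connect events against the chain summarized above (script host launching PowerShell with the quoted Bypass/Hidden flags, PowerShell parenting MsBuild.exe, and MsBuild.exe connecting out on port 8443). The sample events, the wscript.exe parent, the executable paths and the rule names are constructed assumptions, not telemetry from the report.

```python
import re

# Constructed sample events (Sysmon-style process-create and network-connect
# records), not telemetry from the report. The wscript.exe parent, the paths
# and the 8443 destination are assumptions drawn from the summary above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe", "image": PS,
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden "
            r"-File C:\Temp\ps_qnSEGUkU0LIY_1777592585573.ps1"},
    {"type": "process", "parent": PS, "image": MSBUILD, "cmd": "MSBuild.exe"},
    {"type": "network", "image": MSBUILD, "dest_ip": "77.83.39.211", "dest_port": 8443},
    # Benign admin use of PowerShell that must not fire.
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": "powershell.exe -NoProfile -Command Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
HIDDEN = re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (text after the last backslash)."""
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(ev: dict) -> list[str]:
    """Return the names of the campaign-specific rules this event satisfies."""
    hits, image = [], basename(ev.get("image", ""))
    if ev["type"] == "process":
        parent, cmd = basename(ev.get("parent", "")), ev.get("cmd", "")
        # T1059.001: the launch flags quoted in the report (Bypass + hidden window).
        if image == "powershell.exe" and BYPASS.search(cmd) and HIDDEN.search(cmd):
            hits.append("powershell_bypass_hidden")
        # T1059.007 -> T1059.001: a script host spawning PowerShell (dropper stage).
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            hits.append("script_host_spawns_powershell")
        # T1055.012: PowerShell parenting MsBuild.exe, the hollowing target.
        if parent == "powershell.exe" and image == "msbuild.exe":
            hits.append("powershell_spawns_msbuild")
    elif ev["type"] == "network":
        # T1105/T1041: a build tool talking out on the report's C2 port.
        if image == "msbuild.exe" and ev.get("dest_port") == 8443:
            hits.append("msbuild_outbound_8443")
    return hits

def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index to rule hits, keeping only events that matched."""
    return {i: h for i, ev in enumerate(events) if (h := match_rules(ev))}
```

Each rule alone is noisy on a busy host; the value is in the parent/child sequence landing on the same endpoint within a short window, which is what a SIEM correlation over the returned hits should require.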