Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

MITRE Techniques

• [T1566.001 ] Phishing: Spearphishing Attachment – The campaign delivers a malicious RAR attachment through a fake purchase-order email (‘disguised as purchase orders’ and ‘an attached RAR archive’).
• [T1059.007 ] JavaScript – The attachment contains and runs a malicious JavaScript file (‘a malicious JavaScript file named kpankocrs.js is present’).
• [T1059.001 ] PowerShell – The JavaScript decrypts and launches a PowerShell script (‘executes the PowerShell file’ and ‘powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden’).
• [T1027 ] Obfuscated Files or Information – Multiple stages are obfuscated and encoded (‘obfuscated JavaScript code’, ‘Base64-encoded data’, and ‘decrypted using an XOR-with-rotation method’).
• [T1027.013 ] Embedded Payloads – The malware stores and extracts payloads from resources (‘extracts and executes two .NET modules in memory’ and ‘loads data from the resource named “Eqxcpvgf.Ybrgdoxas”’).
• [T1055.012 ] Process Hollowing – The malware injects a .NET module into a suspended trusted process (‘conduct the process hollowing’ and target process ‘MsBuild.exe’).
• [T1106 ] Native API – The process hollowing chain uses Windows APIs to manipulate the target process (‘CreateProcessA(), ZwUnmapViewOfSection(), ReadProcessMemory(), WriteProcessMemory(), VirtualAllocEx(), GetThreadContext(), SetThreadContext(), and ResumeThread()’).
• [T1105 ] Ingress Tool Transfer – The downloader retrieves plugin modules from the C2 server (‘download additional plugin modules from its C2 server’).
• [T1027.015 ] Compressed Files and Information – The malware uses GZip compression on payloads and stolen data (‘compresses it with GZip’ and ‘gunzips the DES-decrypted data’).
• [T1041 ] Exfiltration Over C2 Channel – Stolen data is sent back to the attacker via HTTP POST requests (‘transmitting it to the C2 server’ and ‘POST /browser’, ‘POST /discord’, ‘POST /crypto’).
• [T1119 ] Automated Collection – The malware gathers large sets of data from the victim system (‘collect sensitive data’ including browser, Discord, wallet, and application data).