Concise Cyber

Purelogs Infostealer Deployed in New Malspam Campaign Targeting German Users

Security researchers at Fortinet FortiGuard Labs have identified a new malspam campaign designed to distribute the Purelogs information stealer. The campaign specifically targets German-speaking users with phishing emails crafted to appear as legitimate invoices.

Dissecting the Infection Chain

The attack begins with a malspam email written in German, using the subject line “Bitte bestätigen Sie die Angaben in der angehängten Rechnung,” which translates to “Please confirm the information in the attached invoice.” Attached to this email is an ISO file named “Rechnung-Nr-6169055.iso”.

Inside the ISO image is a single LNK file, “Rechnung-Nr-6169055.pdf.lnk”. When a user opens this shortcut, it executes a PowerShell command. The command uses the built-in certutil utility to download a ZIP archive named “WEXT.zip” from a remote server, extracts the archive’s contents to the temporary folder (%temp%), and then runs an executable file, “wext.exe”.

Purelogs Payload Analysis and Data Exfiltration

The “wext.exe” file is a heavily obfuscated .NET dropper that deploys the final payload: the Purelogs infostealer. Purelogs is also a .NET binary designed for comprehensive data theft. It gathers a wide range of information from an infected system, including OS details, CPU, RAM, and GPU specifications.

The stealer targets credentials, cookies, autofill data, credit card details, and browsing history from more than 30 Chromium-based web browsers. It also seeks out data from cryptocurrency wallets, messaging applications, and FTP clients such as FileZilla and WinSCP. To maintain its presence on the system, Purelogs creates a scheduled task to run itself every 10 minutes. All stolen data is compressed into a ZIP file and exfiltrated to a command-and-control (C2) server using an HTTP POST request.

Source: https://securityaffairs.com/185066/cyber-crime/dissecting-a-new-malspam-chain-delivering-purelogs-infostealer.html