VEIL#DROP Malware Chain Exploits Blogger to Deploy PureLogs Information Stealer
Cybersecurity experts have identified a sophisticated multi-stage malware delivery system that leverages social engineering tactics and Blogger pages to deploy an information stealer known as PureLogs. This attack chain, dubbed VEIL#DROP by Securonix, signifies a troubling evolution in malware distribution methods, utilizing trusted platforms to bypass security measures.
Overview of the VEIL#DROP Attack Chain
The VEIL#DROP malware chain is suspected to initiate through spear-phishing campaigns or drive-by compromises, where unsuspecting users inadvertently visit websites controlled by attackers. The infection process begins with a JavaScript file disguised as a document (e.g., transcript.pdf.js), which executes via Windows Script Host. The script then launches PowerShell with the execution policy bypassed, allowing the subsequent malicious stages to run.
According to researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, the PowerShell script retrieves a next-stage payload hosted on a Blogger site, specifically “htlwub00klocate.blogspot.com.” This tactic allows attackers to exploit Google’s trusted infrastructure, effectively blending malicious activities with legitimate web traffic.
The Role of PowerShell in the Infection Process
The PowerShell payload serves as a conduit for loading seemingly benign web pages, such as Google, creating the illusion that a PDF document is being opened. Meanwhile, the infection process continues unnoticed in the background, ultimately leading to the deployment of PureLogs Stealer. This .NET-based infostealer is adept at harvesting sensitive data from compromised systems.
The PowerShell loader is designed to ensure unrestricted execution of subsequent commands. It terminates processes like “wscript.exe” to minimize forensic traces, deletes the initial JavaScript file to eliminate evidence, and decrypts embedded payloads. Following successful XOR decryption, the loader transitions into a highly evasive component of the VEIL#DROP framework, characterized by dynamic stage generation and runtime mutation.
Evasion Techniques Employed by VEIL#DROP
Securonix highlights that the malware avoids static indicators, such as hard-coded URLs, by dynamically constructing the next-stage payload location during execution. Each execution generates a unique blogspot.com URL by inserting a random number of forward slashes, thereby circumventing static URL signatures and filtering mechanisms.
Additionally, the decoded script employs runtime mutation and polymorphism, replacing placeholder values with randomly generated strings during execution. This variability is intended to thwart detection efforts by traditional antivirus solutions. The reconstructed script is executed entirely in memory, leaving no artifacts on disk, which enhances its stealth.
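The slash-padding trick described above defeats exact-match URL signatures but not a detector that canonicalises URLs before comparison. The following is an added defender-side example, not code from Securonix or from the original reporting: it collapses runs of forward slashes (assumed to be inserted into the path or immediately after the scheme separator) so that every randomised variant of a Blogger URL reduces to one canonical form, and then checks the host against a watchlist. The Blogger host comes from the report; the sample URLs and the second watchlist entry are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts to hunt for. The first is the Blogger host named in the Securonix report;
# the second is a constructed entry showing the list is not tied to one value.
WATCHLIST_HOSTS = {
    "htlwub00klocate.blogspot.com",   # from the report
    "example-lure.blogspot.com",      # constructed placeholder
}


def normalize_url(url: str) -> str:
    """Canonicalise a URL so slash-padded variants compare equal.

    Assumption: the loader pads with '/' either right after 'https:' or inside
    the path. Both cases are collapsed; scheme and host are lower-cased; an
    empty path becomes '/'.
    """
    u = url.strip()
    # 'https:////host/...' -> 'https://host/...'
    u = re.sub(r"^(https?:)/+", r"\1//", u, flags=re.IGNORECASE)
    parts = urlsplit(u)
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    host = (parts.hostname or "").lower()
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, parts.fragment))


def host_of(url: str) -> str:
    """Return the lower-cased host of an already-normalised URL."""
    return (urlsplit(url).hostname or "").lower()


def hunt(urls):
    """Normalise each raw URL and flag those whose host is on the watchlist.

    Returns a list of dicts so the caller can see both the raw string
    (what a static signature would have been matched against) and the
    canonical form that actually made the match possible.
    """
    findings = []
    for raw in urls:
        norm = normalize_url(raw)
        findings.append({
            "raw": raw,
            "normalized": norm,
            "host_flagged": host_of(norm) in WATCHLIST_HOSTS,
        })
    return findings


# Constructed sample: three padding variants of one Blogger URL plus the benign
# page the loader opens as a decoy. The path segments are invented.
SAMPLE_URLS = [
    "https://htlwub00klocate.blogspot.com/2025/01/post.html",
    "https://htlwub00klocate.blogspot.com///2025////01//post.html",
    "https:////htlwub00klocate.blogspot.com/2025/01/post.html",
    "https://www.google.com/",
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_URLS):
        print(("FLAG " if f["host_flagged"] else "ok   ") + f["raw"] + "  ->  " + f["normalized"])
```

The three padded variants are distinct strings, so a signature on any one of them misses the other two; after normalisation they are identical, which is why URL canonicalisation belongs in front of any host or URL watchlist in proxy and DNS telemetry.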
Fallback Execution Methods
In scenarios where security controls prevent direct execution of recovered .NET assemblies from memory, the loader incorporates fallback methods using Microsoft-signed binaries. These include “regsvcs.exe,” “installutil.exe,” “msbuild.exe,” and “aspnet_compiler.exe.” By relying on these trusted binaries, attackers can further obscure their activities and evade detection.
The researchers note that the loader does not depend on any single living-off-the-land (LotL) binary. Instead, it employs a cascading execution model, attempting various methods until one succeeds. This approach enhances the malware’s resilience against detection and mitigation efforts.
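Because the loader cascades through several Microsoft-signed binaries, a detection keyed to any single one of them is brittle; the durable signal is the parent-child relationship (script host launching PowerShell with the execution policy bypassed, and PowerShell launching a .NET utility), together with the double-extension lure name. The following is an added example, not code from Securonix or from the original reporting: it runs those three checks over constructed process-creation events. Parent-child linking by PID is a simplification of what Sysmon or EDR telemetry provides, the lure-extension lists and the execution-policy pattern are assumptions, and every sample event is constructed.

```python
import re
from dataclasses import dataclass

# The four signed binaries the report names as fallback executors.
LOLBIN_FALLBACKS = {"regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumed extension lists for the "document.script" masquerade (e.g. transcript.pdf.js).
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
SCRIPT_EXT = {"js", "jse", "vbs", "wsf", "hta"}

# Loose pattern for PowerShell's execution-policy switch, which accepts
# abbreviated parameter names (-ep, -ex, -exec, -ExecutionPolicy).
EP_BYPASS = re.compile(r"-e[a-z]*\s+bypass", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (a simplification of Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_double_extension_lure(filename: str) -> bool:
    """True for names like transcript.pdf.js: a document extension followed by a script extension."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXT and parts[2] in SCRIPT_EXT


def analyse(events):
    """Return (pid, rule, evidence) tuples for events matching the chain's three stages."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        name = image_name(e.image)

        # Stage 1: a script host opening a double-extension lure.
        if name in SCRIPT_HOSTS:
            for token in e.cmdline.split():
                if is_double_extension_lure(token.strip('"')):
                    findings.append((e.pid, "double-extension script lure", token))

        # Stage 2: script host -> PowerShell with the execution policy bypassed.
        if name == "powershell.exe" and pname in SCRIPT_HOSTS and EP_BYPASS.search(e.cmdline):
            findings.append((e.pid, "script host -> powershell with ExecutionPolicy Bypass", e.cmdline))

        # Stage 3: PowerShell -> one of the signed .NET fallback executors.
        if name in LOLBIN_FALLBACKS and pname == "powershell.exe":
            findings.append((e.pid, f"powershell -> {name} (LOLBin fallback)", e.cmdline))
    return findings


# Constructed sample telemetry: one full chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\Downloads\transcript.pdf.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File stage.ps1"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
              r"regsvcs.exe C:\Users\victim\AppData\Local\Temp\stage.dll"),
    # Benign: PowerShell from Explorer without a bypass, and MSBuild from Explorer.
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
    ProcEvent(600, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
              "msbuild.exe build.proj"),
]


if __name__ == "__main__":
    for pid, rule, evidence in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {evidence}")
```

Only the three events that form the chain are reported; the developer's MSBuild run and the routine PowerShell command are not, because their parent is Explorer. In production the third rule would be one of several parent conditions (the report says the loader tries methods until one succeeds), and the lure check should also be applied to file-creation and download events, since the loader deletes the .js file after it runs.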
Broader Implications of PureLogs Deployment
The ramifications of a PureLogs infection extend beyond the initially compromised endpoint. The data harvested can facilitate deeper infiltration into the target environment, enabling attackers to establish persistence, conduct lateral movement, and potentially breach cloud infrastructure.
Securonix emphasizes that the combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, and fileless execution illustrates a deliberate strategy to evade traditional security measures. This operational stealth is maintained throughout the infection lifecycle, posing significant risks to organizations.
The emergence of the VEIL#DROP malware chain underscores the need for enhanced vigilance and adaptive security measures in the face of evolving cyber threats. Organizations must prioritize robust defenses against sophisticated attack vectors that exploit trusted platforms and social engineering tactics.
For further insights into this evolving threat landscape, refer to the original reporting source: thehackernews.com.