Copyright Complaint Lures Linked to New PureLog Stealer Credential Theft Wave

Criminals are actively deploying the PureLog Stealer malware through a sophisticated, multi-stage assault campaign that disguises itself as legitimate copyright infringement notifications.

This data-stealing malware operates silently to extract sensitive information, including browser credentials, browser extensions, cryptocurrency wallet details, and comprehensive system data.

The attack specifically targets organizations in the healthcare, government, education, and hospitality sectors across Germany, Canada, the United States, and Australia.

 Infection chain of the attack (Source: Trendmicro)

Security defenses now use specialized detection models monitoring suspicious executable downloads originating from URLs containing targeted advertising tracking parameters.

The Multi-Stage Infection Chain

According to Trend Micro, the attack sequence begins when a victim executes a malicious file disguised as a legal intellectual property document.

To avoid immediate detection, the malware executes a benign decoy PDF while the malicious payload operates silently in the background.

The malware uses the system command-line tool curl, with the custom “curl/meow_meow” user-agent string, to download an encrypted payload masquerading as an invoice PDF.

Instead of storing the decryption password locally, the malware dynamically retrieves this key from a remote command-and-control server.

This remote key retrieval prevents easy analysis of the payload without active network access and enables operators to closely control payload retrieval.

Upon obtaining the password, the malware extracts the encrypted payload using a renamed WinRAR application disguised as a standard PNG image file.

Advanced Evasion and Loader Capabilities

Following extraction, the malware securely erases staging files and shifts operations into a public Windows directory to mimic legitimate system behavior.

It subsequently executes a fileless Python loader. This loader, renamed as a standard Windows service host component, runs an obfuscated Python script labeled deceptively as a PDF instruction manual.

This Python loader features advanced capabilities specifically designed to bypass modern security measures.

Malicious Lure download from an unknown source (Source: Trendmicro)

It directly patches the Antimalware Scan Interface in memory to disable security scanning.

The loader establishes registry persistence under the current user to ensure automatic execution upon each system login.

It also conducts comprehensive system fingerprinting by enumerating antivirus products and captures full-screen desktop images, storing the resulting files entirely in memory before exfiltration.

In its final stage, the Python script concurrently launches two identical .NET loaders, providing built-in operational redundancy.

 Infection chain for PureLog Stealer (Source: Trend Micro)
 Infection chain for PureLog Stealer (Source: Trend Micro)

These loaders are heavily protected by ConfuserEx, an advanced obfuscator that fragments application control flow to hinder static analysis.

They utilize Triple-DES encryption and GZip compression algorithms to successfully decrypt the final payload.

The PureLog Stealer is then reflectively loaded directly into system memory.

By executing entirely within the managed memory heap and writing no operational files to the physical hard drive, the malware evades traditional endpoint detection tools monitoring standard file creation events.

Indicators of Compromise (IOCs)

Indicator Type Value Description
SHA-256 35efc4b75a1d70c38513b4dfe549da417aaa476bf7e9ebd00265aaa8c7295870 Malicious ZIP Archive Lure
SHA-256 1539dab6099d860add8330bf2a008a4b6dc05c71f7b4439aebf431e034e5b6ff Malicious Executable Lure
SHA-256 ac591adea9a2305f9be6ae430996afd9b7432116f381b638014a0886a99c6287 Shellcode Loader (urlmon.dll)
Domain quickdocshare[.]com Payload Hosting & Key Retrieval
Domain logs[.]bestshopingday[.]com PureLog Stealer C&C Infrastructure
IP Address 166.0.184.127 PureLog Stealer C&C Server
IP Address 64.40.154.96 Outbound Connection Target

Related Articles

Back to top button