Stealthy PureLogs Variant Leverages Process Hollowing and MSBuild.exe for Data Exfiltration
A sophisticated phishing campaign has been identified distributing a highly evasive variant of the PureLogs malware. This iteration distinguishes itself through the use of advanced anti-analysis and evasion tactics, specifically targeting endpoint security by employing process hollowing via legitimate Windows binaries like MsBuild.exe.
The campaign’s primary objective is the silent exfiltration of high-value data, including browser credentials, session tokens, and cryptocurrency assets, all while maintaining a minimal on-disk footprint to bypass traditional signature-based detection.
The Initial Infection Vector: Social Engineering & Script Execution
The attack lifecycle begins with a targeted social engineering phase. Threat actors deploy phishing emails masquerading as legitimate purchase orders. These emails entice victims to download and extract a malicious RAR archive. While modern email gateways may flag some of these lures, the campaign relies on the high success rate of deceptive subject lines to bypass human and technical scrutiny.
Upon extraction, the user triggers an obfuscated JavaScript file. This script serves as a lightweight dropper that performs the following sequence:
- Decrypts an embedded, obfuscated PowerShell payload.
- Drops the payload into the
%TEMP%directory using a randomized filename to evade file-name-based detection. - Executes the script via PowerShell using the
-ExecutionPolicy Bypassflag to circumvent local security restrictions.
The infection chain of the malicious campaign (Source: FortiGuard Labs).
To maintain stealth, the PowerShell payload utilizes an XOR-based decryption routine to decode Base64-encoded data at runtime. By utilizing Invoke-Expression (IEX), the malware executes the decrypted code directly in memory, achieving a “fileless” state that complicates forensic recovery and memory analysis.
Advanced Evasion: Process Hollowing in MSBuild.exe
A critical technical component of this campaign is the transition from a script-based execution to a more robust, resident process. According to technical analysis from FortiGuard Labs, the malware loads a specialized .NET module designed to perform process hollowing.
The malware identifies a legitimate Windows process—specifically MsBuild.exe—and creates it in a suspended state. It then uses a combination of Windows APIs, including CreateProcessA, WriteProcessMemory, and ResumeThread, to unmap the legitimate code and replace the memory space with the malicious payload. This allows the malware to hide its activity under the guise of a trusted Microsoft process, effectively neutralizing many behavior-based endpoint detection and response (EDR) tools.
Execution of the decrypted PowerShell code (Source: FortiGuard).
Once MsBuild.exe is hijacked, a secondary .NET downloader is deployed. This component establishes communication with a Command-and-Control (C2) server to fetch additional plugins. To thwart network inspection, all C2 traffic is protected via AES encryption, utilizing randomized initialization vectors (IVs) to ensure that no two network requests look identical.
Data Exfiltration and the PureLogs Plugin
The terminal stage of the attack involves the deployment of a fileless PureLogs plugin (e.g., zgSGkYYzqVe.dll). This module is heavily protected by commercial .NET obfuscators, making manual reverse engineering exceptionally difficult. Once resident in memory, the plugin performs an aggressive sweep of the host system:
- System Profiling: Collection of OS versions, hardware identifiers, usernames, and active process lists.
- Credential Theft: Direct access to browser SQLite databases to extract login credentials, session cookies, and autofill data.
- Application Hijacking: Targeting Discord authentication tokens to allow for unauthorized account access.
- Financial Theft: Scanning for cryptocurrency wallets to harvest private keys and transaction histories.
- Visual Surveillance: Periodic screenshot capture of the victim’s desktop.
Breaking at the entry point method of the plugin module (Source: FortiGuard).
All harvested data is compressed, encrypted, and exfiltrated via HTTP POST requests to the attacker’s infrastructure. The modular architecture of PureLogs ensures that the attacker can dynamically update their capabilities by pushing new plugins to infected hosts in real-time.
Mitigation Strategies
To defend against this level of sophistication, organizations should move beyond simple signature-based defenses and implement a layered security posture:
- Endpoint Monitoring: Implement strict monitoring for suspicious child processes of
MsBuild.exe,powershell.exe, andcmd.exe. - Script Control: Enforce Constrained Language Mode in PowerShell and utilize AppLocker or Windows Defender Application Control (WDAC) to restrict unauthorized script execution.
- Network Defense: Monitor for unusual outbound HTTP/HTTPS traffic to unknown IP addresses, specifically looking for high-frequency POST requests.
- Email Security: Enhance attachment sandboxing and implement strict rules regarding macro-enabled or compressed files from external sources.
Indicators of Compromise (IOCs)
C2 Infrastructure:
Primary IP/Port: hxxps://77[.]83.39.211:8443
Targeted Endpoints (URLs):
hxxps://77[.]83.39.211:8443/pinghxxps://77[.]83.39.211:8443/pluginhxxps://77[.]83.39.211:8443/userinfohxxps://77[.]83.39.211:8443/browserhxxps://77[.]83.39.211:8443/discordhxxps://77[.]83.39.211:8443/cryptohxxps://77[.]83.39.211:8443/applicationhxxps://77[.]83.39.211:8443/filesearch/reqhxxps://77[.]83.39.211:8443/finish
Note: IP addresses are intentionally defanged to prevent accidental resolution. Re-fang only within controlled environments.