New campaign leverages PawsRunner steganography loader to deploy PureLogs infostealer via phishing. Attack abuses environment variables, AES/RC4 encryption, and PNG-based steganography to evade detection.

In brief - A sophisticated phishing campaign uses TXZ archives to deliver PawsRunner, a .NET loader that hides encrypted payloads in cat-themed PNGs via steganography. The final payload, PureLogs infostealer, exfiltrates data via AES-encrypted HTTP requests, demonstrating advanced evasion tactics.

Technically - The attack begins with obfuscated JavaScript in environment variables, launching conhost.exe to execute PowerShell. PawsRunner dynamically loads payloads by decrypting RC4-encoded URLs, fetching PNGs with embedded data (iTXt/IEND chunks), and decrypting them to retrieve .NET executables. PureLogs uses AES-256-CBC and Gzip compression, harvesting data asynchronously and exfiltrating via HTTPS to multiple C2 endpoints. The loader bypasses ETW and Windows 11 (24H2) security features, employing reflection and fallback mechanisms.

Source: https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography

#Cybersecurity #ThreatIntel