EXECUTIVE SUMMARY
The attackers behind this campaign combine social engineering with advanced malware techniques to compromise systems. They have targeted various sectors, including finance, healthcare, and government, with the primary goal of stealing sensitive data. The attackers deliver the malware through phishing emails carrying malicious attachments; the malware then uses steganography to hide its presence and evade detection.
The infection chain begins with a phishing email that delivers a TXZ archive containing a JavaScript file. The script stores its decoded malicious commands in environment variables and then launches a decrypted steganographic .NET loader, which retrieves the final payload by extracting encrypted data hidden inside a cat image. Keeping the commands in environment variables makes them harder to detect, and the malware's C2 communications run over HTTPS, which makes them harder to intercept and analyze.
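As an added example (not code from this report or from the referenced analyses), here is a triage check a defender could run over image attachments. The report does not say how the loader hides its data in the cat image, so the check assumes one common embedding method, an encrypted blob appended after the PNG IEND chunk, and flags a file whose trailing bytes are large and high-entropy; the sample images are constructed inline.

```python
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past IEND, or -1 if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    return -1


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def trailing_payload(data: bytes) -> dict:
    """Report bytes appended after IEND; large, high-entropy tails are worth a closer look."""
    end = png_end_offset(data)
    if end < 0:
        return {"valid_png": False, "trailing_bytes": 0, "entropy": 0.0, "suspicious": False}
    tail = data[end:]
    ent = shannon_entropy(tail)
    # Thresholds are assumptions for this example, not values from the report.
    return {"valid_png": True, "trailing_bytes": len(tail), "entropy": round(ent, 2),
            "suspicious": len(tail) >= 64 and ent > 7.0}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used only as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\xff\xff\xff")) + _chunk(b"IEND", b"")


CLEAN_PNG = build_sample_png()
# Constructed stand-in for an appended encrypted blob: 4096 seeded pseudo-random bytes.
TAINTED_PNG = CLEAN_PNG + random.Random(1337).randbytes(4096)
```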
This threat is significant because it is highly targeted and difficult to detect: steganography hides the malware from traditional security solutions, and HTTPS C2 traffic is harder to intercept and analyze. Organisations should take this threat seriously and act immediately: patch all systems, monitor for suspicious activity, and implement robust endpoint protection. Organisations should also have a robust incident response plan in place in case they are compromised.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1027.003 | Obfuscated Files or Information | Steganography |
| Defense Evasion | T1620 | Reflective Code Loading | — |
| Defense Evasion | T1027.004 | Obfuscated Files or Information | Compile After Delivery |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/pawsrunner-steganography-loader-purelogs-infostealer-campaign/
https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography