Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks

  Rassegna Stampa, Security
image_pdfimage_print

Securonix has uncovered a sophisticated multi-stage malware delivery framework that uses compromised websites and social engineering to infect users with information stealers.

Dubbed Veil#Drop, the framework combines JavaScript launchers and PowerShell download cradles for the deployment and execution of malware hosted on Blogspot, Google’s trusted infrastructure.

The infection chain begins with a JavaScript file posing as a document, designed to launch PowerShell code and evade execution policies. The PowerShell retrieves additional payloads from attacker-controlled Blogspot pages.

The Blogspot-hosted payload displays a decoy document, terminates specific processes, and decrypts embedded content. The decoded code generates additional Blogspot URLs and executes subsequent payloads directly in memory.

“A second-stage loader contains XOR-encoded .NET assemblies stored as large embedded data blobs that are reconstructed and decrypted at runtime, preventing straightforward static analysis and reducing the effectiveness of signature-based detection mechanisms,” Securonix explains.

The sophisticated infection chain also contains several fallback mechanisms, abusing trusted Microsoft-signed binaries for code execution and defense evasion.

Advertisement. Scroll to continue reading.

“The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and LOLBIN abuse demonstrates a deliberate effort to evade traditional antivirus solutions, reduce forensic artifacts, and maintain operational stealth throughout the infection lifecycle,” Securonix notes.

In the end, the victim’s machine is infected with PureLog Stealer, a .NET-based information stealer that performs system reconnaissance and starts harvesting data from Google Chrome. Microsoft Edge, Firefox, Brave Browser, Opera, and Chromium-based browsers.

The malware targets credentials, cookies, autofill data, session tokens, browsing histories, and other sensitive information stored in the browsers. It also searches for cryptocurrency wallet information on the victim’s machine.

Additionally, PureLog Stealer can harvest information from messaging applications, email clients, remote access software, FTP clients, cloud storage applications, developer tools, and password managers. The malware packages the harvested information and sends it to attacker-controlled servers in an encrypted form.

Given PureLog Stealer’s extensive data harvesting capabilities, a single infected workstation could lead to broader environment compromise, depending on the credentials, tokens, keys, and other secrets stored on the system.

“In enterprise environments, information stealers are frequently the first stage of larger intrusion campaigns. Stolen credentials may later be used to deploy ransomware, conduct data theft operations, perform business email compromise attacks, or facilitate long-term espionage activities,” Securonix notes.

Related: Critical SimpleHelp Vulnerability Exploited for Malware Delivery

Related: CryptoBandits Malware Doubles as a Backdoor, Abuses Tor

Related: Rokarolla Banking Trojan Targets 200 Applications

Related: Infostealers Turn Millions of Devices Into Credential Theft Machines

https://www.securityweek.com/blogspot-hosted-payloads-delivered-in-veildrop-attacks/