FortiGuard Labs has analyzed a steganography-based malware campaign that uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods and detection strategies.
Analysis Summary
# Tool/Technique: PureLogs & PawsRunner Steganography Campaign
## Overview
This campaign utilizes a multi-stage delivery mechanism involving an initial phishing vector to deploy the **PawsRunner** steganography loader. PawsRunner is designed to download and extract malicious payloads hidden within image files (PNG) to deliver the **PureLogs** infostealer. PureLogs is a .NET-based malware family specialized in harvesting sensitive information from compromised Windows environments while utilizing evasion techniques like reflection and headless execution.
## Technical Details
- **Type**: Malware family (PureLogs) and Steganographic Loader (PawsRunner)
- **Platform**: Microsoft Windows
- **Capabilities**: Steganography, fileless execution, credential theft, browser data harvesting, anti-analysis.
- **First Seen**: May 2026 (Per FortiGuard report)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.001 - Phishing: Spearphishing Attachment]
- **[TA0002 - Execution]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1059.007 - Command and Scripting Interpreter: JavaScript]
  - [T1620 - Reflective Code Loading]
- **[TA0005 - Defense Evasion]**
  - [T1027.003 - Obfuscation: Steganography]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
  - [T1134 - Access Token Manipulation]
- **[TA0009 - Collection]**
  - [T1539 - Steal Web Session Cookie]
  - [T1555 - Credentials from Password Stores]
## Functionality
### Core Capabilities
- **Multi-lingual Obfuscation**: Uses JavaScript with comments in multiple languages to confuse automated analysis.
- **Environment Variable Abuse**: Stores malicious commands in process environment variables to hide the execution chain.
- **Steganographic Extraction**: Downloads PNG files (often featuring cat icons) and extracts hidden encrypted payloads using specific offsets/magic numbers.
- **Fileless Loading**: Utilizes .NET reflection to load assemblies directly into memory without writing the final payload to disk.
### Advanced Features
- **Library Resolution**: Dynamically resolves native API functions to minimize the import table.
- **Network API Rotation**: Cycles through `HttpClient`, `WebClient`, and `WebRequest` to bypass specific network monitoring rules.
- **Headless Execution**: Launches `conhost.exe` and PowerShell with hidden window flags (`-w hidden`) to minimize user visibility.
## Indicators of Compromise
- **File Hashes (SHA256)**:
  - 8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588
  - 6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9
  - 93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e
- **Network Indicators**:
  - **C2 IP**: 5[.]101[.]84[.]202
  - **Payload URL**: hxxps://everycarebd[.]com/imagelkjh0987[.]png
- **Behavioral Indicators**:
  - Unusually large amounts of data stored in process environment variables.
  - PowerShell invoked with `-w hidden` or encoded commands.
  - Inbound network requests specifically requesting `image/png` followed by execution of new .NET assemblies.
## Associated Threat Actors
- Currently associated with operators of the **PureLogs** botnet. Specific state-sponsored or named groups were not identified in this report.
## Detection Methods
- **Signature-based**: Deployment of IPS signatures (e.g., Purelogs.Botnet) to block C2 communication.
- **Behavioral**: Monitoring for `conhost.exe` spawned by script engines with hidden windows.
- **Content Inspection**: Scanning for anomalous headers or appended data in PNG files that do not conform to standard image formats.
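As an added example (not code from the FortiGuard report or from either malware family), the following Python turns two of the indicators above, hidden-window or encoded PowerShell invocations and `conhost.exe` spawned by a script engine, into checks over process-creation events. The events, the script-engine list and the benign encoded sample command are constructed here; the field names mirror Windows Event ID 4688 but are an assumption about your telemetry schema.

```python
"""Added example (not from the FortiGuard report): apply the behavioral
indicators above to process-creation telemetry.  Events are constructed here
in the shape of Windows Security Event ID 4688 fields (assumed schema); real
input would be a SIEM/EDR export with the same fields."""
import base64
import ntpath
import re

# Script hosts whose child conhost.exe deserves a second look (assumed list).
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -win, ...).
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden\b")
# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
# "-ep" (ExecutionPolicy) and "-ex" are deliberately not matched.
ENCODED_COMMAND = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(blob):
    """-EncodedCommand carries UTF-16LE text; return it, or None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return one finding per (event, rule) pair that matches."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent_image"]).lower()
        cmd = ev.get("command_line", "")
        if image == "conhost.exe" and parent in SCRIPT_ENGINES:
            findings.append({"pid": ev["pid"], "rule": "script_engine_spawned_conhost",
                             "detail": f"parent={parent}"})
        if image in POWERSHELL:
            if HIDDEN_WINDOW.search(cmd):
                findings.append({"pid": ev["pid"], "rule": "hidden_window", "detail": cmd})
            m = ENCODED_COMMAND.search(cmd)
            if m:
                decoded = decode_encoded_command(m.group(1))
                findings.append({"pid": ev["pid"], "rule": "encoded_command",
                                 "detail": decoded if decoded is not None else "<undecodable>"})
    return findings


# Constructed benign payload so the encoded-command path can be exercised offline.
BENIGN_ENCODED = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed; a script engine -> conhost / PowerShell chain plus two benign events
    {"pid": 1001, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"'},
    {"pid": 1002, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 1003, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -w hidden -nop -ep bypass -enc " + BENIGN_ENCODED},
    {"pid": 1004, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"pid": 1005, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f['pid']} rule={f['rule']} detail={f['detail']}")
```

The encoded command is decoded at detection time so an analyst sees the actual script text in the alert rather than a base64 blob; a decode failure is reported as a finding too, since a string that matches the `-enc` shape but is not valid UTF-16LE base64 is itself worth a look.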
## Mitigation Strategies
- **Attachment Filtering**: Block or scrutinize unusual archive formats such as TXZ/XZ at the email gateway.
- **Endpoint Hardening**: Restrict PowerShell execution policies and monitor for reflective loading events (Event ID 7045/4688).
- **Security Awareness**: Educate users on invoice-themed phishing lures and the dangers of opening unexpected compressed archives.
- **CDR (Content Disarm and Reconstruction)**: Use CDR tools to strip potential malicious components from incoming documents and media.
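The content-inspection and CDR points above can be demonstrated with a PNG chunk walk. The following Python is an added example, not code from the report or from PawsRunner: it parses the chunk table, reports non-standard chunk types, bad CRCs, oversized ancillary chunks, a missing IEND and bytes appended after IEND, and rebuilds a copy containing only standard chunks, which is the CDR-style reconstruction. The 1x1 sample image, the private `pAyL` chunk and the appended bytes are constructed inline; the 64 KiB ancillary-chunk threshold is an assumed tuning value.

```python
"""Added example (not code from the FortiGuard report or from PawsRunner):
walk the chunk structure of a PNG, flag anything a well-formed image should
not contain, and rebuild a clean copy with only standard chunks up to IEND.
The sample image and the appended bytes are constructed here so the script
runs offline."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (critical and ancillary).
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}
ANCILLARY_SIZE_LIMIT = 64 * 1024  # assumed threshold; tune for your environment


def _chunk(ctype, payload):
    """Serialize one chunk: 4-byte length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def parse_chunks(data):
    """Return ([(type, payload, crc_ok), ...], bytes_after_last_chunk). Stops at IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):  # declared length runs past end of file
            chunks.append((ctype, data[pos + 8:], False))
            return chunks, b""
        payload = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        crc_ok = stored_crc == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype, payload, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def inspect_png(data):
    """Report deviations from the PNG structure that can carry hidden data."""
    findings = []
    chunks, trailing = parse_chunks(data)
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(payload)} bytes)")
        if not crc_ok:
            findings.append(f"CRC mismatch or truncation in chunk {name}")
        # Ancillary chunks (lowercase first letter) are skipped by decoders, so a
        # large one is a natural carrier.
        if ctype[0:1].islower() and len(payload) > ANCILLARY_SIZE_LIMIT:
            findings.append(f"oversized ancillary chunk {name} ({len(payload)} bytes)")
    has_iend = bool(chunks) and chunks[-1][0] == b"IEND"
    if not has_iend:
        findings.append("missing IEND chunk")
    elif trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    return {"findings": findings, "trailing_bytes": len(trailing),
            "chunk_types": [c[0].decode("latin-1") for c in chunks]}


def sanitize_png(data):
    """CDR-style rebuild: keep only standard chunks with valid CRCs, end at IEND."""
    chunks, _ = parse_chunks(data)
    out = bytearray(PNG_SIGNATURE)
    for ctype, payload, crc_ok in chunks:
        if ctype in STANDARD_CHUNKS and crc_ok:
            out += _chunk(ctype, payload)
    return bytes(out)


def build_clean_sample():
    """Constructed 1x1 RGB PNG: IHDR, one IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_suspicious_sample():
    """Constructed carrier: a private chunk before IEND plus bytes appended after it."""
    clean = build_clean_sample()
    iend = _chunk(b"IEND", b"")
    body = clean[:-len(iend)]
    private = _chunk(b"pAyL", b"CONSTRUCTED-PRIVATE-CHUNK-PAYLOAD")  # stands in for a hidden blob
    return body + private + iend + b"CONSTRUCTED-APPENDED-DATA-AFTER-IEND" * 4


if __name__ == "__main__":
    for label, img in (("clean", build_clean_sample()), ("suspicious", build_suspicious_sample())):
        print(label, inspect_png(img))
    print("sanitized == clean:", sanitize_png(build_suspicious_sample()) == build_clean_sample())
```

Decoders stop reading at IEND and ignore unknown ancillary chunks, so both carriers leave the image displaying normally; that is why a renderer-based check does not catch them and a structural walk is needed. The sanitizer is lossy by design: any non-standard chunk is dropped even when benign, which is the usual CDR trade-off.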
## Related Tools/Techniques
- **PawsRunner**: The specific .NET loader that identifies payloads via "cat" icons.
- **PureLogs**: The primary infostealer payload.
- **Reflective Loading**: The technique used to execute code in memory.