Cybersecurity researchers have uncovered a sophisticated new attack campaign where threat actors are leveraging weaponized PNG files to stealthily deliver the PURELOGS infostealer. This commodity malware, readily available on underground forums, is being distributed through a multi-stage attack chain that bypasses traditional security measures by hiding its payload within seemingly innocuous image files hosted on legitimate infrastructure. The discovery highlights an evolving trend of attackers exploiting trusted services and file formats to obfuscate their malicious activities.
The campaign, identified by security analysts at Swiss Post Cybersecurity, begins with deceptive phishing emails that mimic pharmaceutical invoices. These emails contain a malicious ZIP file, initiating a complex infection process. Upon execution, the malware relies on fileless techniques, making it exceptionally difficult for conventional antivirus software to detect. This innovative approach underscores the growing challenge in identifying and neutralizing modern cyber threats that blur the lines between legitimate and malicious digital activities.
The PURELOGS payload is being delivered using a novel method that employs polyglot PNG files. These files are crafted to be both valid image files and containers for malicious code. Threat actors embed Base64-encoded data within the PNG structure, after the officially recognized end of image data. This allows the image to display correctly in standard viewers while concealing the hidden malware. The malware then extracts and decodes this hidden payload, executing it directly in memory without ever touching the disk.
This discovery by Swiss Post Cybersecurity reveals a careful layering of obfuscation techniques intended to keep the final PURELOGS infostealer payload undetected. Louis Schrmann, a Security Analyst at Swiss Post Cybersecurity, detailed the multi-stage loader, which works through four distinct layers of obfuscation before the payload runs. The attack chain demonstrates a calculated effort by cybercriminals to combine well-known malware with emergent infrastructure staging techniques, maximizing their chances of successful delivery and evasion.
Detection Evasion Through Polyglot PNG Architecture
The ingenuity of this attack lies in its use of the polyglot PNG file architecture as a primary tool for evading detection. Instead of downloading an executable file from a potentially suspicious domain, which would trigger immediate alerts from network monitoring systems, the PowerShell script in the first stage contacts a reputable website, archive.org. This request for an image file from a trusted source appears entirely benign to network defenders and security tools.
The technical sophistication is further evident in the structure of the weaponized PNG. Threat actors embed their Base64-encoded payload after the IEND chunk, the image trailer that formally marks the end of valid PNG image data according to the format specification. The malicious content is placed between custom markers, labeled “BaseStart-” and “-BaseEnd,” effectively hiding it within the image file. Crucially, this placement does not prevent the image from rendering correctly in any standard image viewer, because decoders stop at IEND and ignore whatever follows; the file therefore functions as a legitimate PNG while simultaneously harboring malicious code.
The malware employs a two-stage extraction process. It uses regular expression pattern matching to locate the hidden content between the custom markers, then Base64-decodes the extracted data. The decoded assembly is then loaded directly into memory using .NET Reflection. This method ensures that the executable form of the malware never resides on the disk, rendering file-based antivirus signatures and hash-based detection entirely ineffective. The PowerShell process initiates a hidden execution environment to run the decoded payload via the Invoke-Expression cmdlet, completing the in-memory execution that circumvents disk-based security controls.
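The two properties described above, data appended after the IEND chunk and a Base64 blob wrapped in the reported “BaseStart-” / “-BaseEnd” markers, are exactly what a defender can check for at a mail gateway, proxy or during triage. The following scanner is an added example written for this article; it is not code from the campaign or from Swiss Post Cybersecurity. It walks the PNG chunk list to find where IEND ends, measures any trailing bytes, and looks for the marker pattern, decoding the Base64 to check whether the result begins with the “MZ” header of a Windows executable. The `build_test_png` helper and the blob it wraps are constructed fixtures so the script runs offline; the marker regex and the “MZ” check are assumptions drawn from the description above, not from the actual samples.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Marker strings reported in the write-up above; the regex itself is an assumption.
MARKER_RE = re.compile(rb"BaseStart-(.*?)-BaseEnd", re.DOTALL)


def png_payload_end(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.

    Returns -1 if the data is not a structurally valid PNG (bad signature,
    truncated chunk, or no IEND chunk found).
    """
    if not data.startswith(PNG_SIGNATURE):
        return -1
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + chunk data + 4-byte CRC
        if end > len(data):
            return -1
        if ctype == b"IEND":
            return end
        pos = end
    return -1


def scan_png(data: bytes) -> dict:
    """Report trailing data after IEND and any marker-wrapped Base64 blob."""
    end = png_payload_end(data)
    result = {"valid_png": end != -1, "trailing_bytes": 0,
              "marker_found": False, "decoded_len": 0, "looks_like_pe": False}
    if end == -1:
        return result
    trailer = data[end:]  # a clean PNG has nothing here
    result["trailing_bytes"] = len(trailer)
    m = MARKER_RE.search(trailer)
    if m:
        result["marker_found"] = True
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = b""
        result["decoded_len"] = len(decoded)
        # PE files start with the "MZ" DOS header; a match is a strong signal.
        result["looks_like_pe"] = decoded.startswith(b"MZ")
    return result


def build_test_png(trailer: bytes = b"") -> bytes:
    """Construct a minimal valid 1x1 RGB PNG and append a trailer (test fixture only)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one black pixel
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
            + chunk(b"IEND", b"") + trailer)


# Constructed fixtures: the blob is a harmless string that merely starts with "MZ".
CONSTRUCTED_BLOB = b"MZ-constructed-test-blob-not-a-real-executable"
SUSPICIOUS_PNG = build_test_png(
    b"BaseStart-" + base64.b64encode(CONSTRUCTED_BLOB) + b"-BaseEnd")
CLEAN_PNG = build_test_png()

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("suspicious", SUSPICIOUS_PNG)):
        print(name, scan_png(blob))
```

The chunk walk matters more than the marker regex: the markers are campaign-specific and trivially changed, whereas any non-zero `trailing_bytes` count after IEND is anomalous for a real image and worth flagging on its own, regardless of what follows. In production the same check would be applied to image downloads observed on the proxy, not only to mail attachments, since the article notes the PNG in this chain is fetched from archive.org by the first-stage script.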
The use of archive.org, a site with a well-established reputation for hosting a vast array of digital content, serves as a powerful camouflage. Attackers are effectively weaponizing trust relationships inherent in legitimate internet infrastructure. This allows their malicious traffic to blend seamlessly with normal internet activity, making it significantly harder for security systems to distinguish between legitimate and malicious data transfers. The financial incentive for such attacks is considerable, with PURELOGS operating as a Malware-as-a-Service, offering subscriptions starting at an accessible $150 per month, thereby democratizing access to potent cybercrime tools for individuals with varying technical proficiencies.
As this campaign demonstrates, the landscape of cyber threats continues to evolve, with threat actors constantly developing novel methods to bypass security measures. Organizations must remain vigilant and adapt their security strategies to account for these advanced techniques, emphasizing layered security approaches that include behavioral analysis and memory scanning to combat fileless malware. The continued use of legitimate services and trusted file formats points to an ongoing arms race between attackers and defenders, where the ability to detect and mitigate novel evasion tactics will be paramount.