Navigating the Infostealer Landscape: Understanding PureLogs and Its Implications
The digital age has ushered in unprecedented convenience, but it has also opened the floodgates for cybercriminals. Among the myriad of threats lurking in cyberspace, infostealer malware stands out as a particularly insidious form of attack. The infostealer landscape is crowded and constantly evolving, with countless strains that employ unique methods to compromise systems and exfiltrate sensitive data. This stolen data is a goldmine for threat actors, providing access to a treasure trove of sensitive information—such as usernames, passwords, and credit card numbers stored in victims’ browsers.
The Growing Threat of Infostealers
The low barrier to entry, affordability, and user-friendliness of infostealers mean that even unsophisticated threat actors can readily leverage them, significantly amplifying the risk they pose. In 2023 alone, Flashpoint observed over 53 million compromised credentials and 13 million infected devices attributable to infostealer activity. Staying informed about emerging strains, such as PureLogs, is crucial for security professionals navigating today’s threat landscape.
Combatting Credit Card Fraud with Infostealer Data
In response to the growing threat of credit card fraud, Flashpoint has integrated infostealer data into its Fraud Intelligence offerings. This integration aims to provide organizations with enhanced tools to combat fraudulent activities effectively.
What is PureLogs Infostealer?
PureLogs is a 64-bit information-stealer malware written in C#. It employs multiple stages of assemblies, each packed using the commercial .NET Reactor packer. This stealer is particularly adept at harvesting sensitive data from the Chrome browser, a feature shared by only a few other malware strains, such as Lumma, Vidar, and Meduza.
Techniques, Tactics, and Procedures
PureLogs utilizes various techniques as outlined by the MITRE ATT&CK framework:
- T1140: Deobfuscate/Decode Files or Information
- T1082: System Information Discovery
- T1083: File and Directory Discovery
- T1005: Data from Local System
- T1071: Application Layer Protocol
First appearing for sale on illicit marketplaces in 2022, PureLogs has since been advertised on various underground forums and maintains a presence on the clearnet with a dedicated marketplace. Although direct purchases are no longer facilitated through this website, potential buyers are directed to a Telegram bot for communication and sales inquiries. With prices ranging from USD $99 for one month to $499 for lifetime access, PureLogs is among the cheapest infostealers available.
In addition to the infostealer itself, its creator offers additional “products” for sale, including access to a cryptocurrency miner, clipboard replacement tools, a botnet with DDoS capabilities, and a hidden Virtual Network Computing client.
How PureLogs Works
Understanding the operational mechanics of PureLogs is essential for cybersecurity professionals. The malware operates in three distinct stages:
Stage One: Loading and Execution
The first stage holds a byte array that is decrypted using the Advanced Encryption Standard (AES) algorithm in Cipher Block Chaining (CBC) mode. The AES key and initialization vector (IV) are hardcoded within the binary as Base64-encoded strings. The decrypted data is then decompressed, yielding a C# Dynamic Link Library (DLL) that is loaded and executed in memory via reflection.
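An analyst-side illustration of the stage-one unpacking described above. This is an added example, not code from the article or from PureLogs itself. It assumes gzip compression and PKCS#7 padding, which the article does not specify (a real sample's compression routine has to be confirmed from the decompression call in its first stage), and it constructs its own key, IV and stand-in payload: BuildStageOneBlob plays the role of the encrypted byte array embedded in the first-stage binary, and UnpackStageOne recovers the DLL the way an analyst would after pulling the Base64 key and IV strings out of the binary.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Sample material constructed for this example; not values from a real sample.
var (
	SampleKey     = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	SampleIV      = []byte("fedcba9876543210")                 // 16 bytes, one AES block
	SamplePayload = append([]byte("MZ"), []byte(" constructed stand-in for a .NET DLL")...)
)

// pkcs7Pad appends PKCS#7 padding so the buffer is a whole number of blocks.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips PKCS#7 padding.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("padded data is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// BuildStageOneBlob compresses (gzip, assumed) and AES-CBC encrypts a payload,
// producing the kind of byte array a first stage would carry. Used here only to
// construct test input for the unpacker.
func BuildStageOneBlob(key, iv, payload []byte) ([]byte, error) {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	if _, err := zw.Write(payload); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(zbuf.Bytes(), block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// UnpackStageOne takes the Base64 key and IV strings as found in the binary and the
// encrypted byte array, and returns the embedded assembly after decrypting,
// unpadding and decompressing it. It refuses output that lacks a PE "MZ" header,
// which is the quickest sanity check that the key and IV were the right ones.
func UnpackStageOne(keyB64, ivB64 string, blob []byte) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, fmt.Errorf("key: %w", err)
	}
	iv, err := base64.StdEncoding.DecodeString(ivB64)
	if err != nil {
		return nil, fmt.Errorf("iv: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(iv) != bs || len(blob) == 0 || len(blob)%bs != 0 {
		return nil, errors.New("iv or ciphertext length is not a whole number of AES blocks")
	}
	plain := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, blob)
	if plain, err = pkcs7Unpad(plain, bs); err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, fmt.Errorf("decompress: %w", err)
	}
	defer zr.Close()
	out, err := io.ReadAll(zr)
	if err != nil {
		return nil, fmt.Errorf("decompress: %w", err)
	}
	if len(out) < 2 || out[0] != 'M' || out[1] != 'Z' {
		return nil, errors.New("decrypted data does not start with an MZ header")
	}
	return out, nil
}

func main() {
	blob, err := BuildStageOneBlob(SampleKey, SampleIV, SamplePayload)
	if err != nil {
		panic(err)
	}
	keyB64 := base64.StdEncoding.EncodeToString(SampleKey)
	ivB64 := base64.StdEncoding.EncodeToString(SampleIV)
	out, err := UnpackStageOne(keyB64, ivB64, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes: %q\n", len(out), out)
}
```

The MZ check matters in practice: with a wrong key or IV, CBC decryption still "succeeds" and yields random-looking bytes, so the failure surfaces only at the padding, decompression or header check, and the header check is the one that also catches a wrong compression assumption.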
Stage Two: Payload and Anti-Sandbox Checks
The second stage assembly is responsible for anti-sandbox checks and establishing networking before loading the final infostealer assembly. It checks for the presence of specific DLLs and verifies the Parent Process ID (PPID) to ensure it is not running in a sandbox environment. The malware performs multiple WMI queries to gather hardware information and checks for the presence of strings associated with virtual machines. If all checks are passed, PureLogs establishes a connection with the command and control (C2) server, which can route traffic through Tor.
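A detection-side illustration for the hardware-discovery step described above: a process that fires several hardware-fingerprinting WMI queries in quick succession is a useful hunting signal, since ordinary software rarely needs BIOS, disk, video and chassis details at once. This is an added example, not code from the article or from Flashpoint. The trace lines are constructed and use a simplified rendering of WMI ExecQuery activity rather than any exact event schema, and the list of classes counted as fingerprinting is an assumption for the example; the article says PureLogs queries hardware information through WMI but does not name the queries.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Hardware-discovery classes commonly used for VM fingerprinting. This list is an
// assumption for the example, not indicators taken from PureLogs.
var fingerprintClasses = map[string]bool{
	"WIN32_COMPUTERSYSTEM": true, "WIN32_BIOS": true, "WIN32_DISKDRIVE": true,
	"WIN32_VIDEOCONTROLLER": true, "WIN32_PROCESSOR": true, "WIN32_BASEBOARD": true,
}

// Constructed trace: one bursty process, one service doing unrelated WMI work, and
// one inventory agent issuing a single hardware query (below the threshold).
const sampleTraceRaw = `
2024-05-01T10:00:00Z pid=4120 image="C:\Users\u\AppData\Local\Temp\update.exe" query="SELECT * FROM Win32_ComputerSystem"
2024-05-01T10:00:00Z pid=4120 image="C:\Users\u\AppData\Local\Temp\update.exe" query="SELECT * FROM Win32_BIOS"
2024-05-01T10:00:01Z pid=4120 image="C:\Users\u\AppData\Local\Temp\update.exe" query="SELECT * FROM Win32_DiskDrive"
2024-05-01T10:00:01Z pid=4120 image="C:\Users\u\AppData\Local\Temp\update.exe" query="SELECT * FROM Win32_VideoController"
2024-05-01T10:00:05Z pid=880 image="C:\Windows\System32\svchost.exe" query="SELECT * FROM Win32_Service"
2024-05-01T10:02:00Z pid=2210 image="C:\Program Files\Inventory\agent.exe" query="SELECT * FROM Win32_ComputerSystem"
`

var SampleTrace = strings.Split(strings.TrimSpace(sampleTraceRaw), "\n")

var (
	lineRe = regexp.MustCompile(`^(\S+) pid=(\d+) image="([^"]*)" query="([^"]*)"$`)
	fromRe = regexp.MustCompile(`(?i)\bFROM\s+([A-Za-z0-9_]+)`)
)

type wmiEvent struct {
	ts    time.Time
	pid   int
	image string
	class string // WMI class named in the FROM clause, upper-cased
}

// parseLine extracts timestamp, process and queried class; malformed lines are skipped.
func parseLine(line string) (wmiEvent, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return wmiEvent{}, false
	}
	ts, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return wmiEvent{}, false
	}
	var pid int
	fmt.Sscanf(m[2], "%d", &pid)
	class := ""
	if f := fromRe.FindStringSubmatch(m[4]); f != nil {
		class = strings.ToUpper(f[1])
	}
	return wmiEvent{ts: ts, pid: pid, image: m[3], class: class}, true
}

// Alert names a process that queried at least minClasses distinct hardware classes
// inside a single time window.
type Alert struct {
	PID     int
	Image   string
	Classes []string
}

// DetectFingerprinting groups events per process and slides a window over them,
// counting distinct fingerprinting classes; each process is reported at most once.
func DetectFingerprinting(lines []string, window time.Duration, minClasses int) []Alert {
	byPID := map[int][]wmiEvent{}
	for _, l := range lines {
		if ev, ok := parseLine(l); ok {
			byPID[ev.pid] = append(byPID[ev.pid], ev)
		}
	}
	var alerts []Alert
	for pid, evs := range byPID {
		sort.Slice(evs, func(i, j int) bool { return evs[i].ts.Before(evs[j].ts) })
		for i := range evs {
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].ts.Sub(evs[i].ts) <= window; j++ {
				if fingerprintClasses[evs[j].class] {
					seen[evs[j].class] = true
				}
			}
			if len(seen) >= minClasses {
				classes := make([]string, 0, len(seen))
				for c := range seen {
					classes = append(classes, c)
				}
				sort.Strings(classes)
				alerts = append(alerts, Alert{PID: pid, Image: evs[i].image, Classes: classes})
				break
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].PID < alerts[j].PID })
	return alerts
}

func main() {
	for _, a := range DetectFingerprinting(SampleTrace, 10*time.Second, 3) {
		fmt.Printf("pid %d (%s) queried %v within the window\n", a.PID, a.Image, a.Classes)
	}
}
```

The threshold and window are the tuning knobs: inventory and monitoring agents legitimately query one or two of these classes, so the signal comes from the breadth of classes and the burst, and an allow-list of known agents by image path is the usual next refinement.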
Stage Three: Acquire Data
The third stage assembly contains the core infostealer code. PureLogs is capable of acquiring a wide range of data, including:
- Browsing data from Chrome, Edge, and Opera
- Extensions installed in these browsers
- Information from cryptocurrency wallet applications
- Data from various desktop applications
- Victim machine information
PureLogs can be configured to grab specific folders, files by extension, or files by name and location. Additionally, it can download and execute further payloads from a remote URL. The exfiltrated data can be sent to Telegram, providing threat actors with real-time updates on their victims.
Navigating the Stealer Landscape Using Flashpoint
As the infostealer landscape continues to evolve, PureLogs is poised to gain popularity among threat actors due to its sophisticated evasion techniques and low cost. Understanding the intricacies of such malware is vital for organizations aiming to protect themselves from cyber threats.
The cyber threat landscape is dynamic and complex, with new infostealer strains emerging regularly and threat actors constantly refining their techniques. It is imperative for security teams to have access to timely and comprehensive threat intelligence to stay ahead of these evolving threats. Flashpoint empowers organizations with the insights and tools necessary to navigate this challenging environment. Sign up for a demo today to bolster your cybersecurity defenses.
In conclusion, as infostealer malware like PureLogs becomes increasingly prevalent, understanding its operational mechanics and the broader threat landscape is essential for effective cybersecurity strategies. By staying informed and leveraging advanced threat intelligence, organizations can better protect themselves against these evolving cyber threats.