AI Security AI安全 4d ago Updated 3d ago 更新于 3天前 46

Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks 博客园托管载荷在“Veil#Drop”攻击中交付

Securonix identified Veil#Drop, a sophisticated multi-stage malware framework leveraging compromised websites and social engineering to deploy information stealers. The attack chain utilizes JavaScript launchers and PowerShell download cradles to fetch payloads from trusted Blogspot infrastructure, employing XOR encoding and reflective .NET loading to evade static analysis. Final payload, PureLog Stealer, harvests extensive sensitive data including browser credentials, cookies, session tokens, a Securonix发现名为Veil#Drop的多阶段恶意软件交付框架,利用被入侵网站和社交工程传播信息窃取者。 攻击链结合JavaScript启动器、PowerShell下载器及托管在Blogspot上的载荷,通过XOR编码和反射.NET加载实现免杀。 最终植入PureLog Stealer,具备广泛的数据采集能力,可窃取浏览器凭证、加密货币钱包及各类应用数据。 该框架滥用微软签名二进制文件和可信云服务,旨在规避传统杀毒软件并减少取证痕迹。 信息窃取通常是更大规模入侵活动的第一步,可能导致勒索软件部署或长期间谍活动。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Securonix identified Veil#Drop, a sophisticated multi-stage malware framework leveraging compromised websites and social engineering to deploy information stealers.
  • The attack chain utilizes JavaScript launchers and PowerShell download cradles to fetch payloads from trusted Blogspot infrastructure, employing XOR encoding and reflective .NET loading to evade static analysis.
  • Final payload, PureLog Stealer, harvests extensive sensitive data including browser credentials, cookies, session tokens, and cryptocurrency wallet information from multiple applications.
  • The framework employs defense evasion techniques such as process termination, LOLBIN abuse, and fileless execution to minimize forensic artifacts and maintain operational stealth.
  • Infected workstations serve as entry points for broader enterprise compromises, potentially leading to ransomware deployment, data theft, or business email compromise attacks.

Why It Matters

This case highlights the increasing trend of threat actors abusing trusted cloud services like Blogspot to host malicious payloads, making detection significantly harder for traditional security controls. It underscores the critical risk posed by information stealers as initial access brokers in complex intrusion campaigns, necessitating robust monitoring of user behavior and application integrity.

Technical Details

  • Delivery Mechanism: The infection begins with a JavaScript file masquerading as a document, which launches PowerShell code to bypass execution policies and retrieve further payloads from attacker-controlled Blogspot pages.
  • Evasion Techniques: The framework uses XOR-encoded .NET assemblies stored as large embedded data blobs, reconstructed and decrypted at runtime. It also employs reflective .NET loading and fileless execution to avoid signature-based detection.
  • Payload Execution: The Blogspot-hosted payload displays a decoy document, terminates specific security-related processes, and generates additional URLs to execute subsequent stages directly in memory.
  • Data Harvesting: PureLog Stealer targets credentials, cookies, autofill data, and session tokens from major browsers (Chrome, Edge, Firefox, Brave, Opera) and harvests data from messaging apps, email clients, password managers, and crypto wallets.
  • Exfiltration: Harvested data is packaged and sent to attacker-controlled servers in encrypted form, ensuring confidentiality during transmission.

Industry Insight

Security teams should prioritize monitoring for unusual PowerShell activity and script execution from cloud storage platforms, as these are becoming common vectors for initial access. Organizations must implement strict egress filtering and behavioral analytics to detect early-stage credential harvesting and lateral movement attempts initiated by information stealers.

TL;DR

  • Securonix发现名为Veil#Drop的多阶段恶意软件交付框架,利用被入侵网站和社交工程传播信息窃取者。
  • 攻击链结合JavaScript启动器、PowerShell下载器及托管在Blogspot上的载荷,通过XOR编码和反射.NET加载实现免杀。
  • 最终植入PureLog Stealer,具备广泛的数据采集能力,可窃取浏览器凭证、加密货币钱包及各类应用数据。
  • 该框架滥用微软签名二进制文件和可信云服务,旨在规避传统杀毒软件并减少取证痕迹。
  • 信息窃取通常是更大规模入侵活动的第一步,可能导致勒索软件部署或长期间谍活动。

为什么值得看

本文揭示了攻击者如何利用受信任的云基础设施(如Blogspot)和复杂的混淆技术来绕过传统安全防御,为网络安全从业者提供了关于高级持久威胁(APT)初期阶段的最新战术洞察。理解此类多阶段交付机制有助于企业优化检测规则,特别是在应对无文件执行和LOLBIN滥用方面提升防御能力。

技术解析

  • 多阶段交付架构:攻击始于伪装成文档的JavaScript文件,用于触发PowerShell代码以绕过执行策略;PowerShell随后从攻击者控制的Blogspot页面检索额外载荷。
  • 高级混淆与执行:第二阶段加载器包含XOR编码的.NET程序集,作为大型嵌入式数据块存储,并在运行时重构和解密,有效防止静态分析和基于签名的检测。
  • 防御规避机制:利用微软签名的合法二进制文件(LOLBIN)进行代码执行和防御规避,结合反射式.NET加载和无文件执行技术,最大限度减少磁盘上的取证痕迹。
  • PureLog Stealer功能:最终载荷专注于系统侦察和数据窃取,支持从Chrome、Edge、Firefox等多种浏览器中获取凭据、Cookie、自动填充数据和会话令牌,同时扫描加密货币钱包及消息应用、邮件客户端等敏感数据。

行业启示

  • 云基础设施滥用风险:攻击者正日益倾向于利用Google Blogspot等受信任的云服务托管恶意载荷,安全团队需加强对异常流量模式和可疑云存储内容的监控。
  • 检测策略升级:传统的基于签名的防御已难以应对XOR编码和反射加载等技术,企业应转向行为分析和内存检测,重点关注PowerShell脚本执行和异常进程创建。
  • 供应链与凭证管理:鉴于信息窃取往往是大规模入侵的前奏,强化多因素认证(MFA)、定期轮换凭据以及监控异常数据外传行为是遏制后续勒索软件或间谍活动的关键。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究