Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns
Summary
A widely available loader is being repurposed by multiple threat actors to deliver different RATs and information stealers through phishing emails carrying weaponized JavaScript, PowerShell, LNK, and ZIP attachments. The loader combines steganography, reflective loading, process hollowing, and an emerging UAC-bypass method to enable fileless execution and elevate privileges. Activity has been observed targeting manufacturing and government entities across Europe and the Middle East, with the apparent goal of stealing industrial data and credentials.
Investigation
Cyble Research and Intelligence Labs analyzed the delivery chain and outlined a four-stage evasion workflow. It begins with an obfuscated JavaScript stager, pivots to a PowerShell steganographic loader, abuses a trojanized TaskScheduler library, and culminates in payload injection into RegAsm.exe. The end-stage malware is PureLog Stealer, which collects browser credentials, cryptocurrency wallet data, and host/system information for exfiltration.
Mitigation
Use advanced email protections with sandbox detonation, block script execution from email-delivered content (JavaScript, PowerShell, LNK and ZIP attachments), enforce PowerShell Constrained Language Mode, and monitor for hollowing of legitimate Windows binaries such as RegAsm.exe. Inspect image attachments for payload data appended after the image's end-of-file marker or embedded in the image body, and tune EDR rules to surface reflective .NET assembly loading and the UAC-bypass patterns associated with this loader chain.
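The trailer check in the mitigation above, as an added example that is not code from the advisory or from Cyble. Loaders of this kind commonly park a Base64 blob (or a raw assembly) after the image's end-of-image marker, where viewers ignore it. The script walks PNG chunks to IEND and JPEG marker segments to the real EOI (an EXIF thumbnail carries its own EOI, so a naive search for FF D9 stops too early), then describes whatever follows. The sample images and the fake PE are constructed in-line; the B64_RUN threshold of 64 characters is an assumption you can tune.

```python
"""Flag data appended after a PNG or JPEG end-of-image marker (added example)."""
import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # assumed minimum length of a payload run


def png_end_offset(data: bytes):
    """Walk PNG chunks and return the offset just past IEND (None if truncated/malformed)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                       # header + payload + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end_offset(data: bytes):
    """Walk JPEG marker segments to the real EOI; APP1/EXIF thumbnails are skipped by length."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                          # fill byte
            pos += 1
            continue
        if marker == 0xD9:                          # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                          # SOS: skip entropy-coded data to next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def classify_trailer(trailer: bytes) -> dict:
    """Describe appended bytes: raw PE, or a Base64 run and whether it decodes to a PE."""
    info = {"size": len(trailer), "pe": trailer.startswith(b"MZ"),
            "base64": False, "decoded_pe": False}
    m = B64_RUN.search(trailer)
    if m:
        info["base64"] = True
        run = m.group(0)
        if b"=" not in run:                         # unpadded run: trim to a 4-byte boundary
            run = run[: len(run) - len(run) % 4]
        try:
            info["decoded_pe"] = base64.b64decode(run, validate=True).startswith(b"MZ")
        except binascii.Error:
            pass
    return info


def scan_image(data: bytes) -> dict:
    """Return the detected format and a description of any trailer (None when clean)."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        return {"format": "unknown", "trailer": None}
    if end is None:
        return {"format": fmt, "trailer": None, "malformed": True}
    trailer = data[end:]
    return {"format": fmt, "trailer": classify_trailer(trailer) if trailer else None}


# ---- constructed samples (not real campaign artifacts) ----
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def sample_png() -> bytes:
    """Minimal valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")               # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def sample_jpeg() -> bytes:
    """Skeletal JPEG: SOI, APP0, an empty SOS, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (JPEG_SOI + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + b"\xff\xd9")


FAKE_PE = b"MZ" + b"\x90" * 80                      # stand-in for a dropped assembly


def sample_stego_png() -> bytes:
    return sample_png() + base64.b64encode(FAKE_PE)


def sample_pe_jpeg() -> bytes:
    return sample_jpeg() + FAKE_PE
```

Run scan_image over attachment bytes pulled from mail-gateway quarantine or from the file_event telemetry referenced in the detections section; a non-empty trailer on an image that arrived by email is worth a sandbox detonation regardless of whether the run decodes to a PE, since the loader may wrap the payload in a second encoding layer.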
Response
If indicators appear, isolate the endpoint, stop suspicious PowerShell and WMI activity, capture memory images, and hunt for reflective .NET artifacts and injected RegAsm.exe processes. Reset potentially exposed credentials and block the associated malicious domains and IP addresses to prevent reinfection and lateral activity.
Attack Flow
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  %% Node definitions
  act_phishing["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/><b>Description</b>: Send malicious email attachment that exploits Office vulnerability."]
  class act_phishing action
  act_exploit["<b>Action</b> – <b>T1203 Exploitation for Client Execution</b> (CVE-2017-11882)<br/><b>Description</b>: Trigger vulnerability in Microsoft Office to execute code."]
  class act_exploit action
  act_obfuscate["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Load obfuscated JavaScript or PowerShell to hide malicious intent."]
  class act_obfuscate action
  act_stego["<b>Action</b> – <b>T1027.003 Steganography</b><br/><b>Description</b>: Embed payload inside PNG image to evade detection."]
  class act_stego action
  act_reflective_load["<b>Action</b> – <b>T1620 Reflective Code Loading</b><br/><b>Description</b>: Load .NET assembly in memory without touching disk."]
  class act_reflective_load action
  act_regasm["<b>Action</b> – <b>T1218.009 RegAsm Proxy Execution</b><br/><b>Description</b>: Abuse RegAsm to execute arbitrary .NET code."]
  class act_regasm action
  act_process_hollow["<b>Action</b> – <b>T1055.012 Process Hollowing</b><br/><b>Description</b>: Replace legitimate process memory with malicious code."]
  class act_process_hollow action
  act_uac_bypass["<b>Action</b> – <b>T1548.002 Bypass User Account Control</b><br/><b>Description</b>: Elevate privileges without prompting user."]
  class act_uac_bypass action
  act_cred_steal["<b>Action</b> – <b>T1555.003 Credentials from Web Browsers</b><br/><b>Description</b>: Dump saved browser credentials."]
  class act_cred_steal action
  act_data_collect["<b>Action</b> – <b>T1119 Automated Collection</b><br/><b>Description</b>: Gather files and system information."]
  class act_data_collect action
  act_exfil["<b>Action</b> – <b>T1567 Exfiltration Over Web Service</b> / <b>T1041 Exfiltration Over C2 Channel</b><br/><b>Description</b>: Send collected data to remote server via web service."]
  class act_exfil action
  %% Connections
  act_phishing -->|leads_to| act_exploit
  act_exploit -->|leads_to| act_obfuscate
  act_obfuscate -->|leads_to| act_stego
  act_stego -->|leads_to| act_reflective_load
  act_reflective_load -->|leads_to| act_regasm
  act_regasm -->|leads_to| act_process_hollow
  act_process_hollow -->|leads_to| act_uac_bypass
  act_uac_bypass -->|leads_to| act_cred_steal
  act_cred_steal -->|leads_to| act_data_collect
  act_data_collect -->|leads_to| act_exfil
Detections
- LOLBAS WScript / CScript (via process_creation)
- Image File Was Created By Suspicious Process (via file_event)
- Suspicious Powershell Strings (via powershell)
- Possible Internet Archive Resolved By Uncommon Process (via dns_query)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Suspicious File Download Direct IP (via proxy)
- IOCs (SourceIP) to detect: Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns
- IOCs (DestinationIP) to detect: Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns
- IOCs (HashSha256) to detect: Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns
- Hidden PowerShell and Base64 Decoded Script Detection [Windows Powershell]
- WMI Object Creation and Process Hollowing Detection [Windows Process Creation]
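Hunting logic for the PowerShell, .NET-loading and RegAsm patterns behind the rules listed above, as an added example that is not the vendor's rule content. It runs over constructed records shaped like Sysmon event 1 / Security 4688 (process creation) and PowerShell 4104 (script block) events; the field names (Image, ParentImage, CommandLine, ScriptBlockText) and the sample command lines are assumptions about that schema, not observed campaign data. Two points the rule names alone do not show: powershell.exe accepts any unambiguous switch prefix (-w hidden, -enc, -e), so the matching has to cover the short forms, and the -EncodedCommand argument is UTF-16LE under the Base64, so it can be decoded in the pipeline and the same script-content checks applied to it that apply to 4104 text.

```python
"""Hidden/encoded PowerShell, reflective .NET load and RegAsm hollowing hunts (added example)."""
import base64
import re

# Any unambiguous prefix of a powershell.exe switch is accepted, so match the short forms too
HIDDEN_RE = re.compile(r"-w(?:i[a-z]*)?\s+hidden\b", re.I)
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]+={0,2})", re.I)
EXE_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)   # split executable from its arguments

# Script-content indicators matching the loader stages described in this report
SCRIPT_INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]?::Load|\.Assembly\.Load\(", re.I),
    "image_read": re.compile(r"ReadAllBytes\([^)]*\.(?:png|jpe?g)", re.I),
    "entrypoint_invoke": re.compile(r"EntryPoint\.Invoke|GetMethod\([^)]*\)\.Invoke", re.I),
    "downloader": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):        # binascii.Error is a ValueError
        return None


def script_indicators(text: str) -> list:
    return [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(text)]


def analyze_event(ev: dict) -> list:
    """Findings for one process-creation or script-block record."""
    if ev.get("EventID") == 4104:
        return [f"script:{i}" for i in script_indicators(ev.get("ScriptBlockText", ""))]
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    findings = []
    if image.endswith(("powershell.exe", "pwsh.exe")):
        if HIDDEN_RE.search(cmd):
            findings.append("hidden_window")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded_command")
            findings += [f"decoded:{i}" for i in script_indicators(decoded)]
    if image.endswith("regasm.exe"):
        # RegAsm normally receives an assembly path; an argument-less RegAsm spawned by
        # PowerShell is the hollowing target described in this chain
        args = EXE_RE.match(cmd).group(1).strip()
        if parent.endswith("powershell.exe") and not args:
            findings.append("regasm_hollow_candidate")
    if image.endswith(("wscript.exe", "cscript.exe")) and re.search(r"\.jse?\b", cmd, re.I):
        if "outlook.exe" in parent or "\\temp\\" in cmd.lower():
            findings.append("js_stager_launch")
    return findings


def hunt(events: list) -> list:
    """Per-event findings, index-aligned with the input."""
    return [analyze_event(ev) for ev in events]


def sample_events() -> list:
    """Constructed telemetry for the chain above (not real campaign data)."""
    stager = ('$b=[IO.File]::ReadAllBytes("$env:TEMP\\photo.jpg");'
              '$t=[Text.Encoding]::UTF8.GetString($b);'
              '$p=[Convert]::FromBase64String($t.Split("`n")[-1]);'
              '[Reflection.Assembly]::Load($p).EntryPoint.Invoke($null,$null)')
    enc = base64.b64encode(stager.encode("utf-16-le")).decode()
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
         "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
         "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\Invoice_0427.js"'},
        {"EventID": 1, "Image": ps, "ParentImage": r"C:\Windows\System32\wscript.exe",
         "CommandLine": f"powershell.exe -nop -w hidden -enc {enc}"},
        {"EventID": 4104, "ScriptBlockText": stager},
        {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         "ParentImage": ps,
         "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
        {"EventID": 1, "Image": ps, "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    ]
```

The last sample record is a benign admin invocation and produces no findings; -ExecutionPolicy starts with -e but is not an -EncodedCommand prefix, which is why ENC_RE requires the next character to be c or n. When porting this to a SIEM query, keep the decoded-script checks: they are what separates an encoded one-liner from the steganographic stager, and they survive the attacker renaming the image file.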
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative must directly reflect the TTPs identified and generate the telemetry the detection logic expects.
Attack Narrative & Commands:
An adversary sends a spear-phishing email containing a JPEG attachment with a PowerShell payload steganographically embedded in it. After the victim opens the attachment, the first-stage script extracts the hidden data, decodes it from Base64, and launches a second-stage PowerShell loader in a hidden window. The loader then contacts a C2 server to download additional tools. The command line generated on the victim host is:
powershell -WindowStyle Hidden -EncodedCommand <Base64String>
With script block logging enabled, the stager's script text is recorded, and because it contains the string "Base64" (the FromBase64String decode call in the real chain; the ToBase64String call and its comment in the regression script below), the rule's selection_base64_decoded_script condition matches. The -WindowStyle Hidden flag satisfies selection_hidden_powershell.
Regression Test Script:
# Hidden PowerShell Base64 loader simulation
# -------------------------------------------------
# Step 1: Craft a dummy PowerShell script (the child process expands $env:COMPUTERNAME)
$script = 'Write-Host "Compromised host: $env:COMPUTERNAME"; Start-Sleep -Seconds 30'
# Step 2: Encode to Base64 (UTF-16LE, which -EncodedCommand expects)
$bytes = [System.Text.Encoding]::Unicode.GetBytes($script)
$b64   = [Convert]::ToBase64String($bytes)
# Step 3: Launch hidden PowerShell with the encoded payload.
# -NoNewWindow is not used here: it belongs to a different Start-Process
# parameter set than -WindowStyle, and combining the two is an error.
Start-Process -FilePath "powershell.exe" `
    -ArgumentList "-WindowStyle Hidden -EncodedCommand $b64" `
    -WindowStyle Hidden
# With script block logging enabled, the string "Base64" in this script
# (ToBase64String and this comment) is recorded and satisfies the rule.
Cleanup Commands:
# Terminate any lingering hidden PowerShell instances started by the test.
# Process.StartInfo.Arguments is empty for processes this session did not
# create, so match on the real command line from Win32_Process instead.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" |
    Where-Object { $_.CommandLine -match '-WindowStyle Hidden' -and $_.CommandLine -match '-EncodedCommand' } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
# Optional: remove temporary files (none are created by this script)