VEIL#DROP: Abusing Blogger Infrastructure to Distribute PureLogs
Just came across the Securonix report on the VEIL#DROP malware chain, and it’s a stark reminder of why we can’t trust domains based solely on reputation. The campaign is utilizing Blogger—a Google-owned platform—to distribute the PureLogs information stealer.
What makes this tricky is the multi-stage nature. The initial payload isn't a direct binary executable but likely an obfuscated script hosted on a legitimate-looking blogspot page. Once a user lands there (either via a drive-by download or phishing link), the chain triggers. PureLogs is particularly nasty because it targets a wide range of browsers (Chrome, Edge, Firefox) and siphons off cryptocurrency wallet data and cookies.
Detection is difficult because blogspot.com is whitelisted in most orgs. We need to focus on the behavioral artifacts. PureLogs typically exfiltrates data via Telegram or Discord webhooks, but the C2 check-in often happens through these parked subdomains.
I’ve updated our detection logic to flag when a browser process spawns a shell that reaches out to Blogger subdomains. Here is a PowerShell snippet you can use for triage on endpoints to identify suspicious connections to these domains:
Get-NetTCPConnection | Where-Object { $_.State -eq "Established" } | ForEach-Object {
$process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
$remoteIP = $_.RemoteAddress
try {
$hostEntry = [System.Net.Dns]::GetHostEntry($remoteIP)
if ($hostEntry.HostName -match "blogspot\.com") {
[PSCustomObject]@{
Process = $process.ProcessName
PID = $process.Id
RemoteHost = $hostEntry.HostName
Timestamp = Get-Date
}
}
} catch {}
}
For those hunting this, are you seeing persistence primarily via Registry Run keys, or have you observed them abusing Scheduled Tasks to bypass User Access Control?
We caught a similar variant last month targeting our marketing team. The hardest part was the drive-by nature; users didn't even have to click a download button, just a malicious ad redirect on a sketchy news site. We ended up blocking access to blogspot.com via our secure web gateway for non-IT departments. It caused some noise with legitimate research, but the risk of PureLogs exfiltrating 2FA tokens was too high.
Nice catch on the PowerShell script. We found that PureLogs often uses curl or wget (invoked via PowerShell) to fetch the next stage from the Blogger page content. Another IoC to look for is high CPU usage from a dotnet process located in AppData\Local\Temp. We added this YARA rule to our EDR to catch the obfuscated dropper:
rule PureLogs_Generic {
meta:
description = "Detects PureLogs Stealer characteristics"
author = "SecurityArsenal"
strings:
$s1 = "blogspot" nocase
$s2 = "telegram" nocase
$s3 = { 48 8B C4 55 56 57 41 54 41 55 } // Common prolog
condition:
2 of them
}
From a Blue Team perspective, this is a nightmare for allow-listing. We've moved to inspecting TLS traffic, but that's resource-intensive. One thing we noticed is that the Blogger pages used in VEIL#DROP often have very low word counts and high ratios of encoded text. We wrote a simple Python script to scrape our proxy logs for blogspot URLs that return content with >50% non-ASCII characters, which helped us flag the C2 channels before the payload executed.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access