The Hidden Threat: Malware Concealed in Images


Introduction

Cybercriminals are constantly evolving their tactics, and one recent method involves concealing malicious code within images. This technique has been used to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer, as observed in separate campaigns. By leveraging legitimate file-hosting platforms and advanced malware kits, attackers are making their schemes more efficient and harder to detect. This article delves into these campaigns, highlighting their methods, tools, and implications for cybersecurity.

The Attack Vector: Phishing Emails and Exploits

The entry point for these campaigns is a phishing email disguised as an invoice or purchase order. These emails carry malicious attachments, typically Microsoft Excel documents. When opened, the document exploits a known vulnerability in Microsoft Equation Editor (CVE-2017-11882) to download a VBScript file. That script decodes and executes a PowerShell command which retrieves an image from the file-hosting site archive[.]org.

Within the retrieved image lies Base64-encoded code, which is decoded into a .NET executable. This executable acts as a loader to deploy VIP Keylogger, a tool that collects sensitive data such as keystrokes, clipboard content, screenshots, and credentials. VIP Keylogger exhibits functionality similar to other keyloggers like Snake Keylogger and 404 Keylogger.

Information Stealers and Alternative Attack Chains

A related campaign employs a similar strategy but targets victims with malicious archive files sent via email. These messages, posing as quotation requests, prompt users to open a JavaScript file within the archive. This file launches a PowerShell script that downloads and processes an image containing encoded malware. In this case, the attack culminates with the deployment of the 0bj3ctivity information stealer, a tool designed to exfiltrate sensitive data.

The similarities between these campaigns underscore a common trend: attackers are utilizing pre-built malware kits to streamline operations. This approach reduces the time and technical expertise required to execute sophisticated attacks.

Advanced Techniques: HTML Smuggling and GenAI

HP Wolf Security has identified additional methods used by threat actors, including HTML smuggling. This technique embeds the malicious payload inside an HTML file and lets the browser reconstruct it on the victim's machine, which sidesteps security controls that inspect only what crosses the network as a recognizable file. In earlier campaigns, threat actors used it to deliver AutoIt droppers that install the XWorm remote access trojan (RAT), and to distribute AsyncRAT.
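A static triage check for HTML attachments, added here as an example for this article rather than code from HP Wolf Security: HTML smuggling needs two halves in the same file, a large encoded blob and the JavaScript that turns it into a file on the client, so the scanner scores the common reassembly idioms and only calls a document suspicious when both halves are present. The 1 KiB blob threshold, the indicator list, the verdict rule and both sample documents are constructed for the example.

```python
"""Static triage of HTML attachments for HTML-smuggling indicators.

Constructed example (not HP Wolf Security's tooling). A large Base64 string
alone is normal in HTML (inline images), so the verdict also requires the
client-side JavaScript that rebuilds and drops a file from that string.
"""
import base64
import binascii
import re

# JavaScript idioms used to rebuild and save a file from an in-page blob.
# Each one is harmless alone; the score counts how many appear together.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "click": re.compile(r"\.click\s*\(\s*\)"),
    "byte_array": re.compile(r"\bUint8Array\b"),
    "ms_save": re.compile(r"msSaveOrOpenBlob"),
}
# Payload blob: a Base64 run of at least 1 KiB (threshold is an assumption).
BLOB = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive", b"%PDF": "PDF"}


def sniff_payload(b64: str) -> str:
    """Decode only the first 64 characters (48 bytes) to read the magic number."""
    try:
        head = base64.b64decode(b64[:64], validate=True)
    except binascii.Error:
        return "undecodable"
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def triage_html(html: str) -> dict:
    """Return indicator hits, blob details and a verdict for one HTML document."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    blobs = BLOB.findall(html)
    # A data: URI in an <img> is the usual benign source of a big Base64 string;
    # require several reassembly indicators before calling it smuggling.
    verdict = "suspicious" if blobs and len(hits) >= 3 else "benign"
    return {
        "indicators": hits,
        "blob_count": len(blobs),
        "largest_blob": max((len(b) for b in blobs), default=0),
        "payload_type": sniff_payload(blobs[0]) if blobs else None,
        "verdict": verdict,
    }


# --- constructed samples (not real attachments) ------------------------------
FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + bytes(1000)).decode()  # not a real archive
FAKE_PNG_B64 = base64.b64encode(b"\x89PNG" + bytes(1000)).decode()     # not a real image

SMUGGLING_HTML = f"""<html><body><p>Your document is loading...</p>
<script>
var d = "{FAKE_ZIP_B64}";
var bytes = Uint8Array.from(atob(d), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>"""

BENIGN_HTML = f"""<html><body><h1>Hello</h1>
<img src="data:image/png;base64,{FAKE_PNG_B64}">
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("suspicious.html", SMUGGLING_HTML), ("benign.html", BENIGN_HTML)):
        print(name, triage_html(doc))
```

The indicator score rather than any single pattern is what keeps the false-positive rate workable: the benign sample carries a Base64 blob as large as the suspicious one but none of the reassembly logic. Obfuscated or GenAI-varied scripts can rename variables freely, but they still have to call the same browser APIs, which is why the indicators target API names rather than variable names.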

Furthermore, some HTML files bear signs of being created with Generative AI (GenAI). This use of AI allows attackers to scale their campaigns, introduce variations to evade detection, and complicate attribution by cybersecurity professionals.

Leveraging GitHub for Malware Distribution

Another notable tactic involves creating GitHub repositories that advertise video game cheat and modification tools. These repositories serve as a front to deliver malware like Lumma Stealer via .NET droppers. This strategy not only broadens the reach of these campaigns but also exploits the trust many users place in GitHub as a legitimate platform.

The Commodification of Cybercrime

The analyzed campaigns highlight the increasing commodification of cybercrime. Malware kits are becoming more accessible, affordable, and user-friendly, enabling even inexperienced individuals to construct effective infection chains. According to Alex Holland, principal threat researcher at HP Security Lab, this trend underscores the growing availability of "malware-by-numbers" solutions that democratize cybercrime.

Conclusion

The use of images to conceal malware is a stark reminder of the ingenuity and adaptability of cybercriminals. By leveraging file-hosting platforms, pre-built malware kits, and advanced tools like GenAI, attackers are scaling their operations and evading traditional defenses. As these threats evolve, cybersecurity professionals must remain vigilant, employing advanced detection techniques and fostering awareness among users to mitigate risks.
