Home Security TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks

TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks

by crpt os


Apr 16, 2024NewsroomThreat Intelligence / Endpoint Security

The threat actor tracked as TA558 has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others.

“The group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside images and text files,” Russian cybersecurity company Positive Technologies said in a Monday report.

The campaign has been codenamed SteganoAmor for its reliance on steganography and the choice of file names such as greatloverstory.vbs and easytolove.vbs.

A majority of the attacks have targeted industrial, services, public, electric power, and construction sectors in Latin American countries, although companies located in Russia, Romania, and Turkey have also been singled out.

Cybersecurity

The development comes as TA558 has also been spotted deploying Venom RAT via phishing attacks aimed at enterprises located in Spain, Mexico, the United States, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.

It all starts with a phishing email containing a booby-trapped email Microsoft Excel attachment that exploits a now-patched security flaw in Equation Editor (CVE-2017-11882) to download a Visual Basic Script that, in turn, fetches the next-stage payload from paste[.]ee.

The obfuscated malicious code takes care of downloading two images from an external URL that come embedded with a Base64-encoded component that ultimately retrieves and executes the Agent Tesla malware on the compromised host.

Malware Attacks

Beyond Agent Tesla, other variants of the attack chain have led to an assortment of malware such as FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm, which are designed for remote access, data theft, and delivery of secondary payloads.

The phishing emails are sent from legitimate-but-compromised SMTP servers to lend the messages a little credibility and minimize the chances of them getting blocked by email gateways. In addition, TA558 has been found to use infected FTP servers to stage the stolen data.

The disclosure comes against the backdrop of a series of phishing attacks targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia with a malware dubbed LazyStealer to harvest credentials from Google Chrome.

Cybersecurity

Positive Technologies is tracking the activity cluster under the name Lazy Koala in reference to the name of the user (joekoala), who is said to control the Telegram bots that receive the stolen data.

That said, the victim geography and the malware artifacts indicate potential links to another hacking group tracked by Cisco Talos under the name YoroTrooper (aka SturgeonPhisher).

“The group’s main tool is a primitive stealer, whose protection helps to evade detection, slow down analysis, grab all the stolen data, and send it to Telegram, which has been gaining popularity with malicious actors by the year,” security researcher Vladislav Lunin said.

The findings also follow a wave of social engineering campaigns that are designed to propagate malware families like FatalRAT and SolarMarker.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex