Threat actors have been observed concealing malicious code in images to deliver malware, such as VIP Keylogger and 0bj3ctivity Stealer, as part of two separate campaigns. In both campaigns, the attackers hid malicious code in images uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads. The starting point is a phishing email masquerading as an invoice or purchase order that tricks recipients into opening a malicious attachment, such as a Microsoft Excel document, which, when opened, exploits a known security flaw in Equation Editor (CVE-2017-11882) to download a VBScript file.
The script decodes and runs a PowerShell script that retrieves an image hosted on archive[.]org. It extracts a Base64-encoded blob embedded in the image, decodes it into a .NET executable, and executes it. That executable is a loader that downloads VIP Keylogger from a URL and runs it, allowing the threat actors to steal a wide range of data from the infected system, including keystrokes, clipboard content, screenshots, and credentials. VIP Keylogger shares functional overlaps with Snake Keylogger and 404 Keylogger.
A similar campaign emails malicious archive files to its targets. These messages, which pose as requests for quotations, aim to lure recipients into opening a JavaScript file within the archive that launches a PowerShell script. As in the previous case, the PowerShell script downloads an image from a remote server, parses the Base64-encoded code within it, and runs the same .NET-based loader. What differs is that the attack chain culminates in the deployment of an information stealer named 0bj3ctivity.
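The storage trick common to both chains is an image file carrying a Base64-encoded .NET executable. From a defender's side, that leaves two cheap signals: bytes appended after the image's end marker, and long Base64 runs that decode to a PE header. The following is an added example written for this article, not code from HP Wolf Security or from the campaigns described; the JPEG/PNG samples, the fake PE bytes and the run-length threshold of 64 characters are all constructed for the demonstration, and the scanner handles PNG as well as the JPEG case the article implies.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Added defensive example (not from the HP Wolf Security write-up): find a
# Base64-encoded Windows executable hidden inside an image file. All sample
# images and the payload below are constructed for the demo.

JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xae\x42\x60\x82"  # IEND chunk type plus its fixed CRC

# A run of at least 64 Base64 alphabet characters, optionally padded (threshold is an assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
PE_MAGIC = b"MZ"  # DOS header shared by every PE, .NET assemblies included


@dataclass
class Finding:
    offset: int            # where the Base64 run starts in the file
    encoded_len: int
    decoded_len: int
    after_image_end: bool  # run sits in the slack after EOI/IEND, a strong hint


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the image's end marker, or None if not a JPEG/PNG we recognise."""
    if data.startswith(JPEG_SOI):
        pos = data.rfind(JPEG_EOI)
        return None if pos == -1 else pos + len(JPEG_EOI)
    if data.startswith(PNG_SIG):
        pos = data.rfind(PNG_IEND)
        return None if pos == -1 else pos + len(PNG_IEND)
    return None


def trailing_bytes(data: bytes) -> int:
    """Count bytes appended after the image's end marker; non-zero is itself worth a look."""
    end = image_end_offset(data)
    return 0 if end is None else len(data) - end


def scan_image_for_embedded_pe(data: bytes) -> List[Finding]:
    """Decode every long Base64 run and report those that decode to a PE (MZ header)."""
    end = image_end_offset(data)
    findings: List[Finding] = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        padded = run + b"=" * (-len(run) % 4)  # tolerate stripped padding
        try:
            decoded = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all (e.g. length mod 4 == 1)
        if decoded.startswith(PE_MAGIC):
            findings.append(Finding(
                offset=m.start(),
                encoded_len=len(run),
                decoded_len=len(decoded),
                after_image_end=end is not None and m.start() >= end,
            ))
    return findings


# --- constructed samples ---------------------------------------------------
# Fake PE: DOS magic, filler, then the "PE\0\0" signature. Not a runnable binary.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 100


def constructed_jpeg(trailer: bytes = b"") -> bytes:
    return JPEG_SOI + b"\xe0" + b"\x00" * 64 + JPEG_EOI + trailer


def constructed_png(trailer: bytes = b"") -> bytes:
    return PNG_SIG + b"\x00" * 64 + PNG_IEND + trailer


MALICIOUS_JPEG = constructed_jpeg(base64.b64encode(FAKE_PE))
MALICIOUS_PNG = constructed_png(base64.b64encode(FAKE_PE))
BENIGN_COMMENT = constructed_jpeg(base64.b64encode(b"photo metadata " * 8))  # Base64, not a PE
CLEAN_JPEG = constructed_jpeg()

if __name__ == "__main__":
    for name, blob in [("malicious.jpg", MALICIOUS_JPEG), ("malicious.png", MALICIOUS_PNG),
                       ("benign.jpg", BENIGN_COMMENT), ("clean.jpg", CLEAN_JPEG)]:
        hits = scan_image_for_embedded_pe(blob)
        print(f"{name}: trailing_bytes={trailing_bytes(blob)} pe_blobs={len(hits)}")
        for h in hits:
            print(f"  Base64 run at offset {h.offset}, {h.encoded_len} chars -> "
                  f"{h.decoded_len}-byte PE, after image end: {h.after_image_end}")
```

Trailing data alone is a weak signal (legitimate tools append metadata), so the scanner only alerts when the blob actually decodes to an MZ header; the `after_image_end` flag is kept separately so a triage rule can weight the two indicators differently.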
The parallels between the two campaigns suggest that threat actors leverage malware kits to improve overall efficiency while lowering the time and technical expertise needed to craft the attacks. HP Wolf Security also said it observed bad actors resorting to HTML smuggling techniques to drop the XWorm remote access trojan (RAT) using an AutoIt dropper, echoing prior campaigns that similarly distributed AsyncRAT. "Notably, the HTML files bore hallmarks suggesting that they had been written with the help of GenAI," HP said. "The activity points to the growing use of GenAI in the initial access and malware delivery stages of the attack chain."
Threat actors stand to gain numerous benefits from GenAI, from scaling attacks and creating variations that could increase their infection rates to making attribution by network defenders more difficult. Threat actors have also been observed creating GitHub repositories advertising video game cheating and modification tools to deploy the Lumma Stealer malware using a .NET dropper. "The campaigns analyzed provided further evidence of the commodification of cybercrime," Alex Holland, principal threat researcher in the HP Security Lab, said. "As malware-by-numbers kits are more freely available, affordable, and easy to use, even novices with limited skills and knowledge can create an effective infection chain."
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com