An exposé has brought to light an intricate operation engineered by the TA558 hacking group, known for its previous focus on the hospitality and tourism sectors. This new offensive, dubbed "SteganoAmor," employs steganography, a technique of concealing malicious code within seemingly harmless image files, to infiltrate targeted systems worldwide. Positive Technologies, the cybersecurity firm behind the discovery, has identified over 320 instances of this attack affecting various organisations across different sectors and countries.
How SteganoAmor Attacks Work
SteganoAmor attacks start with phishing emails that look harmless but carry Excel or Word attachments. These files exploit a vulnerability in Microsoft Office, CVE-2017-11882, which was patched in 2017. When someone opens such a file, it silently downloads a Visual Basic Script (VBS) from a legitimate-looking source. That script then fetches an image file (JPG) that conceals a base64-encoded payload.
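The image stage described above works because a viewer stops rendering at the JPEG End-Of-Image marker, so anything appended after it is invisible to a person but readable by a script. The following added example (not code from the report or from Positive Technologies) shows one defensive check: walk the JPEG segment headers to locate the real End-Of-Image marker, then report any trailing bytes and decode base64 runs found there. The JPEG marker values are from the JPEG standard; the sample image skeleton, the payload text and the function names are constructed for illustration.

```python
import base64
import binascii
import re

# JPEG marker bytes (from the JPEG standard); everything else below is constructed.
SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image

# A run of at least 64 base64 characters that is not preceded by another base64 char.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{64,}={0,2}")

# Constructed stand-in for an encoded second stage; it is plain text, not malware.
SAMPLE_PAYLOAD = b"constructed stand-in for the encoded second stage; not real malware"


def find_eoi(jpeg: bytes) -> int:
    """Return the offset just past the real End-Of-Image marker.

    Segment headers are walked one by one, so an FF D9 sequence that sits inside
    metadata (for example an EXIF thumbnail in an APP1 segment) is not mistaken
    for the end of the picture. After the Start-Of-Scan segment, entropy-coded
    data may only contain FF followed by 00 or an RSTn marker, so the first
    FF D9 after it is the true EOI.
    """
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = len(SOI)
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:                    # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                    # EOI before any scan (degenerate file)
            return pos + 2
        if marker == 0xDA:                    # SOS: entropy-coded data follows
            eoi = jpeg.find(EOI, pos)
            if eoi < 0:
                raise ValueError("SOS segment without a following EOI")
            return eoi + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn / TEM carry no length field
            pos += 2
            continue
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        pos += 2 + length
    raise ValueError("no EOI marker found")


def scan_jpeg(jpeg: bytes) -> dict:
    """Report bytes appended after EOI and any base64 blobs decodable from them."""
    end = find_eoi(jpeg)
    tail = jpeg[end:]
    blobs = []
    for match in B64_RUN.finditer(tail):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except binascii.Error:
            continue  # looks like base64 but is not valid; still counted as trailing data
    return {"trailing_bytes": len(tail), "decoded_blobs": blobs, "suspicious": len(tail) > 0}


def build_sample_jpeg(appended: bytes = b"") -> bytes:
    """Construct a minimal JPEG skeleton for testing; it carries no real image data."""
    # APP1 (EXIF) body with a fake embedded thumbnail that has its own FF D8 ... FF D9.
    app1_body = b"Exif\x00\x00" + SOI + b"\x00\x00" + EOI
    app1 = b"\xff\xe1" + (len(app1_body) + 2).to_bytes(2, "big") + app1_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_body) + 2).to_bytes(2, "big") + sos_body
    scan = b"\x12\x34\xff\x00\x56"  # an FF inside scan data is always stuffed as FF 00
    return SOI + app1 + sos + scan + EOI + appended


def tainted_sample() -> bytes:
    """A constructed image with SAMPLE_PAYLOAD appended, base64-encoded, after EOI."""
    return build_sample_jpeg(base64.b64encode(SAMPLE_PAYLOAD))


if __name__ == "__main__":
    print(scan_jpeg(build_sample_jpeg()))  # clean skeleton: no trailing bytes
    print(scan_jpeg(tainted_sample()))     # trailing base64 decodes to SAMPLE_PAYLOAD
```

A naive `find(b"\xff\xd9")` on the file would stop at the thumbnail's marker inside the APP1 segment and report the rest of the real image as "trailing data"; walking the segments avoids that false positive. Appended data is only one hiding place, so a zero-length tail does not prove an image is clean.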
Diverse Malware Payloads
The hidden payload serves as a gateway to various malware families, each with distinct functionalities:
1. AgentTesla: Spyware capable of keylogging, credential theft, and screenshot capture.
2. FormBook: An infostealer adept at harvesting credentials, monitoring keystrokes, and executing downloaded files.
3. Remcos: A remote access tool that lets attackers manage compromised machines remotely, including activating webcams and microphones.
4. LokiBot: Another infostealer, focused on extracting sensitive information from commonly used applications.
5. Guloader: A downloader that delivers secondary payloads while evading antivirus detection.
6. Snake Keylogger: Malware designed to steal data by logging keystrokes, capturing screenshots, and harvesting credentials from web browsers.
7. XWorm: A Remote Access Trojan (RAT) that gives attackers remote control over compromised computers to execute commands and access sensitive information.
To evade detection, the final payloads and malicious scripts are often hosted on reputable cloud services such as Google Drive. Stolen data is then transmitted to compromised FTP servers, where it blends in with normal traffic.
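Exfiltration to compromised FTP servers can still be spotted on the network side: in most organisations, workstations have no business uploading data to FTP servers on the internet. The added example below (not part of the report) groups outbound FTP flows to external hosts by source and flags large uploads. The log format, the internal address ranges and the sample lines (documentation addresses only) are constructed assumptions, and the volume threshold is illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Address ranges the hypothetical organisation treats as internal (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}  # FTP data and control ports

# Constructed sample firewall log lines; destination addresses are documentation ranges.
SAMPLE_LOG = """\
2024-04-15T09:12:01Z src=10.20.5.17:51234 dst=203.0.113.45:21 proto=tcp bytes_out=1842
2024-04-15T09:12:03Z src=10.20.5.17:51240 dst=203.0.113.45:20 proto=tcp bytes_out=5242880
2024-04-15T09:14:10Z src=10.20.5.31:44321 dst=10.20.1.5:21 proto=tcp bytes_out=912
2024-04-15T09:15:00Z src=10.20.5.31:44400 dst=198.51.100.9:443 proto=tcp bytes_out=20480
2024-04-15T09:16:42Z src=10.20.7.2:50001 dst=198.51.100.77:21 proto=tcp bytes_out=640
"""

# Field layout of the constructed log format above.
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=\S+ bytes_out=(?P<out>\d+)$"
)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_ftp(log: str, volume_threshold: int = 1_000_000) -> dict:
    """Group outbound FTP flows to external hosts by source and flag large uploads."""
    per_src = defaultdict(lambda: {"dests": set(), "bytes_out": 0, "flows": 0})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline would count these
        if int(m["dport"]) not in FTP_PORTS or is_internal(m["dst"]):
            continue  # not FTP, or an FTP server the organisation runs itself
        entry = per_src[m["src"]]
        entry["dests"].add(m["dst"])
        entry["bytes_out"] += int(m["out"])
        entry["flows"] += 1
    return {
        src: {
            "dests": sorted(e["dests"]),
            "bytes_out": e["bytes_out"],
            "flows": e["flows"],
            "high_volume": e["bytes_out"] >= volume_threshold,
        }
        for src, e in per_src.items()
    }


if __name__ == "__main__":
    for src, info in find_external_ftp(SAMPLE_LOG).items():
        print(src, info)
```

On the sample lines, the host talking to an internal FTP server and the host using HTTPS are ignored, while the workstation that pushed about 5 MB to an external FTP server is flagged as high volume. A single small control-channel connection (the last line) still appears in the output as an external FTP contact worth a look, just without the volume flag.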
Protective Measures
Despite the complexity of the attack, safeguarding against SteganoAmor is relatively straightforward. Updating Microsoft Office to the latest version eliminates the vulnerability exploited by the attackers, rendering their tactics ineffective.
Global Impact
While the primary targets appear to be concentrated in Latin America, the reach of SteganoAmor extends worldwide, posing a significant threat to organisations globally.
As these threats continue to take new shapes and forms, staying aware and applying updates promptly remain crucial defences against cyber threats of any scale.