Threat actors have been observed hiding malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer within separate campaigns.
“At both companies, the attackers hid malicious code in images they uploaded to archive(.)org, a file hosting website, and used the same .NET loader to install the final payloads,” HP Wolf Security. said in its Q3 2024 Threat Report shared with The Hacker News.
The starting point is a phishing email that disguises itself as invoices and purchase orders to trick recipients into opening malicious attachments, such as Microsoft Excel documents, which when opened exploit a known security flaw in equation editors (CVE-2017-11882) to download the VBScript file.
The script, in turn, is designed to decode and run a PowerShell script that extracts the image hosted on archive(.)org and extracts the Base64-encoded code, which is then decoded into a .NET executable and executed.
The executable .NET file serves as a bootloader to download VIP Keylogger from a specified URL and launch it, allowing threat actors to steal a wide range of data from infected systems, including keystrokes, clipboard contents, screenshots, and credentials. VIP Keylogger Promotions functional matches with Snake Keylogger and 404 Keylogger.
A similar company was found to be sending malicious archive files via email. These messages, which look like quote requests, aim to lure visitors into opening a JavaScript file in the archive, which then runs a PowerShell script.
As in the previous case, the PowerShell script loads the image from the remote server, parses the Base64-encoded code in it, and runs the same .NET-based loader. The difference is that the chain of attacks ends with the deployment of an information stealer called 0bj3ctivity.
The parallels between the two companies suggest that threat actors are using malware stacks to increase overall efficiency while reducing the time and technical expertise required to create attacks.
HP Wolf Security also said it has noticed what malicious actors are resorting to Contraband HTML methods of falling XWorm remote access trojan (RAT) using the AutoIt dropper, echoing previous campaigns that distributed AsyncRAT in a similar fashion.
“Notably, the HTML files had indications that they were written with GenAI,” HP said. “These actions point to the increasing use of GenAI in the initial access and delivery stages of malware in the attack chain.”
“Indeed, threat actors can gain many benefits from GenAI, from scaling attacks and creating variations that can increase their infection rate, to making attribution more difficult for network defenders.”
That’s not all. Threat actors have been seen creating GitHub repositories promoting cheats and game modding tools to deploy the Lumma Stealer malware using a .NET dropper.
“The campaigns analyzed provide further evidence of the commoditization of cybercrime,” said Alex Holland, principal threat researcher at HP Security Lab. “Because number-by-number malware kits are more accessible, affordable and easy to use, even novices with limited skills and knowledge can put together an effective infection chain.”
