Hackers Use Images to Conceal Malware, Deploy VIP Keylogger and 0bj3ctivity Stealer

Cybercriminals are taking their stealth tactics to the next level by embedding malicious code in image files to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer, according to HP Wolf Security’s Threat Insights Report for Q3 2024. These sophisticated campaigns exploit trusted platforms like Archive.org to distribute malware while bypassing traditional detection methods.

How the Attack Works: Malware Hidden in Images

The campaigns begin with a phishing email designed to deceive victims into opening malicious attachments. These emails often mimic invoices or purchase orders to build credibility. Once opened, the attachment triggers an exploit for the outdated Microsoft Equation Editor vulnerability (CVE-2017-11882) to download a VBScript file.

The Attack Chain

  1. Phishing Email: Victims receive a deceptive email containing malicious attachments.
  2. VBScript Execution: The downloaded VBScript runs a PowerShell script.
  3. Image Retrieval: PowerShell downloads an image from Archive.org.
  4. Malicious Code Extraction: The image contains Base64-encoded malware that is extracted and decoded into a .NET executable.
  5. Payload Delivery: The .NET loader installs the final malware payload.

In the first campaign, this payload is VIP Keylogger, a tool designed to capture keystrokes, clipboard content, screenshots, and credentials. In the second campaign, the payload is 0bj3ctivity Stealer, an information-stealing malware.

Malware Kits Lower the Barrier for Attackers

The similarities between the two campaigns indicate that cybercriminals are leveraging malware kits. These kits streamline the attack process, reducing the technical expertise required to execute complex infection chains. This trend reflects the increasing commodification of cybercrime, where pre-built tools make it easier for even novice attackers to deploy malware.

Additional Techniques in Use

HP Wolf Security also identified HTML smuggling as a complementary tactic. In this method, attackers deliver malware like the XWorm RAT using AutoIt droppers hidden in malicious HTML files. Some of these files were reportedly generated using GenAI tools, showcasing how artificial intelligence is being used to enhance malware delivery and obfuscation.

GitHub Campaigns Deliver the Lumma Stealer

Another noteworthy campaign involved the use of GitHub repositories that posed as sources for video game cheats and modification tools. These repositories secretly distributed Lumma Stealer malware via .NET-based droppers, highlighting how attackers exploit popular platforms to target unsuspecting users.

Why Image-Based Attacks Are Threatening

Embedding malware in images is a technique known as steganography, which hides malicious code in seemingly innocuous files. This method bypasses many antivirus systems, which are less likely to scrutinize image files. The use of trusted hosting platforms like Archive.org further complicates detection efforts.

Mitigation Strategies for Organizations

To defend against these evolving threats, organizations should implement the following measures:

  1. Patch Known Vulnerabilities: Address outdated software vulnerabilities like CVE-2017-11882.
  2. Enable Advanced Threat Detection: Use solutions capable of detecting steganography and suspicious file behavior.
  3. Educate Employees: Train staff to recognize phishing emails and avoid opening unexpected attachments.
  4. Limit Access to Trusted Sources: Restrict the use of file-sharing platforms to approved domains.
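A defender-side check for the pattern in step 4 of the attack chain and for mitigation 2 above, added here as an example and not code from HP Wolf Security or the report: it flags image files that carry data past the container's end marker or contain a Base64 run that decodes to a PE (MZ) header. The JPEG stub and the MZ buffer are constructed samples, and the assumption that the payload is a Base64 run appended to a JPEG or PNG is the example's, not a detail the report states.

```python
import base64
import binascii
import re

# Constructed sample (not real malware): a stub JPEG followed by a Base64 blob that
# decodes to a buffer starting with the "MZ" DOS header, imitating the pattern the
# report describes (image carrier with a Base64-encoded executable inside).
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
SAMPLE_IMAGE = JPEG_STUB + base64.b64encode(FAKE_PE)
CLEAN_IMAGE = JPEG_STUB

BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long Base64-looking runs
PE_MAGIC = b"MZ"


def image_end_offset(data):
    """Offset just past the container's end marker (JPEG EOI or PNG IEND), else None."""
    if data.startswith(b"\xff\xd8"):
        end = data.rfind(b"\xff\xd9")
        return end + 2 if end != -1 else None
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        end = data.rfind(b"IEND")
        return end + 8 if end != -1 else None  # IEND tag plus its 4-byte CRC
    return None


def decode_to_pe(blob):
    """Try all four Base64 alignments; return decoded bytes if they start with MZ."""
    for shift in range(4):  # pixel bytes may precede the real blob, misaligning it
        chunk = blob[shift:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue
        if decoded.startswith(PE_MAGIC):
            return decoded
    return None


def scan_image(data):
    """Report bytes after the image end marker and Base64 runs that decode to a PE."""
    end = image_end_offset(data)
    trailing = len(data) - end if end is not None else 0
    embedded = []
    for m in BASE64_RUN.finditer(data):
        decoded = decode_to_pe(m.group(0))
        if decoded is not None:
            embedded.append({"offset": m.start(), "decoded_len": len(decoded)})
    return {"trailing_bytes": trailing, "embedded_pe": embedded,
            "suspicious": trailing > 0 or bool(embedded)}
```

Run `scan_image()` over inbound image attachments or files fetched from hosting sites; a non-zero `trailing_bytes` alone is worth a closer look, and a decoded MZ header is a strong signal.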

The Growing Commodification of Cybercrime

As malware kits become more accessible, attackers of all skill levels can assemble effective infection chains. The integration of AI tools in malware creation further amplifies the challenge for cybersecurity defenders, making attacks more varied and harder to attribute.

HP Wolf Security’s findings underscore the urgency of staying ahead of these evolving threats. By adopting proactive defense strategies and monitoring emerging tactics, organizations can better safeguard their networks against these sophisticated campaigns.