
SteganoAmor Attack Operation

The TA558 hacking group has initiated a fresh campaign, employing steganography to embed harmful code within images. This technique allows them to clandestinely distribute a range of malware tools onto specific systems, evading detection by both users and security software.

Since 2018, TA558 has posed a significant threat, mainly targeting hospitality and tourism entities across the globe, with a notable focus on Latin America. Recently, cybersecurity experts unveiled their latest endeavor, termed 'SteganoAmor,' highlighting its heavy reliance on steganography. Analysis revealed more than 320 attacks associated with this campaign, impacting diverse sectors and countries.

SteganoAmor Begins with the Dissemination of Fraudulent Emails

The attack begins with deceptive emails carrying seemingly harmless document attachments, typically in Excel or Word format, that exploit CVE-2017-11882. This flaw in the Microsoft Office Equation Editor was patched in November 2017, yet it remains a common target because unpatched Office installations are still widespread. The emails are sent from compromised SMTP servers so that they appear to come from legitimate senders and are less likely to be blocked.

If the recipient opens the file in an outdated version of Microsoft Office, the exploit downloads a Visual Basic Script (VBS) from the legitimate paste.ee pastebin service. The VBS is then executed to fetch an image file (JPG) that carries a base64-encoded payload. The script hidden in the image contains PowerShell code that retrieves the final payload from a text file whose contents are base64 written in reverse.
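The two encoding tricks in this chain, base64 text hidden in a JPG and a final stage stored as reversed base64, are easy to undo once you know where to look. The following Python is an added example written for this page, not code from the original article or from the researchers who analysed the campaign. It assumes the base64 text is appended after the JPEG end-of-image (EOI) marker, the simplest form of file steganography; the page does not state exactly where TA558 placed it. All sample bytes are constructed stand-ins, not real campaign artefacts.

```python
"""Recover payloads staged the way the SteganoAmor chain is described above.

Added example, not the campaign's code. Assumption: the base64 blob sits after
the JPEG EOI marker (FF D9). The sample image, script and payload are constructed.
"""
import base64
import re

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI and the restart markers RST0-RST7.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def trailing_data_after_eoi(jpeg: bytes) -> bytes:
    """Walk the JPEG segment structure and return whatever follows the EOI marker.

    Image viewers stop decoding at EOI, so appended data is invisible to a user
    but trivially recoverable by a script, which is what the VBS stage relies on.
    """
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == EOI:
            return jpeg[pos + 2:]
        if marker in STANDALONE:
            pos += 2
            continue
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        pos += 2 + length
        if marker == SOS:
            # Skip entropy-coded data: it ends at the first 0xFF that is neither
            # a stuffed 0xFF00 nor a restart marker (FFD0-FFD7).
            while pos + 1 < len(jpeg):
                nxt = jpeg[pos + 1]
                if jpeg[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


# A run of base64 alphabet long enough not to be ordinary text, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def carve_base64(blob: bytes) -> bytes:
    """Decode the longest base64 run found in blob (the stage hidden in the image)."""
    runs = B64_RUN.findall(blob)
    if not runs:
        raise ValueError("no base64 run found")
    return base64.b64decode(max(runs, key=len), validate=True)


def recover_stage_from_jpeg(jpeg: bytes) -> bytes:
    """Image in, decoded second-stage script out."""
    return carve_base64(trailing_data_after_eoi(jpeg))


def decode_reversed_base64(text: str) -> bytes:
    """The final-stage text file is base64 written backwards: reverse, then decode."""
    return base64.b64decode(text.strip()[::-1], validate=True)


# --- Constructed samples (stand-ins, not real TA558 artefacts) -----------------
STAGE2_SCRIPT = b"Write-Host 'constructed stand-in for the PowerShell stage that fetches the final payload'\n"
FINAL_PAYLOAD = b"MZ-constructed-final-payload"


def build_sample_jpeg() -> bytes:
    """Minimal JPEG: SOI, one APP0/JFIF segment, EOI, then the appended base64 stage."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    segment = bytes([0xFF, 0xE0]) + (len(app0) + 2).to_bytes(2, "big") + app0
    return bytes([0xFF, SOI]) + segment + bytes([0xFF, EOI]) + base64.b64encode(STAGE2_SCRIPT)


# What a dropped "final payload" text file would look like under the reversed-base64 scheme.
SAMPLE_FINAL_TXT = base64.b64encode(FINAL_PAYLOAD).decode()[::-1]


if __name__ == "__main__":
    print("stage 2:", recover_stage_from_jpeg(build_sample_jpeg()).decode().strip())
    print("final  :", decode_reversed_base64(SAMPLE_FINAL_TXT))
```

Because the walker follows the JPEG segment table rather than searching for the last FF D9 in the file, it is not fooled by a payload that happens to contain that byte pair. On a real sample, feed it the downloaded JPG and the dropped text file and compare the recovered bytes against the hashes in your own telemetry.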

Numerous Harmful Threats Deployed as Final Payloads

Researchers have observed numerous iterations of the attack chain, each delivering a different malware family. Among these are AgentTesla, spyware capable of keylogging and credential theft; FormBook, which harvests credentials and executes remote commands; Remcos, which enables remote management and surveillance of the machine; LokiBot, which targets sensitive data held by various applications; Guloader, a downloader for secondary payloads; Snake Keylogger, which captures keystrokes and credentials; and XWorm, which grants remote access to compromised computers.

The final payloads and the intermediate scripts are often hosted on reputable cloud services such as Google Drive, whose good reputation helps them pass anti-malware filtering. Harvested information is sent to compromised legitimate FTP servers, so the exfiltration traffic blends in with normal activity. Over 320 attacks have been identified, with a primary focus on Latin American countries, though the targeting extends globally.

Phishing Remains an Extremely Potent Tool in the Arsenal of Cybercriminals

A string of phishing attacks launched by cybercriminals against government organizations across Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan and Armenia has been brought to light by infosec experts. These attacks deploy a malware called LazyStealer, built specifically to extract credentials from Google Chrome. Researchers are tracking this series of attacks under the name Lazy Koala, after the purported operator of the Telegram bots that receive the stolen data.

Furthermore, analysis of the victim demographics and malware characteristics suggests potential connections to another hacking group known as YoroTrooper (also known as SturgeonPhisher). The primary tool utilized by this group is a rudimentary stealer, which employs protective measures to evade detection, hinder analysis, collect all pilfered data, and transmit it via Telegram. Telegram has been increasingly favored by malicious actors as a secure means of communication.
