Risk actors have been noticed concealing malicious code in photographs to ship malware resembling VIP Keylogger and 0bj3ctivity Stealer as a part of separate campaigns.
“In each campaigns, attackers hid malicious code in photographs they uploaded to archive[.]org, a file-hosting web site, and used the identical .NET loader to put in their ultimate payloads,” HP Wolf Safety stated in its Risk Insights Report for Q3 2024 shared with The Hacker Information.
The start line is a phishing e-mail that masquerades as invoices and buy orders to trick recipients into opening malicious attachments, resembling Microsoft Excel paperwork, that, when opened, exploits a recognized safety flaw in Equation Editor (CVE-2017-11882) to obtain a VBScript file.
The script, for its half, is designed to decode and run a PowerShell script that retrieves a picture hosted on archive[.]org and extracts a Base64-encoded code, which is subsequently decoded right into a .NET executable and executed.
The .NET executable serves as a loader to obtain VIP Keylogger from a given URL and runs it, permitting the risk actors to steal a variety of knowledge from the contaminated techniques, together with keystrokes, clipboard content material, screenshots, and credentials. VIP Keylogger shares purposeful overlaps with Snake Keylogger and 404 Keylogger.
The same marketing campaign has been discovered to ship malicious archive recordsdata to targets by e-mail. These messages, which pose as requests for quotations, intention to lure guests into opening a JavaScript file inside the archive that then launches a PowerShell script.
Like within the earlier case, the PowerShell script downloads a picture from a distant server, parses the Base64-encoded code inside it, and runs the identical .NET-based loader. What’s totally different is that the assault chain culminates with the deployment of an info stealer named 0bj3ctivity.
The parallels between the 2 campaigns counsel that risk actors are leveraging malware kits to enhance the general effectivity, whereas additionally decreasing the time and technical experience wanted to craft the assaults.
HP Wolf Safety additionally stated it noticed dangerous actors resorting to HTML smuggling strategies to drop the XWorm distant entry trojan (RAT) by the use of an AutoIt dropper, echoing prior campaigns that distributed AsyncRAT similarly.
“Notably, the HTML recordsdata bore hallmarks suggesting that that they had been written with the assistance of GenAI,” HP stated. “The exercise factors to the rising use of GenAI within the preliminary entry and malware supply levels of the assault chain.”
“Certainly, risk actors stand to realize quite a few advantages from GenAI, from scaling assaults and creating variations that might enhance their an infection charges, to creating attribution by community defenders tougher.”
That is not all. Risk actors have been noticed creating GitHub repositories promoting online game cheat and modification instruments in an effort to deploy the Lumma Stealer malware utilizing a .NET dropper.
“The campaigns analyzed present additional proof of the commodification of cybercrime,” Alex Holland, principal risk researcher within the HP Safety Lab, stated. “As malware-by-numbers kits are extra freely obtainable, reasonably priced, and straightforward to make use of, even novices with restricted expertise and data can put collectively an efficient an infection chain.”
