SteganoAmor’s Steganographic Attacks Hit 320 Organizations Worldwide


The TA558 hacking group has initiated a fresh campaign, embedding malicious code within images through steganography to distribute diverse malware tools onto specific systems.

Steganography entails the concealment of data within apparently harmless files to render them undetectable by users and security software.

Active since 2018, TA558 is a threat actor notorious for its focus on hospitality and tourism organizations globally, particularly in Latin America.

Dubbed “SteganoAmor” for its heavy reliance on steganography, the group’s latest campaign was uncovered by Positive Technologies. Researchers have identified over 320 attacks in this campaign, impacting various sectors and countries.

SteganoAmor Assaults

The attack begins with malicious emails carrying seemingly harmless document attachments (Excel and Word files) that exploit CVE-2017-11882, a well-known Microsoft Office Equation Editor flaw patched in 2017.

These emails are dispatched from compromised SMTP servers to reduce the likelihood of message blocking, appearing to originate from legitimate domains.

On systems running outdated Microsoft Office versions, opening the file triggers the exploit, which downloads a Visual Basic Script (VBS) from the legitimate service ‘paste.ee’. The script is then executed to retrieve an image file (JPG) containing a base64-encoded payload.

PowerShell code embedded in the script then retrieves the final payload, which is concealed within a text file as a reversed base64-encoded executable.
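The two encodings described above (a base64 blob appended to a JPG, and a reversed base64-encoded executable) can be triaged with a small scanner. The following is an added example written from a defender's perspective, not code from Positive Technologies or from the campaign; the sample image and the fake "MZ" stub are constructed inline.

```python
import base64
import re

JPEG_EOI = b"\xff\xd9"                               # JPEG End-Of-Image marker
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # long base64-looking run


def trailing_data(jpeg: bytes) -> bytes:
    """Return whatever follows the last EOI marker; a clean JPG has nothing there."""
    idx = jpeg.rfind(JPEG_EOI)
    return b"" if idx == -1 else jpeg[idx + len(JPEG_EOI):]


def decode_candidates(blob: bytes):
    """Try the blob as plain base64 and as reversed base64 (the trick the
    campaign uses for its final payload); yield (label, decoded) on success."""
    for label, text in (("base64", blob), ("reversed-base64", blob[::-1])):
        match = B64_RUN.search(text)
        if not match:
            continue
        try:
            yield label, base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue


def scan_image(jpeg: bytes) -> dict:
    """Flag a JPG whose trailing data decodes to a PE file or PowerShell text."""
    tail = trailing_data(jpeg)
    report = {"trailing_bytes": len(tail), "findings": []}
    for label, decoded in decode_candidates(tail):
        if decoded.startswith(b"MZ"):
            report["findings"].append(f"{label}: embedded PE executable")
        elif b"powershell" in decoded.lower():
            report["findings"].append(f"{label}: embedded PowerShell text")
    return report


# Constructed samples (not real campaign artefacts): a minimal JPG, and the
# same JPG with a fake "MZ" stub appended as reversed base64.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI
FAKE_PE = b"MZ" + b"\x90" * 58 + b"PE\x00\x00"
SUSPICIOUS_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_PE)[::-1]

if __name__ == "__main__":
    print(scan_image(CLEAN_JPEG))       # {'trailing_bytes': 0, 'findings': []}
    print(scan_image(SUSPICIOUS_JPEG))  # flags the reversed-base64 PE stub
```

Real samples may hide the blob elsewhere in the file (for example in EXIF or comment segments), so treat a clean result from this check as one signal, not proof of a benign image.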

Positive Technologies has detected various iterations of this attack chain, distributing an assortment of malware families:

  • AgentTesla: Spyware functioning as a keylogger and credential stealer, capturing keystrokes, clipboard data, screenshots, and other sensitive information.
  • FormBook: Infostealer malware harvesting credentials from web browsers, capturing screenshots, logging keystrokes, and executing files as per commands received.
  • Remcos: Malware enabling remote management of compromised machines, executing commands, logging keystrokes, and enabling surveillance through webcam and microphone.
  • LokiBot: Info-stealer targeting usernames, passwords, and other application-related data.
  • Guloader: Downloader for secondary payloads, often packed to evade antivirus detection.
  • Snake Keylogger: Data-stealing malware logging keystrokes, capturing clipboard data, taking screenshots, and harvesting browser credentials.
  • XWorm: Remote Access Trojan (RAT) providing remote control over infected computers.

Final payloads and malicious scripts are frequently stored in reputable cloud services like Google Drive to exploit their good reputation and avoid detection by antivirus tools.

Compromised legitimate FTP servers are used as command and control (C2) infrastructure to normalize traffic and transmit stolen information.

Positive Technologies uncovered over 320 attacks, predominantly concentrated in Latin American nations but with global targeting.

The utilization of a seven-year-old bug in TA558’s attack chain suggests that defending against SteganoAmor is relatively straightforward, as updating Microsoft Office to a recent version would nullify these attacks.
