Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer


Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns.

“In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads,” HP Wolf Security said in its Threat Insights Report for Q3 2024 shared with The Hacker News.

The starting point is a phishing email that masquerades as an invoice or purchase order to trick recipients into opening a malicious attachment, such as a Microsoft Excel document, that, when opened, exploits a known security flaw in Equation Editor (CVE-2017-11882) to download a VBScript file.

The script, for its part, is designed to decode and run a PowerShell script that retrieves an image hosted on archive[.]org and extracts Base64-encoded code from it, which is subsequently decoded into a .NET executable and executed.

The .NET executable serves as a loader to download VIP Keylogger from a given URL and runs it, allowing the threat actors to steal a wide range of data from the infected systems, including keystrokes, clipboard content, screenshots, and credentials. VIP Keylogger shares functional overlaps with Snake Keylogger and 404 Keylogger.

A similar campaign has been found to send malicious archive files to targets by email. These messages, which pose as requests for quotations, aim to lure recipients into opening a JavaScript file within the archive that then launches a PowerShell script.

Like in the previous case, the PowerShell script downloads an image from a remote server, parses the Base64-encoded code within it, and runs the same .NET-based loader. What’s different is that the attack chain culminates with the deployment of an information stealer named 0bj3ctivity.
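As an added illustration from the defender's side (this is not code from HP's report or from either campaign), the triage check below looks for the two artefacts both chains leave in the downloaded image: data appended after the JPEG end-of-image marker, and a long Base64 run that decodes to a PE file, with the CLR metadata magic as a .NET hint. The image bytes, the `<<BASE64_START>>` delimiters and the fake executable are constructed for the example; the report does not give the real loaders' delimiters.

```python
import base64
import binascii
import re

# Constructed sample: stands in for an image that carries a Base64-encoded .NET
# executable after the JPEG end-of-image marker. The "executable" is a fabricated
# byte string that only mimics the MZ/PE/CLR signatures; it is not real malware.
FAKE_PAYLOAD = (
    b"MZ" + b"\x90" * 58             # fake DOS header
    + (0x80).to_bytes(4, "little")   # e_lfanew at 0x3C -> PE header at 0x80
    + b"\x00" * 64
    + b"PE\x00\x00" + b"\x00" * 40
    + b"BSJB" + b"\x00" * 32         # CLR metadata magic, hints at a .NET assembly
)
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 200 + b"\xff\xd9"  # minimal JPEG shell
    + b"<<BASE64_START>>" + base64.b64encode(FAKE_PAYLOAD) + b"<<BASE64_END>>"
)

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long Base64 runs only


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\x00\x00"


def scan_image(data: bytes) -> dict:
    """Report bytes after a JPEG EOI marker and Base64 runs that decode to a PE."""
    report = {"trailing_bytes_after_eoi": 0, "embedded_pe": []}
    if data[:2] == b"\xff\xd8":
        eoi = data.rfind(b"\xff\xd9")
        if eoi != -1:
            report["trailing_bytes_after_eoi"] = len(data) - (eoi + 2)
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a partial tail quartet
        try:
            blob = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        if looks_like_pe(blob):
            report["embedded_pe"].append(
                {"offset": m.start(), "decoded_size": len(blob), "dotnet_hint": b"BSJB" in blob}
            )
    return report


if __name__ == "__main__":
    print(scan_image(SAMPLE_IMAGE))
```

Both indicators are cheap to compute at a mail or proxy gateway and do not depend on the delimiters a particular loader uses.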

The parallels between the two campaigns suggest that threat actors are leveraging malware kits to improve overall efficiency, while also lowering the time and technical expertise needed to craft the attacks.

HP Wolf Security also said it observed bad actors resorting to HTML smuggling techniques to drop the XWorm remote access trojan (RAT) by means of an AutoIt dropper, echoing prior campaigns that distributed AsyncRAT in a similar fashion.

“Notably, the HTML files bore hallmarks suggesting that they had been written with the help of GenAI,” HP said. “The activity points to the growing use of GenAI in the initial access and malware delivery stages of the attack chain.”

“Indeed, threat actors stand to gain numerous benefits from GenAI, from scaling attacks and creating variations that could increase their infection rates, to making attribution by network defenders more difficult.”

That’s not all. Threat actors have been spotted creating GitHub repositories advertising video game cheat and modification tools in order to deploy the Lumma Stealer malware using a .NET dropper.

“The campaigns analyzed provide further evidence of the commodification of cybercrime,” Alex Holland, principal threat researcher in the HP Security Lab, said. “As malware-by-numbers kits are more freely available, affordable, and easy to use, even novices with limited skills and knowledge can put together an effective infection chain.”
