A sophisticated attack campaign has been observed leveraging steganography to conceal malicious payloads within benign-looking image files, exploiting a known Microsoft Office vulnerability (CVE-2017-0199) to deliver the AsyncRAT remote access trojan.
This technique highlights the innovative means attackers employ to evade detection and achieve covert code execution.
Attack Flow and Exploitation Mechanics
The infection chain begins with a phishing email delivering a malicious MS Office document crafted to exploit CVE-2017-0199, a remote code execution vulnerability.
Upon opening the document, the vulnerability is triggered, leading to the execution of a remote script, typically an HTA file, without further user interaction.

According to the report, this script downloads a trojanized copy of the legitimate Prnport.vbs script, a Windows utility for managing printer ports. Malicious code is inserted at the start of Prnport.vbs, causing it to assemble and execute a multi-stage PowerShell command chain. The script fragments obfuscate the command structure, hindering analysis and static detection.
Through this PowerShell execution, an image file containing an embedded, base64-encoded injector DLL is downloaded from an attacker-controlled server.
The downloaded image file appears innocuous but contains base64-encoded data marked by custom delimiters (e.g., <<BASE64_START>>). Manual inspection reveals that this section decodes to a Windows DLL, originally named Microsoft.Win32.TaskScheduler.
Attackers use PowerShell to extract, decode, and load this DLL in-memory via reflection, avoiding the need for disk writes and making detection more challenging.
The DLL acts as an injector, dynamically invoking a method named VAI to retrieve the final AsyncRAT payload.
Notably, the payload URL is obfuscated and reversed in transit; after download, the data must be reversed again and decoded from base64 within memory.
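As an added defender-side triage example (not code from the report or from the campaign itself), the Python below scans a file for base64 blocks fenced by the delimiters described above, decodes each block both as-is and reversed (the ordering the report describes for the final payload), and flags any block that decodes to a PE image. The `<<BASE64_END>>` marker name and the sample image bytes are assumptions constructed for this example.

```python
import base64
import re

# Start marker as quoted in the report; the end marker name is an assumption for this example.
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"

def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def try_decode(segment: bytes):
    """Decode as-is, then reversed (the report notes the RAT was reversed before base64 decoding)."""
    for candidate, was_reversed in ((segment, False), (segment[::-1], True)):
        try:
            decoded = base64.b64decode(re.sub(rb"\s+", b"", candidate), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(decoded):
            return decoded, was_reversed
    return None, None

def scan_file_bytes(data: bytes) -> list:
    """Locate delimited base64 blocks in any file and report which of them decode to a PE image."""
    findings, pos = [], 0
    while (start := data.find(START_MARKER, pos)) != -1:
        body_start = start + len(START_MARKER)
        end = data.find(END_MARKER, body_start)
        segment = data[body_start:len(data) if end == -1 else end]
        decoded, was_reversed = try_decode(segment)
        findings.append({"offset": start, "is_pe": decoded is not None,
                         "reversed": was_reversed, "size": len(decoded or b"")})
        pos = body_start if end == -1 else end + len(END_MARKER)
    return findings

def build_fake_pe() -> bytes:
    """Constructed stand-in for a DLL: only the MZ header, e_lfanew and 'PE\\0\\0' are populated."""
    buf = bytearray(0x100)
    buf[:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

# Constructed sample: JPEG magic, filler, then the delimited base64 blob, then JPEG end marker.
SAMPLE_ENCODED = base64.b64encode(build_fake_pe())
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0" + b"\x00" * 64 + START_MARKER
                + SAMPLE_ENCODED + END_MARKER + b"\xff\xd9")
```

Run `scan_file_bytes` over any downloaded image to confirm whether a delimited block carries an executable rather than relying on the file extension or magic bytes alone.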
Process Hollowing and AsyncRAT Deployment
The final step involves process hollowing (MITRE ATT&CK T1055.012), whereby the injector spawns a legitimate MSBuild.exe process in a suspended state, hollows its memory, and injects the decoded AsyncRAT payload.

The process is then resumed, running the RAT under the guise of a trusted Windows executable. This fileless execution pathway further complicates detection and forensic analysis.
AsyncRAT, a publicly available remote access trojan, grants attackers full remote control, including keystroke logging and command execution.
It also possesses loader capabilities for further malware deployment, increasing the risk of multi-stage intrusions or ransomware attacks.
Defenders are urged to monitor for exploitation of legacy Office vulnerabilities, anomalous process creation involving scripting engines (HTA, VBS, PowerShell), unauthorized downloads from suspicious domains, and the spawning of MSBuild.exe outside typical development workflows.
Indicators of Compromise (IOC)
Type | Value |
---|---|
Trojanized Prnport.vbs (SHA256) | 1105ae14ccb41fedcf556e4c575e34e505e9a571f2021ba89a75fbe5fa12e3c0 |
AsyncRAT Delivery URL | hxxps[://]watchonlinehotvideos[.]site/001[.]txt |
AsyncRAT (Reversed & Base64) (SHA256) | 1B566924D6A602DCAC610B3BC1B40BCC1164EE10EF2E0DB6BB1D7162C4FBF9BA |
AsyncRAT Binary (SHA256) | 448ae5b8890c17a2efe49856531efd62796db52d2ff0ecbb4678334aea2bf776 |
AsyncRAT C2 Address | 148[.]113[.]214[.]176 |
Injector Delivery URL | hxxps[://]1019[.]filemail[.]com/api/file/get?filekey=ZrKTNo-_DMWgm0oonSr97JAkdrUqbICVeG2LmuclzuON2ZavKqsQg0NqChSLT4A&pk_vid=342803d1cc4e3b801741606974b78eb1 |
Injector (Namespace/File Name) | Microsoft.Win32.TaskScheduler |
Injector Hidden in Image (SHA256) | 0FF5DD1787ACC886A586282858112C6F73B48C31093080D2D8A6E66F018CE8C7 |
Injector Binary (SHA256) | 8CC93827CA7652AFC8E08B9266F6567D06B932AF26B601EB7FDE10F5E5A6CB30 |
Injected Process Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |