A recent cybersecurity threat has emerged in the form of a steganographic campaign, where seemingly innocuous JPG files are used to distribute multiple types of malware, including password stealers like Remcos and AsyncRAT.
This sophisticated attack begins with a phishing email containing a malicious Excel document that exploits a known vulnerability, CVE-2017-0199, to initiate the infection chain.

Infection Chain and Malware Distribution
The Excel document, upon opening, issues an HTTP request to download a .hta file containing VBScript code.
This script writes a batch file that connects to a paste URL, downloading another obfuscated VBScript.
The latter script downloads a JPG file, which conceals a base64 encoded malicious loader.
Once decoded, this loader invokes a function that downloads a reversed base64 encoded file, ultimately leading to the final payload.
Both Remcos and AsyncRAT are distributed through similar initial chains, with AsyncRAT’s script masquerading as a printer management script to evade suspicion.
The JPG files used in this campaign are particularly deceptive, as they appear harmless but contain base64 encoded malware.
The malicious code is extracted between specific markers, decoded, and then executed.
The payloads, often VB.NET DLLs, are obfuscated to evade detection and masquerade as legitimate Microsoft files.
According to the Seqrite blog report, these DLLs perform process hollowing, allowing the malware to inject itself into legitimate processes, thereby maintaining persistence and evading detection.
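The detection angle a defender takes from this chain is that the JPG itself is the carrier: the file still opens as an image, but it carries a base64 (or reversed base64) payload either between delimiter strings or appended after the image data. The following scanner is an added illustration written for this article, not code from the Seqrite report or from the campaign; the marker strings, the minimal JPEG bytes and the fake PE payload are all constructed here for demonstration and are not the real campaign's values. It generalises slightly beyond the text by also checking for data appended after the JPEG end-of-image marker, which is how such payloads are commonly placed.

```python
"""Scan image files for embedded base64-encoded PE payloads.

Added example (not from the original article or report). Assumptions:
- START_MARKER / END_MARKER are hypothetical delimiters; the real ones are
  not given in the article.
- FAKE_PE and the JPEG sample bytes are constructed test data.
"""
import base64
import binascii
import hashlib
import re

JPEG_SOI = b"\xff\xd8"          # start of image
JPEG_EOI = b"\xff\xd9"          # end of image; a clean JPEG ends here

START_MARKER = b"<<BASE64_START>>"   # hypothetical delimiter
END_MARKER = b"<<BASE64_END>>"       # hypothetical delimiter

# A run of base64 alphabet long enough to hold an executable. Leading '='
# is allowed so that a *reversed* base64 string (padding first) also matches.
B64_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{256,}={0,2}")


def trailing_data(blob: bytes) -> bytes:
    """Bytes after the last EOI marker. rfind() is used because embedded
    EXIF thumbnails can carry their own EOI earlier in the file."""
    idx = blob.rfind(JPEG_EOI)
    return b"" if idx < 0 else blob[idx + 2:]


def between_markers(blob: bytes, start=START_MARKER, end=END_MARKER):
    """Return the bytes enclosed by the delimiter pair, or None."""
    s = blob.find(start)
    if s < 0:
        return None
    e = blob.find(end, s + len(start))
    if e < 0:
        return None
    return blob[s + len(start):e]


def looks_like_pe(data: bytes) -> bool:
    """Cheap check for a Windows executable (DLL or EXE) header."""
    return data[:2] == b"MZ" or b"This program cannot be run in DOS mode" in data[:1024]


def _b64(text: bytes) -> bytes:
    # Normalise: drop whitespace and existing padding, then re-pad, so that
    # chunks with padding at the wrong end (reversed strings) still decode.
    text = re.sub(rb"\s+", b"", text).strip(b"=")
    text += b"=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True)


def try_decode(chunk: bytes):
    """Try plain base64, then reversed base64 (the loader in the report
    fetches a reversed base64 file). Returns (encoding, payload) or None."""
    for encoding, text in (("base64", chunk), ("reversed-base64", chunk[::-1])):
        try:
            decoded = _b64(text)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(decoded):
            return encoding, decoded
    return None


def scan_jpeg(blob: bytes) -> dict:
    """Report appended data and any decodable PE payload found in the blob."""
    report = {
        "is_jpeg": blob.startswith(JPEG_SOI),
        "trailing_bytes": len(trailing_data(blob)),
        "hits": [],
    }
    candidates = []
    marked = between_markers(blob)
    if marked is not None:
        candidates.append(("between-markers", marked))
    for m in B64_RUN.finditer(blob):
        candidates.append(("base64-run", m.group(0)))

    seen = set()  # de-duplicate: the marker content is also a base64 run
    for where, chunk in candidates:
        result = try_decode(chunk)
        if result is None:
            continue
        encoding, payload = result
        digest = hashlib.sha256(payload).hexdigest()
        if digest in seen:
            continue
        seen.add(digest)
        report["hits"].append(
            {"where": where, "encoding": encoding, "size": len(payload), "sha256": digest}
        )
    return report


# --- constructed sample data (not real malware) ---------------------------
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 60
           + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 400)
B64_PE = base64.b64encode(FAKE_PE)
JPEG_BODY = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + JPEG_EOI

BENIGN_JPG = JPEG_BODY                                   # nothing appended
MARKER_JPG = JPEG_BODY + START_MARKER + B64_PE + END_MARKER   # delimited payload
REVERSED_JPG = JPEG_BODY + B64_PE[::-1]                  # reversed base64 appended

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JPG), ("marker", MARKER_JPG), ("reversed", REVERSED_JPG)):
        print(name, scan_jpeg(sample))
```

In a mail gateway or EDR pipeline this check runs on every image attachment or download: a JPEG with non-trivial data after its EOI marker, or with a base64 run that decodes to an MZ header, is worth quarantining even when the image renders normally. The regex threshold and the PE heuristic are deliberately simple and can be tuned per environment.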
Malware Capabilities and Command and Control
Remcos, a well-known remote access tool, has been a staple in the malware world since its inception in 2016.
It connects to command and control (C2) servers for further instructions, enabling attackers to control compromised systems remotely.
AsyncRAT, another RAT, offers features like keystroke logging and additional payload execution.
Both malware types rely on encrypted configurations and communicate with C2 servers to receive commands and exfiltrate data.
The use of steganography in this campaign highlights the evolving sophistication of cyber threats.
By embedding malicious code within seemingly harmless files, attackers can bypass traditional security measures, emphasizing the need for robust cybersecurity practices to protect against such threats.
As these campaigns continue to evolve, vigilance and advanced detection techniques are crucial to safeguarding systems and data integrity.