A recent cybersecurity threat has emerged in the form of a steganographic campaign that uses seemingly harmless JPG files to distribute multiple types of malware, including password stealers like Remcos and AsyncRAT.
This sophisticated attack begins with a phishing email containing a malicious Excel document that exploits a known vulnerability, CVE-2017-0199, to initiate the infection chain.
Infection Chain and Malware Deployment
The Excel document, upon opening, issues an HTTP request to download a .hta file containing VBScript code.
.png
)
This script writes a batch file that connects to a paste URL to download another obfuscated VBScript.
The VBScript then downloads a JPG file, which appears harmless but contains a base64 encoded malicious loader.
According to the Seqrite Blog Report, this loader is decoded and executed, leading to the deployment of the final payload.
The JPG file’s use of steganography allows it to conceal the malware effectively, making detection challenging.
In the case of Remcos and AsyncRAT, both are remote access Trojans (RATs) with capabilities that include command and control communication, keystroke logging, and additional payload execution.
Remcos, in particular, has been a persistent threat since its inception in 2016, known for its robust command and control features.
AsyncRAT, written in C#, offers similar functionalities with the added capability of evading detection through techniques like delayed execution.
Technical Details and Evasion Techniques
The malware uses process hollowing to inject malicious code into legitimate processes, ensuring persistence and evasion from security software.
The DLLs involved are obfuscated, with some common .NET function names obscured, making reverse engineering more difficult.
The attack also employs masquerading techniques, where malicious scripts are disguised as genuine system files or scripts, such as “prnmngr.vbs,” which is used to manage printers, thereby avoiding suspicion.
The command and control servers for these malware variants have the capability to deploy additional payloads, further compromising the victim’s system.
The use of steganography in JPG files highlights the evolving nature of cyber threats and the need for robust cybersecurity measures to protect against such sophisticated attacks.
Users are advised to remain vigilant and adopt best practices to safeguard their systems and data integrity.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
