Cyber Security News

New Steganographic Malware Hides in JPG Files to Deploy Multiple Password Stealers

A recent cybersecurity threat has emerged in the form of a steganographic campaign that uses seemingly harmless JPG files to distribute multiple types of malware, including password stealers like Remcos and AsyncRAT.

This sophisticated attack begins with a phishing email containing a malicious Excel document that exploits a known vulnerability, CVE-2017-0199, to initiate the infection chain.

Infection Chain and Malware Deployment

The Excel document, upon opening, issues an HTTP request to download a .hta file containing VBScript code.

This script writes a batch file that connects to a paste URL to download another obfuscated VBScript.

The VBScript then downloads a JPG file, which appears harmless but contains a base64 encoded malicious loader.

According to the Seqrite Blog Report, this loader is decoded and executed, leading to the deployment of the final payload.

The JPG file’s use of steganography allows it to conceal the malware effectively, making detection challenging.

Infection chain

In the case of Remcos and AsyncRAT, both are remote access Trojans (RATs) with capabilities that include command and control communication, keystroke logging, and additional payload execution.

Remcos, in particular, has been a persistent threat since its inception in 2016, known for its robust command and control features.

AsyncRAT, written in C#, offers similar functionalities with the added capability of evading detection through techniques like delayed execution.

Technical Details and Evasion Techniques

The malware uses process hollowing to inject malicious code into legitimate processes, ensuring persistence and evasion from security software.

The DLLs involved are obfuscated, with some common .NET function names obscured, making reverse engineering more difficult.

DLL code

The attack also employs masquerading techniques, where malicious scripts are disguised as genuine system files or scripts, such as “prnmngr.vbs,” which is used to manage printers, thereby avoiding suspicion.

The command and control servers for these malware variants have the capability to deploy additional payloads, further compromising the victim’s system.

The use of steganography in JPG files highlights the evolving nature of cyber threats and the need for robust cybersecurity measures to protect against such sophisticated attacks.

Users are advised to remain vigilant and adopt best practices to safeguard their systems and data integrity.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Hackers Rapidly Adopt ClickFix Technique for Sophisticated Attacks

In recent months, a sophisticated social engineering technique known as ClickFix has gained significant traction…

9 minutes ago

Supply Chain Attack Targets 23,000 GitHub Repositories

A critical security incident has been uncovered involving the popular GitHub Action tj-actions/changed-files, which is…

10 minutes ago

Beware! Malware Hidden in Free Word-to-PDF Converters

The FBI has issued a warning about a growing threat involving free file conversion tools,…

13 minutes ago

MassJacker Clipper Malware Targets Users Installing Pirated Software

A recent investigation has uncovered previously unknown cryptojacking malware, dubbed MassJacker, which primarily targets users…

14 minutes ago

SocGholish Exploits Compromised Websites to Deliver RansomHub Ransomware

SocGholish, a sophisticated malware-as-a-service (MaaS) framework, has been identified as a key enabler in the…

16 minutes ago

New C++-Based IIS Malware Mimics cmd.exe to Evade Detection

A recent discovery by Palo Alto Networks' Unit 42 has shed light on sophisticated malware…

18 minutes ago