A recently uncovered cyberattack campaign has brought steganography back into the spotlight, showcasing the creative and insidious methods attackers employ to deliver malware.
This operation, dubbed the “Stego-Campaign,” exploits a known Microsoft Office vulnerability, CVE-2017-0199, to initiate infections and ultimately deploy the notorious AsyncRAT malware.
Innovative Attack Leverages Hidden Payloads in Images
The vulnerability, first reported in April 2017, enables remote code execution (RCE) without user interaction beyond opening a malicious document, making it a potent entry point for phishing-based attacks.
The attack begins with a phishing email containing a malicious Microsoft Office document that exploits CVE-2017-0199.

Once opened, the document triggers the download of a malicious HTA script, which in turn fetches a trojanized version of Prnport.vbs, a legitimate Windows script for managing printer ports.
This tampered script constructs and executes a PowerShell command to download an injector DLL hidden within an innocuous-looking image file using steganography.
Sophisticated Payload Delivery via Trojanized Scripts and Process Hollowing
The Base64-encoded injector is embedded between specific marker strings inside the image file’s data, and can be extracted and decoded with tools like CyberChef.
Analysis shows the injector is a 32-bit .NET DLL (confirmed with tools like Detect It Easy and CFF Explorer) whose original namespace is Microsoft.Win32.TaskScheduler.
The PowerShell script dynamically loads this injector via reflection, invoking a method named “VAI” to retrieve the final payload URL, which points to a reversed, Base64-encoded AsyncRAT binary.
The payload is decoded, and through a technique known as process hollowing (T1055.012), it is injected into a legitimate MSBuild.exe process, allowing the malware to run covertly under a trusted process name.
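As an added illustration (not code from the article or from the analysts it cites), the following Python triage script does the analyst-side work the preceding paragraphs describe: it carves the Base64 blob from between two marker strings in an image file, decodes it, checks for a PE header and hashes it for comparison against known indicators, and undoes the reverse-then-Base64 obfuscation described for the payload URL. The marker strings, the sample image bytes, the sample payload and the sample URL are all constructed placeholders; the article does not name the real markers, and the order of operations for the URL (reverse the string first, then Base64-decode) is an assumption.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional

# ASSUMPTION: the article says the blob sits "between specific markers" in the
# image but does not name them; these placeholders stand in for the real ones.
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"


def carve_base64_between_markers(data: bytes,
                                 start: bytes = START_MARKER,
                                 end: bytes = END_MARKER) -> Optional[bytes]:
    """Return the decoded bytes found between start and end markers, or None."""
    s = data.find(start)
    if s == -1:
        return None
    s += len(start)
    e = data.find(end, s)
    if e == -1:
        return None
    blob = re.sub(rb"\s+", b"", data[s:e])  # tolerate line breaks inside the blob
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None


def looks_like_pe(payload: bytes) -> bool:
    """Cheap sanity check: a Windows executable starts with the 'MZ' DOS header."""
    return payload[:2] == b"MZ"


def decode_reversed_base64(text: str) -> str:
    """Undo the reverse-then-Base64 obfuscation described for the payload URL.
    ASSUMPTION: the string was Base64-encoded and then reversed, so we reverse
    it back before decoding."""
    return base64.b64decode(text[::-1]).decode("utf-8")


def triage_image(data: bytes) -> dict:
    """Summarise what a carved payload is, so it can be matched against IoCs."""
    payload = carve_base64_between_markers(data)
    if payload is None:
        return {"found": False}
    return {
        "found": True,
        "size": len(payload),
        "is_pe": looks_like_pe(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# --- Constructed sample input (not real malware bytes) ---------------------
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"CONSTRUCTED-SAMPLE-NOT-A-REAL-DLL"
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 32            # JPEG-like header (constructed)
    + START_MARKER
    + base64.b64encode(FAKE_PAYLOAD)               # the hidden Base64 blob
    + END_MARKER
    + b"\xff\xd9"                                  # JPEG end-of-image marker
)
# Constructed URL, encoded the way the article describes (Base64, then reversed).
SAMPLE_REVERSED_URL = base64.b64encode(b"https://example.invalid/001.txt").decode()[::-1]

if __name__ == "__main__":
    print(triage_image(SAMPLE_IMAGE))
    print(decode_reversed_base64(SAMPLE_REVERSED_URL))
```

The sha256 in the triage result is what you would compare against the injector hash listed in the IoC table; on a real sample, replace the placeholder markers with the ones recovered during analysis.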

AsyncRAT, an open-source remote access tool released in 2019, provides attackers with capabilities like remote desktop access, keylogging, and the ability to deploy additional malware such as ransomware.
This campaign’s use of steganography to conceal malicious code within images exemplifies the lengths to which threat actors go to evade detection.
After invoking the VAI method, the PowerShell script reverses and decodes the payload URL, fetches the AsyncRAT binary, and employs process hollowing to execute it stealthily.
The final payload, flagged by VirusTotal, includes a configuration file revealing the command-and-control (C2) IP address, underscoring the sophisticated infrastructure behind the attack.
Steganography, while not commonly seen in the wild, remains a fascinating and dangerous technique that challenges traditional defense mechanisms, as the hidden payloads are difficult to detect without specialized analysis.
Defenders must familiarize themselves with such attack flows to mitigate similar threats effectively, focusing on phishing prevention, endpoint monitoring for suspicious process behavior, and anomaly detection in network traffic.
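To make the “endpoint monitoring for suspicious process behavior” point concrete, here is an added example (not from the article or any vendor it cites) of detection logic in Python run over constructed process-creation events in a minimal Sysmon-like shape. It flags the parent/child chain the article describes (script host to PowerShell to MSBuild.exe), MSBuild.exe launched with no project on its command line, and Prnport.vbs executed from anywhere other than the directory Windows ships it in. The winword.exe to mshta.exe pair is an assumption, since the article says the document downloads an HTA but does not name the process that runs it; the sample events are constructed, not real telemetry.

```python
import ntpath
import shlex
from typing import Dict, Iterable, List

# Parent/child pairs matching the chain in the article. The Office -> mshta
# pair is an ASSUMPTION (the article does not say which process runs the HTA).
SUSPICIOUS_PARENT_CHILD = {
    ("winword.exe", "mshta.exe"),
    ("mshta.exe", "wscript.exe"),
    ("mshta.exe", "cscript.exe"),
    ("wscript.exe", "powershell.exe"),
    ("cscript.exe", "powershell.exe"),
    ("powershell.exe", "msbuild.exe"),
}

# The legitimate Prnport.vbs ships under %WINDIR%\System32\Printing_Admin_Scripts\.
LEGIT_PRNPORT_DIR_FRAGMENT = "printing_admin_scripts"


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify_event(ev: dict) -> List[str]:
    """Return the names of every rule that fires on one process-creation event."""
    hits = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    # posix=False keeps Windows quoting and does not treat backslashes as escapes.
    tokens = shlex.split(cmdline, posix=False)
    lowered = cmdline.lower()

    if (parent, image) in SUSPICIOUS_PARENT_CHILD:
        hits.append(f"suspicious_parent_child:{parent}->{image}")

    # A hollowed MSBuild.exe is typically created with nothing but its own path
    # on the command line; a real build passes a project or switches.
    if image == "msbuild.exe" and len(tokens) <= 1:
        hits.append("msbuild_without_project")

    if image in ("wscript.exe", "cscript.exe") and "prnport.vbs" in lowered \
            and LEGIT_PRNPORT_DIR_FRAGMENT not in lowered:
        hits.append("prnport_vbs_outside_system_dir")

    return hits


def scan(events: Iterable[dict]) -> Dict[int, List[str]]:
    """Map EventId -> rule hits for every event that triggered at least one rule."""
    return {ev["EventId"]: h for ev in events if (h := classify_event(ev))}


# --- Constructed sample telemetry (not real logs) ---------------------------
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
MSHTA = r"C:\Windows\System32\mshta.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
CSCRIPT = r"C:\Windows\System32\cscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"  # path from the article
CMD = r"C:\Windows\System32\cmd.exe"

SAMPLE_EVENTS = [
    {"EventId": 1, "Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{WINWORD}" /n "invoice.docx"'},
    {"EventId": 2, "Image": MSHTA, "ParentImage": WINWORD,
     "CommandLine": f'"{MSHTA}" <constructed-hta-argument>'},
    {"EventId": 3, "Image": WSCRIPT, "ParentImage": MSHTA,
     "CommandLine": r'wscript.exe C:\Users\victim\AppData\Local\Temp\Prnport.vbs'},
    {"EventId": 4, "Image": PS, "ParentImage": WSCRIPT,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command <constructed>"},
    {"EventId": 5, "Image": MSBUILD, "ParentImage": PS,
     "CommandLine": MSBUILD},                                   # hollowed: no arguments
    {"EventId": 6, "Image": MSBUILD, "ParentImage": CMD,        # benign developer build
     "CommandLine": "MSBuild.exe app.csproj /t:Build"},
    {"EventId": 7, "Image": CSCRIPT, "ParentImage": CMD,        # benign admin use
     "CommandLine": r"cscript.exe C:\Windows\System32\Printing_Admin_Scripts\en-US\Prnport.vbs -l"},
]

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Each rule on its own would be noisy in a large estate; the value is in correlating several hits along one process tree within a short window, which is what the `scan` output makes easy to do.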
Indicators of Compromise (IOC)
| Type | Value |
|---|---|
| Trojanized Prnport.vbs (SHA256) | 1105ae14ccb41fedcf556e4c575e34e505e9a571f2021ba89a75fbe5fa12e3c0 |
| AsyncRAT Delivery URL | hxxps[://]watchonlinehotvideos[.]site/001[.]txt |
| AsyncRAT (SHA256) | 448ae5b8890c17a2efe49856531efd62796db52d2ff0ecbb4678334aea2bf776 |
| AsyncRAT C2 Address | 148[.]113[.]214[.]176 |
| Injector Delivery URL | hxxps[://]1019[.]filemail[.]com/api/file/get?filekey=ZrKTNo-_DMWgm0oonSr97JAkdrUqbICVeG2LmuclzuON2ZavKqsQg0NqChSLT4A&pk_vid=342803d1cc4e3b801741606974b78eb |
| Injector (Namespace) | Microsoft.Win32.TaskScheduler |
| Injector Binary (SHA256) | 8CC93827CA7652AFC8E08B9266F6567D06B932AF26B601EB7FDE10F5E5A6CB30 |
| Injected Process Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |