New Steganography Campaign Exploits MS Office Vulnerability to Distribute AsyncRAT

A recently uncovered cyberattack campaign has brought steganography back into the spotlight, showcasing the creative and insidious methods attackers employ to deliver malware.

This operation, dubbed the “Stego-Campaign,” exploits a known Microsoft Office vulnerability, CVE-2017-0199, to initiate infections and ultimately deploy the notorious AsyncRAT malware.

Innovative Attack Leverages Hidden Payloads in Images

The vulnerability, first reported in April 2017, enables remote code execution (RCE) without user interaction beyond opening a malicious document, making it a potent entry point for phishing-based attacks.

The attack begins with a phishing email containing a malicious Microsoft Office document that exploits CVE-2017-0199.

Once opened, the document triggers the download of a malicious HTA script, which in turn fetches a trojanized version of Prnport.vbs, a legitimate Windows script for managing printer ports.

This tampered script constructs and executes a PowerShell command to download an injector DLL hidden within an innocuous-looking image file using steganography.

Sophisticated Payload Delivery via Trojanized Scripts and Process Hollowing

The Base64-encoded injector is embedded between specific markers in the image’s source code and can be extracted and decoded using tools like CyberChef.

Analysis reveals the injector’s original namespace as Microsoft.Win32.TaskScheduler, a 32-bit DLL confirmed via tools like Detect It Easy and CFF Explorer.

The PowerShell script dynamically loads this injector via reflection, invoking a method named “VAI” to retrieve the final payload URL, which points to a reversed, Base64-encoded AsyncRAT binary.

The payload is decoded, and through a technique known as process hollowing (T1055.012), it is injected into a legitimate MSBuild.exe process, allowing the malware to run covertly under a trusted process name.

AsyncRAT, an open-source remote access tool released in 2019, provides attackers with capabilities like remote desktop access, keylogging, and the ability to deploy additional malware such as ransomware.

This campaign’s use of steganography to conceal malicious code within images exemplifies the lengths to which threat actors go to evade detection.

After invoking the VAI method, the PowerShell script reverses and decodes the payload URL, fetches the AsyncRAT binary, and employs process hollowing to execute it stealthily.

The final payload, flagged by VirusTotal, includes a configuration file revealing the command-and-control (C2) IP address, underscoring the sophisticated infrastructure behind the attack.

Steganography, while not commonly seen in the wild, remains a fascinating and dangerous technique that challenges traditional defense mechanisms, as the hidden payloads are difficult to detect without specialized analysis.

Defenders must familiarize themselves with such attack flows to mitigate similar threats effectively, focusing on phishing prevention, endpoint monitoring for suspicious process behavior, and anomaly detection in network traffic.

Indicators of Compromise (IOC)

Type	Value
Trojanized Prnport.vbs (SHA256)	1105ae14ccb41fedcf556e4c575e34e505e9a571f2021ba89a75fbe5fa12e3c0
AsyncRAT Delivery URL	hxxps[://]watchonlinehotvideos[.]site/001[.]txt
AsyncRAT (SHA256)	448ae5b8890c17a2efe49856531efd62796db52d2ff0ecbb4678334aea2bf776
AsyncRAT C2 Address	148[.]113[.]214[.]176
Injector Delivery URL	hxxps[://]1019[.]filemail[.]com/api/file/get?filekey=ZrKTNo-_DMWgm0oonSr97JAkdrUqbICVeG2LmuclzuON2ZavKqsQg0NqChSLT4A&pk_vid=342803d1cc4e3b801741606974b78eb
Injector (Namespace)	Microsoft.Win32.TaskScheduler
Injector Binary (SHA256)	8CC93827CA7652AFC8E08B9266F6567D06B932AF26B601EB7FDE10F5E5A6CB30
Injected Process Path	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!