A recently uncovered cyberattack campaign has brought steganography back into the spotlight, showcasing the creative and insidious methods attackers employ to deliver malware.
This operation, dubbed the “Stego-Campaign,” exploits a known Microsoft Office vulnerability, CVE-2017-0199, to initiate infections and ultimately deploy the notorious AsyncRAT malware.
The vulnerability, first reported in April 2017, enables remote code execution (RCE) without user interaction beyond opening a malicious document, making it a potent entry point for phishing-based attacks.
The attack begins with a phishing email containing a malicious Microsoft Office document that exploits CVE-2017-0199.
Once opened, the document triggers the download of a malicious HTA script, which in turn fetches a trojanized version of Prnport.vbs, a legitimate Windows script for managing printer ports.
This tampered script constructs and executes a PowerShell command to download an injector DLL hidden within an innocuous-looking image file using steganography.
The Base64-encoded injector is embedded between specific marker strings inside the image file’s bytes and can be carved out and decoded with tools like CyberChef.
Analysis shows that the injector is a 32-bit DLL whose original namespace is Microsoft.Win32.TaskScheduler, as confirmed with tools like Detect It Easy and CFF Explorer.
The PowerShell script dynamically loads this injector via reflection, invoking a method named “VAI” to retrieve the final payload URL, which points to a reversed, Base64-encoded AsyncRAT binary.
The payload is decoded, and through a technique known as process hollowing (T1055.012), it is injected into a legitimate MSBuild.exe process, allowing the malware to run covertly under a trusted process name.
AsyncRAT, an open-source remote access tool released in 2019, provides attackers with capabilities like remote desktop access, keylogging, and the ability to deploy additional malware such as ransomware.
This campaign’s use of steganography to conceal malicious code within images exemplifies the lengths to which threat actors go to evade detection.
After invoking the VAI method, the PowerShell script reverses and decodes the payload URL, fetches the AsyncRAT binary, and uses process hollowing to execute it stealthily.
The final payload, flagged by VirusTotal, includes a configuration file revealing the command-and-control (C2) IP address, underscoring the infrastructure behind the attack.
Steganography, while not commonly seen in the wild, remains a fascinating and dangerous technique that challenges traditional defense mechanisms, as the hidden payloads are difficult to detect without specialized analysis.
Defenders must familiarize themselves with such attack flows to mitigate similar threats effectively, focusing on phishing prevention, endpoint monitoring for suspicious process behavior, and anomaly detection in network traffic.
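To make the endpoint-monitoring advice above concrete, here is an added Python example (not from the article) that runs a few behavioural rules over constructed process and network telemetry modelled on this chain: a script host launching PowerShell, PowerShell launching MSBuild.exe, MSBuild.exe started with no project to build (the usual sign of a hollowed host process), and MSBuild.exe connecting to a known C2 address. The log format, PIDs, paths, port and rule names are all assumptions made for the example; only the C2 address comes from the IoC table.

```python
from typing import Dict, List, Set

# Constructed sample telemetry (not a real EDR export). Fields:
#   time|event|pid|ppid|image|detail
# where detail is the command line for process events and dest ip:port for network events.
SAMPLE_LOG = """\
10:00:01|process|4100|3200|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\Prnport.vbs
10:00:02|process|4150|4100|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -c <omitted>
10:00:05|process|4200|4150|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe|MSBuild.exe
10:00:06|network|4200|4150|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe|148.113.214.176:6606
10:05:00|process|5000|2900|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe|MSBuild.exe C:\\src\\app.sln /t:Build
10:05:01|process|5100|2900|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Process
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PROJECT_EXTS = (".sln", ".csproj", ".vbproj", ".proj", ".targets")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[Dict]:
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, ev, pid, ppid, image, detail = line.split("|", 5)
        events.append({"time": t, "event": ev, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "detail": detail})
    return events


def detect(text: str, c2_iocs: Set[str]) -> List[Dict]:
    """Apply the behavioural rules and return one alert dict per hit."""
    events = parse_log(text)
    by_pid = {e["pid"]: e for e in events if e["event"] == "process"}
    alerts: List[Dict] = []

    def alert(rule: str, severity: str, e: Dict) -> None:
        alerts.append({"rule": rule, "severity": severity, "pid": e["pid"], "time": e["time"]})

    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if e["event"] == "process":
            # Rule 1: a VBS/JS script host spawning PowerShell (the Prnport.vbs stage).
            if name == "powershell.exe" and pname in SCRIPT_HOSTS:
                alert("script_host_spawns_powershell", "medium", e)
            if name == "msbuild.exe":
                # Rule 2: PowerShell launching MSBuild is rare outside build automation.
                if pname == "powershell.exe":
                    alert("powershell_spawns_msbuild", "high", e)
                # Rule 3: MSBuild with nothing to build is the hollowing pattern.
                if not any(ext in e["detail"].lower() for ext in PROJECT_EXTS):
                    alert("msbuild_without_project", "medium", e)
        elif e["event"] == "network" and name == "msbuild.exe":
            ip = e["detail"].rsplit(":", 1)[0]
            # Rule 4: any outbound connection from MSBuild deserves a look; a C2 hit is high.
            if ip in c2_iocs:
                alert("msbuild_c2_connection", "high", e)
            else:
                alert("msbuild_outbound_connection", "medium", e)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, {"148.113.214.176"}):
        print(a)
```

The legitimate build at 10:05 (MSBuild launched by some other parent with a solution file, and an interactive PowerShell session) produces no alerts, which is the point of pairing the parent-process and command-line checks rather than alerting on MSBuild.exe alone.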
| Type | Value |
|---|---|
| Trojanized Prnport.vbs (SHA256) | 1105ae14ccb41fedcf556e4c575e34e505e9a571f2021ba89a75fbe5fa12e3c0 |
| AsyncRAT Delivery URL | hxxps[://]watchonlinehotvideos[.]site/001[.]txt |
| AsyncRAT (SHA256) | 448ae5b8890c17a2efe49856531efd62796db52d2ff0ecbb4678334aea2bf776 |
| AsyncRAT C2 Address | 148[.]113[.]214[.]176 |
| Injector Delivery URL | hxxps[://]1019[.]filemail[.]com/api/file/get?filekey=ZrKTNo-_DMWgm0oonSr97JAkdrUqbICVeG2LmuclzuON2ZavKqsQg0NqChSLT4A&pk_vid=342803d1cc4e3b801741606974b78eb |
| Injector (Namespace) | Microsoft.Win32.TaskScheduler |
| Injector Binary (SHA256) | 8CC93827CA7652AFC8E08B9266F6567D06B932AF26B601EB7FDE10F5E5A6CB30 |
| Injected Process Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |