Friday, May 24, 2024

Hackers using steganography to Drop the Powload Malware & Hide Their Malvertising Traffic

Cyber criminals now approaching a unique way to spread Powload malware with the help of steganography to infect the targeted system.

Powload campaign activity distributing since 2018 through fileless techniques and hijacking email accounts to deliver the information-stealing malware such as emotet and Ursnif.

But the recent attacks employed the steganography techniques in which attackers turn from the fileless method(straight forward infection chain) that has been changed by adding additional stages to deliver the malware that helps to evade the detection.

Steganography, a method used by attackers to hide the malicious code within the image that is mainly employed by exploit kits to hide the malvertising traffic.

This unique technique used by attackers to drop and execute well-known malware such as Ursnif and Bebloh using steganography within the infection chain process.

Steganography Approach by Powload Malware

In this case, Powload malware abuse a publicly available script called (Invoke-PSImage) that helps to Embed malicious scripts in the pixels of a PNG file.

Later attackers approaching the victims via spam email campaigns that contain a document with embedded malicious macro code.

In this case, attackers using various social engineering technique lures to trick the user to download the attachment and click on it.

Infection Chain

Once victims click the document, PowerShell script will be executed and download an image hosted online that contains the malicious code.

An image containing the malicious code

According to the Trend Micro research, “The methods for region detection vary from the samples we analyzed. Some use the PowerShell command “Get-Culture” to obtain the computer’s regional settings. Others get the value of the xlCountrySetting property (which returns information about the current regional settings) in Excel to determine the affected machine’s location.”

In this case, the malicious code only executed if the infected machine location xlCountrySetting is equal to 81 (Japan) or 82 (Korea). This can be achieved using a free tool (hxxp:// help to return an IP address’ country.

The main motivation of this campaign to steal the victim’s sensitive information, but the researchers believe that Powload also delivers the payload to perform other malicious operations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Hackers Launching Ursnif Malware via Weaponized office Document Using Steganography Technique

Hackers Now Launching Powerful Weaponized PDF Exploit using Steganography Technique

Risk with Steganography and Importance of running Steganalysis with Network Systems


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles