Wednesday, October 9, 2024
HomeComputer SecurityHackers using steganography to Drop the Powload Malware & Hide Their...

Hackers using steganography to Drop the Powload Malware & Hide Their Malvertising Traffic

Published on

Cyber criminals now approaching a unique way to spread Powload malware with the help of steganography to infect the targeted system.

Powload campaign activity distributing since 2018 through fileless techniques and hijacking email accounts to deliver the information-stealing malware such as emotet and Ursnif.

But the recent attacks employed the steganography techniques in which attackers turn from the fileless method(straight forward infection chain) that has been changed by adding additional stages to deliver the malware that helps to evade the detection.

- Advertisement - EHA

Steganography, a method used by attackers to hide the malicious code within the image that is mainly employed by exploit kits to hide the malvertising traffic.

This unique technique used by attackers to drop and execute well-known malware such as Ursnif and Bebloh using steganography within the infection chain process.

Steganography Approach by Powload Malware

In this case, Powload malware abuse a publicly available script called (Invoke-PSImage) that helps to Embed malicious scripts in the pixels of a PNG file.

Later attackers approaching the victims via spam email campaigns that contain a document with embedded malicious macro code.

In this case, attackers using various social engineering technique lures to trick the user to download the attachment and click on it.

Infection Chain

Once victims click the document, PowerShell script will be executed and download an image hosted online that contains the malicious code.


An image containing the malicious code

According to the Trend Micro research, “The methods for region detection vary from the samples we analyzed. Some use the PowerShell command “Get-Culture” to obtain the computer’s regional settings. Others get the value of the xlCountrySetting property (which returns information about the current regional settings) in Excel to determine the affected machine’s location.”

In this case, the malicious code only executed if the infected machine location xlCountrySetting is equal to 81 (Japan) or 82 (Korea). This can be achieved using a free tool (hxxp://ipinfo.io/country) help to return an IP address’ country.

The main motivation of this campaign to steal the victim’s sensitive information, but the researchers believe that Powload also delivers the payload to perform other malicious operations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Hackers Launching Ursnif Malware via Weaponized office Document Using Steganography Technique

Hackers Now Launching Powerful Weaponized PDF Exploit using Steganography Technique

Risk with Steganography and Importance of running Steganalysis with Network Systems

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Critical Automative 0-Day Flaws Let Attackers Gain Full Control Over Cars

Recent discoveries in the automotive cybersecurity landscape have unveiled a series of critical zero-day...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...