Hackers using steganography to Drop the Powload Malware & Hide Their Malvertising Traffic

Cyber criminals now approaching a unique way to spread Powload malware with the help of steganography to infect the targeted system.

Powload campaign activity distributing since 2018 through fileless techniques and hijacking email accounts to deliver the information-stealing malware such as emotet and Ursnif.

But the recent attacks employed the steganography techniques in which attackers turn from the fileless method(straight forward infection chain) that has been changed by adding additional stages to deliver the malware that helps to evade the detection.

Steganography, a method used by attackers to hide the malicious code within the image that is mainly employed by exploit kits to hide the malvertising traffic.

This unique technique used by attackers to drop and execute well-known malware such as Ursnif and Bebloh using steganography within the infection chain process.

Steganography Approach by Powload Malware

In this case, Powload malware abuse a publicly available script called (Invoke-PSImage) that helps to Embed malicious scripts in the pixels of a PNG file.

Later attackers approaching the victims via spam email campaigns that contain a document with embedded malicious macro code.

In this case, attackers using various social engineering technique lures to trick the user to download the attachment and click on it.

Infection Chain

Once victims click the document, PowerShell script will be executed and download an image hosted online that contains the malicious code.


An image containing the malicious code

According to the Trend Micro research, “The methods for region detection vary from the samples we analyzed. Some use the PowerShell command “Get-Culture” to obtain the computer’s regional settings. Others get the value of the xlCountrySetting property (which returns information about the current regional settings) in Excel to determine the affected machine’s location.”

In this case, the malicious code only executed if the infected machine location xlCountrySetting is equal to 81 (Japan) or 82 (Korea). This can be achieved using a free tool (hxxp://ipinfo.io/country) help to return an IP address’ country.

The main motivation of this campaign to steal the victim’s sensitive information, but the researchers believe that Powload also delivers the payload to perform other malicious operations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Hackers Launching Ursnif Malware via Weaponized office Document Using Steganography Technique

Hackers Now Launching Powerful Weaponized PDF Exploit using Steganography Technique

Risk with Steganography and Importance of running Steganalysis with Network Systems

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago