Search This Blog

Powered by Blogger.

Blog Archive

Labels

New SteganoAmor Attacks Employ Steganography to Target Organizations Globally

Updating Microsoft Office to a recent version nullifies SteganoAmor attacks, as TA558 exploits a seven-year-old bug in their attack chain.

 


An exposé has brought to light an intricate operation engineered by the TA558 hacking group, known for its previous focus on the hospitality and tourism sectors. This new offensive, dubbed "SteganoAmor," employs steganography, a technique of concealing malicious code within seemingly harmless image files, to infiltrate targeted systems worldwide. Positive Technologies, the cybersecurity firm behind the discovery, has identified over 320 instances of this attack affecting various organisations across different sectors and countries.


How SteganoAmor Attacks Work

SteganoAmor attacks start with sneaky emails that look harmless but contain files like Excel or Word documents. These files take advantage of a weakness in Microsoft Office called CVE-2017-11882, which was fixed in 2017. When someone opens these files, they unknowingly download a Visual Basic Script (VBS) from a source that seems real. This script then fetches an image file (JPG) that hides a secret payload encoded in base64 format.


Diverse Malware Payloads

The hidden payload serves as a gateway to various malware families, each with distinct functionalities:

1. AgentTesla: A spyware capable of keylogging, credential theft, and capturing screenshots.

2. FormBook: An infostealer malware adept at harvesting credentials, monitoring keystrokes, and executing downloaded files.

3. Remcos: A remote access tool enabling attackers to manage compromised machines remotely, including activating webcams and microphones.

4. LokiBot: Another infostealer focusing on extracting sensitive information from commonly used applications.

5. Guloader: It serves as a downloader in cyberattacks, distributing secondary payloads to evade antivirus detection.

6. Snake Keylogger: Snake Keylogger is malware designed to steal data by logging keystrokes, capturing screenshots, and harvesting credentials from web browsers.

7. XWorm : It functions as a Remote Access Trojan (RAT), granting attackers remote control over compromised computers for executing commands and accessing sensitive information.


To evade detection, the final payloads and malicious scripts are often stored in reputable cloud services like Google Drive. Additionally, stolen data is transmitted to compromised FTP servers, masquerading as normal traffic.


Protective Measures

Despite the complexity of the attack, safeguarding against SteganoAmor is relatively straightforward. Updating Microsoft Office to the latest version eliminates the vulnerability exploited by the attackers, rendering their tactics ineffective.


Global Impact

While the primary targets seem concentrated in Latin America, the reach of SteganoAmor extends worldwide, posing a significant threat to organisations globally.


As these threats are taking new shape and form, staying aware and implementing timely updates remain crucial defences against cyber threats of any capacity. 


Share it:

Data Privacy

malware

Microsoft Office

Steganography

TA558