Menace actors have been noticed concealing malicious code in pictures to ship malware similar to VIP Keylogger and 0bj3ctivity Stealer as a part of separate campaigns.
“In each campaigns, attackers hid malicious code in pictures they uploaded to archive[.]org, a file-hosting web site, and used the identical .NET loader to put in their ultimate payloads,” HP Wolf Safety mentioned in its Menace Insights Report for Q3 2024 shared with The Hacker Information.
The start line is a phishing e mail that masquerades as invoices and buy orders to trick recipients into opening malicious attachments, similar to Microsoft Excel paperwork, that, when opened, exploits a recognized safety flaw in Equation Editor (CVE-2017-11882) to obtain a VBScript file.
The script, for its half, is designed to decode and run a PowerShell script that retrieves a picture hosted on archive[.]org and extracts a Base64-encoded code, which is subsequently decoded right into a .NET executable and executed.
The .NET executable serves as a loader to obtain VIP Keylogger from a given URL and runs it, permitting the risk actors to steal a variety of knowledge from the contaminated techniques, together with keystrokes, clipboard content material, screenshots, and credentials. VIP Keylogger shares purposeful overlaps with Snake Keylogger and 404 Keylogger.
An analogous marketing campaign has been discovered to ship malicious archive recordsdata to targets by e mail. These messages, which pose as requests for quotations, goal to lure guests into opening a JavaScript file throughout the archive that then launches a PowerShell script.
Like within the earlier case, the PowerShell script downloads a picture from a distant server, parses the Base64-encoded code inside it, and runs the identical .NET-based loader. What’s completely different is that the assault chain culminates with the deployment of an data stealer named 0bj3ctivity.
The parallels between the 2 campaigns recommend that risk actors are leveraging malware kits to enhance the general effectivity, whereas additionally decreasing the time and technical experience wanted to craft the assaults.
HP Wolf Safety additionally mentioned it noticed unhealthy actors resorting to HTML smuggling methods to drop the XWorm distant entry trojan (RAT) via an AutoIt dropper, echoing prior campaigns that distributed AsyncRAT similarly.
“Notably, the HTML recordsdata bore hallmarks suggesting that they’d been written with the assistance of GenAI,” HP mentioned. “The exercise factors to the rising use of GenAI within the preliminary entry and malware supply levels of the assault chain.”
“Certainly, risk actors stand to achieve quite a few advantages from GenAI, from scaling assaults and creating variations that would enhance their an infection charges, to creating attribution by community defenders tougher.”
That is not all. Menace actors have been noticed creating GitHub repositories promoting online game cheat and modification instruments so as to deploy the Lumma Stealer malware utilizing a .NET dropper.
“The campaigns analyzed present additional proof of the commodification of cybercrime,” Alex Holland, principal risk researcher within the HP Safety Lab, mentioned. “As malware-by-numbers kits are extra freely accessible, inexpensive, and straightforward to make use of, even novices with restricted expertise and data can put collectively an efficient an infection chain.”