Sunday, February 23, 2025

Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer


Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns.

“In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads,” HP Wolf Security said in its Threat Insights Report for Q3 2024 shared with The Hacker News.

The starting point is a phishing email that masquerades as invoices and purchase orders to trick recipients into opening malicious attachments, such as Microsoft Excel documents, which, when opened, exploit a known security flaw in Equation Editor (CVE-2017-11882) to download a VBScript file. CVE-2017-11882 is a memory corruption bug in the legacy Equation Editor component (EQNEDT32.EXE) that Microsoft patched in November 2017, so the chain only works on Office installations that are missing that update or still have the old component in place.


The script, for its part, is designed to decode and run a PowerShell script that retrieves an image hosted on archive[.]org and extracts Base64-encoded code from it, which is then decoded into a .NET executable and run.

The .NET executable serves as a loader that downloads VIP Keylogger from a given URL and runs it, allowing the threat actors to steal a wide range of data from infected systems, including keystrokes, clipboard content, screenshots, and credentials. VIP Keylogger shares functional overlaps with Snake Keylogger and 404 Keylogger.


A similar campaign has been found to deliver malicious archive files to targets via email. These messages, which pose as requests for quotations, aim to lure victims into opening a JavaScript file within the archive that then launches a PowerShell script.

As in the previous case, the PowerShell script downloads an image from a remote server, parses the Base64-encoded code within it, and runs the same .NET-based loader. What differs is that the attack chain culminates in the deployment of an information stealer named 0bj3ctivity.


The parallels between the two campaigns suggest that threat actors are leveraging malware kits to improve overall efficiency, while also reducing the time and technical expertise needed to craft the attacks.

HP Wolf Security also said it observed bad actors resorting to HTML smuggling techniques to drop the XWorm remote access trojan (RAT) via an AutoIt dropper, echoing prior campaigns that distributed AsyncRAT in a similar manner.

“Notably, the HTML files bore hallmarks suggesting that they had been written with the help of GenAI,” HP said. “The activity points to the growing use of GenAI in the initial access and malware delivery stages of the attack chain.”


“Indeed, threat actors stand to gain a number of benefits from GenAI, from scaling attacks and creating variations that could increase their infection rates, to making attribution by network defenders more difficult.”

That's not all. Threat actors have been spotted creating GitHub repositories advertising video game cheat and modification tools in order to deploy the Lumma Stealer malware using a .NET dropper.


“The campaigns analyzed provide further evidence of the commodification of cybercrime,” Alex Holland, principal threat researcher in the HP Security Lab, said. “As malware-by-numbers kits are more freely available, affordable, and easy to use, even novices with limited skills and knowledge can put together an effective infection chain.”
