New SteganoAmor Attacks Use Steganography to Target 320 Orgs Globally

The TA558 hacking group has launched a sophisticated new campaign dubbed "SteganoAmor," leveraging steganography techniques to embed malicious code within innocuous images. This technique allows them to evade detection by both users and security products, making their attacks highly stealthy. TA558 has been an active threat actor since 2018, primarily targeting hospitality and tourism organizations worldwide, with a strong focus on Latin America.

Positive Technologies recently uncovered this campaign, identifying over 320 attacks across various sectors and countries. The attackers initiate their assault by sending malicious emails containing seemingly harmless document attachments, such as Excel and Word files. These attachments exploit the CVE-2017-11882 vulnerability in Microsoft Office, a flaw that was patched in 2017 but is still prevalent in older software versions. If a victim opens the compromised document with an outdated Microsoft Office version, a VBS script is downloaded from a seemingly legitimate service. This script then retrieves a JPG image containing a hidden payload encoded in base64 within a text file. The image, using steganography, conceals PowerShell code that downloads and executes the final malware on the victim's system.
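For triage of images pulled down by a script, the following added example (not code from Positive Technologies or from the campaign) walks a JPEG's segments to find the true end-of-image marker and reports long base64 runs, noting whether each sits after that marker. It assumes the payload is stored as a plain base64 run inside or appended to the file, a detail the report summary above does not specify; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# Long unbroken base64 runs do not occur naturally in compressed JPEG data.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, or -1 if data is not a complete JPEG."""
    if data[:2] != b"\xff\xd8":                      # SOI
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                           # EOI
            return pos + 2
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2        # fill byte / marker without length
            continue
        if pos + 4 > len(data):
            return -1
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                           # SOS: skip the entropy-coded scan
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF
                and data[pos + 1] not in (0x00, 0xFF)
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return -1

def find_base64_payloads(data: bytes) -> list:
    """Report base64 runs in a JPEG and whether each sits after the image end."""
    end = jpeg_end(data)
    findings = []
    for m in B64_RUN.finditer(data):
        core = m.group().rstrip(b"=")
        decoded = base64.b64decode(core[: len(core) // 4 * 4])
        findings.append({"offset": m.start(), "encoded_len": len(m.group()),
                         "after_eoi": end >= 0 and m.start() >= end,
                         "decoded_prefix": decoded[:16]})
    return findings

def constructed_sample(payload: bytes = b"") -> bytes:
    """Constructed test input: a skeletal JPEG (not decodable), optional trailer."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + bytes(9)
    scan = b"\xff\xda" + (8).to_bytes(2, "big") + bytes(6) + b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app0 + scan + b"\xff\xd9" + base64.b64encode(payload)
```

A hit with `after_eoi` set means the file carries data an image viewer never renders; `decoded_prefix` gives an analyst the first bytes to classify.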

Security Officer Comments:
The malicious payloads delivered through SteganoAmor encompass a wide range of malware families:
  • AgentTesla: This spyware acts as a keylogger and credential stealer, capturing keystrokes and clipboard data, taking screenshots, and exfiltrating sensitive information.
  • FormBook: An infostealer malware specializing in harvesting credentials from web browsers, capturing screenshots, logging keystrokes, and executing files as directed.
  • Remcos: A remote access tool that enables attackers to manage compromised machines remotely, executing commands, capturing keystrokes, and activating the webcam and microphone for surveillance purposes.
  • LokiBot: An info-stealer focused on extracting usernames, passwords, and other valuable data from various applications.
  • Guloader: A downloader used to distribute additional payloads, often packed to evade detection by antivirus solutions.
  • Snake Keylogger: Data-stealing malware specializing in logging keystrokes, capturing clipboard data, taking screenshots, and harvesting browser credentials.
  • XWorm: A Remote Access Trojan providing attackers with remote control over infected computers.

Suggested Corrections:

While the majority of SteganoAmor attacks have been concentrated in Latin American countries, the campaign's targeting scope extends globally. Positive Technologies emphasizes that updating Microsoft Office to a more recent version can effectively thwart these attacks, as it addresses a critical vulnerability exploited in the attack chain.