    TA558 Hackers use images to launch large-scale malware attacks

By techempire
April 16, 2024 | Editorial Department | Threat Intelligence / Endpoint Security


The threat actor tracked as TA558 has been observed using steganography as an obfuscation technique to deliver a variety of malware, including Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm.

“The group made extensive use of steganography, sending VBS and PowerShell code, as well as RTF files with an embedded exploit, inside images and text files,” Russian cybersecurity firm Positive Technologies said in a report on Monday.

    The campaign was codenamed SteganoAmor due to its reliance on steganography and the choice of filenames such as Greatloverstory.vbs and easytolove.vbs.

    Most attacks targeted the industrial, service, public, power and construction sectors in Latin American countries, but companies in Russia, Romania and Turkey were also targeted.


    At the same time, TA558 was also found deploying Venom RAT through phishing attacks targeting companies in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina.

The attack chain begins with a phishing email carrying a booby-trapped Microsoft Excel attachment that exploits a now-patched security flaw in the Equation Editor (CVE-2017-11882) to download a Visual Basic script from paste[.]ee, which in turn is responsible for fetching the next-stage payload.

The obfuscated script downloads two images from external URLs, each of which carries a Base64-encoded component embedded in the image file; the components are decoded and assembled to retrieve and execute the Agent Tesla malware on the infected host.
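The two stages above (an Office lure that embeds an Equation Editor object, then an image file that carries a Base64-encoded executable) each leave a signature a mail gateway or sandbox can check for. The following is an added triage example written for this page; it is not code from Positive Technologies or from the campaign. It assumes that the lure is an RTF or OLE/OOXML Office file naming the Equation Editor class (the component CVE-2017-11882 lives in), and that the image stores its payload as a long Base64 text run that decodes to a PE file; the report only says the component is "embedded", so the scanner searches the whole image rather than one fixed location. All sample inputs are constructed, not captured artifacts.

```python
"""Triage heuristics for the two SteganoAmor stages: Equation Editor lure,
then an image carrying a Base64-encoded PE. Added example, with constructed
samples; the delimiters and layout used by the real campaign are assumed."""
import base64
import binascii
import io
import re
import uuid
import zipfile
from typing import Iterator, List, Tuple

# Equation Editor 3.0 OLE class id. OLE compound files store it as raw GUID
# bytes (mixed-endian, hence bytes_le); RTF names the class in plain text.
EQUATION_CLSID_BYTES = uuid.UUID("0002ce02-0000-0000-c000-000000000046").bytes_le
EQUATION_PROGID = re.compile(rb"Equation\.(?:2|3|DSMT4)", re.IGNORECASE)

# Where a well-formed JPEG (EOI) or PNG (IEND chunk) should end.
IMAGE_END_MARKERS = (b"\xff\xd9", b"IEND\xaeB`\x82")
# A run of Base64 alphabet long enough not to occur by accident in image data.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def iter_streams(blob: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, bytes) for every stream worth inspecting. OOXML (.xlsx,
    .docx) is a zip; embedded OLE objects live under */embeddings/."""
    if blob[:2] == b"PK" and zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                yield name, zf.read(name)
    else:
        yield "<raw>", blob


def references_equation_editor(blob: bytes) -> bool:
    """Stage-1 heuristic: does the attachment embed an Equation Editor object?
    Presence is not proof of exploitation, but inbound mail almost never has a
    benign reason to ship one, so it is a strong quarantine signal."""
    for _name, data in iter_streams(blob):
        if EQUATION_CLSID_BYTES in data or EQUATION_PROGID.search(data):
            return True
    return False


def trailer_offset(image: bytes) -> int:
    """Offset just past the image's last end marker, or -1 if none is found.
    Bytes after this point are never needed to render the picture."""
    best = -1
    for marker in IMAGE_END_MARKERS:
        idx = image.rfind(marker)
        if idx != -1:
            best = max(best, idx + len(marker))
    return best


def carve_base64_payloads(image: bytes) -> List[bytes]:
    """Stage-2 heuristic: decode every long Base64 run and keep those that
    decode to a PE (MZ header), which is what a dropped stealer build looks
    like. validate=True rejects runs that are not real Base64."""
    payloads = []
    for match in BASE64_RUN.finditer(image):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded[:2] == b"MZ":
            payloads.append(decoded)
    return payloads


def triage(blob: bytes) -> dict:
    """Combine both heuristics into one verdict for an attachment or image."""
    off = trailer_offset(blob)
    return {
        "equation_editor_object": references_equation_editor(blob),
        "image_trailer_bytes": len(blob) - off if off != -1 else 0,
        "embedded_pe_payloads": len(carve_base64_payloads(blob)),
    }


# ---- constructed samples (not real campaign artifacts) ----
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000}}}")
CLEAN_RTF = b"{\\rtf1 Quarterly figures attached. Regards.}"
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"          # stand-in for a dropper
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01\x02\x03" * 8 + b"\xff\xd9"
STEGO_TRAILER = base64.b64encode(FAKE_PE)               # assumed: payload appended as text
STEGO_JPEG = SAMPLE_JPEG + STEGO_TRAILER


def build_fake_xlsx(embed_equation: bool) -> bytes:
    """Minimal zip shaped like an .xlsx; the OLE stub only carries the CLSID."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if embed_equation:
            zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16 + EQUATION_CLSID_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("lure.rtf", SAMPLE_RTF), ("lure.xlsx", build_fake_xlsx(True)),
                        ("clean.jpg", SAMPLE_JPEG), ("stego.jpg", STEGO_JPEG)]:
        print(label, triage(blob))
```

In production the carved PE would be handed to a sandbox or hashed against intel rather than just counted, and the trailer-length signal is worth alerting on by itself: a JPEG with kilobytes of printable text after its EOI marker is suspicious even when the decoder finds nothing it recognises.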


Beyond Agent Tesla, other variants of the attack chain deliver FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger and XWorm, malware families built for remote access, data theft and staging further payloads.

Phishing emails are sent from legitimate but compromised SMTP servers, which lends the messages credibility and reduces the chance of their being blocked by email gateways. TA558 was also found using compromised FTP servers to store stolen data.

    The disclosure comes against the backdrop of a series of phishing attacks against government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan and Armenia, with attackers using malware called LazyStealer to harvest credentials from Google Chrome.


    Positive Technologies is tracking a cluster of activity called Lazy Koala, named after the user (joekoala), who is said to control the Telegram bot that received the stolen material.

    That said, victim geolocation and malware artifacts indicate a potential connection to another hacker group tracked by Cisco Talos called YoroTrooper (also known as SturgeonPhisher).

Security researcher Vladislav Lunin said: “The group's main tool is a primitive stealer, whose protection helps it evade detection, slow down analysis, grab all the stolen data and send it to Telegram, which has been gaining popularity with malicious actors for years.”

    The findings are accompanied by a series of social engineering campaigns aimed at spreading malware families such as FatalRAT and SolarMarker.
