The threat actor tracked as TA558 has been observed leveraging steganography as an obfuscation technique to deliver a variety of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others.
“The group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside images and text files,” Russian cybersecurity firm Positive Technologies said in a Monday report.
The campaign has been codenamed SteganoAmor for its reliance on steganography and the choice of file names such as greatloverstory.vbs and easytolove.vbs.
A majority of the attacks have targeted the industrial, services, public, electric power, and construction sectors in Latin American countries, although companies located in Russia, Romania, and Turkey have also been singled out.
The development comes as TA558 has also been observed deploying Venom RAT via phishing attacks aimed at enterprises located in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina.
It all starts with a phishing email containing a booby-trapped Microsoft Excel attachment that exploits a now-patched security flaw in Equation Editor (CVE-2017-11882) to download a Visual Basic Script that, in turn, fetches the next-stage payload from paste[.]ee.
The obfuscated malicious code takes care of downloading two images from an external URL that come embedded with a Base64-encoded section that ultimately retrieves and executes the Agent Tesla malware on the compromised host.
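As an added, defender-side example (not code from the Positive Technologies report or from the campaign), the script below checks an image file for a Base64-encoded section hidden after the image's end marker and decodes it so an analyst can see what the "image" really carries. It assumes the Base64 text is appended after the JPEG EOI or PNG IEND marker, which is an assumption about the embedding rather than something the article states; the sample image and payload are constructed.

```python
import base64
import re

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG, PNG_IEND = b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"
# Runs of Base64 alphabet (line breaks allowed) of at least 64 characters.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")
# Keywords suggesting the decoded trailer is a script stage rather than metadata.
SCRIPT_HINTS = (b"powershell", b"wscript", b"createobject", b"invoke-expression")


def trailing_data(image: bytes) -> bytes:
    """Return the bytes after the image's end marker (JPEG EOI or PNG IEND).
    Viewers stop rendering there, so appended data is invisible to a user but
    still in the file. rfind skips the EOI of any embedded JPEG thumbnail."""
    if image.startswith(JPEG_SOI):
        marker = JPEG_EOI
    elif image.startswith(PNG_SIG):
        marker = PNG_IEND
    else:
        return b""
    idx = image.rfind(marker)
    return image[idx + len(marker):] if idx != -1 else b""


def find_embedded_base64(image: bytes) -> list[bytes]:
    """Decode every well-formed Base64 run found after the image end marker."""
    blobs = []
    for match in B64_RUN.finditer(trailing_data(image)):
        chunk = re.sub(rb"\s+", b"", match.group(0))
        try:
            blobs.append(base64.b64decode(chunk, validate=True))
        except ValueError:  # bad length or padding: not a real Base64 payload
            continue
    return blobs


def looks_like_stage(decoded: bytes) -> bool:
    """Heuristic: decoded data is a PE file (MZ) or contains script keywords."""
    lowered = decoded.lower()
    return decoded.startswith(b"MZ") or any(h in lowered for h in SCRIPT_HINTS)


def scan_image(image: bytes) -> bool:
    """True when the file carries a decodable trailer that looks like a stage."""
    return any(looks_like_stage(b) for b in find_embedded_base64(image))


# Constructed sample: a tiny JPEG-shaped blob with a Base64 trailer appended.
SAMPLE_STAGE = b"powershell -NoProfile -Command Write-Host CONSTRUCTED_SAMPLE"
SAMPLE_IMAGE = JPEG_SOI + b"\x00" * 16 + JPEG_EOI + b"\n" + base64.b64encode(SAMPLE_STAGE)
```

Running `scan_image` over attachments or proxy-retrieved images flags files whose appended section decodes to script-like content; a real detection pipeline would then hand the decoded blob to a sandbox or YARA rather than act on the keyword hit alone.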
Beyond Agent Tesla, other variants of the attack chain have led to an assortment of malware such as FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm, which are designed for remote access, data theft, and delivery of secondary payloads.
The phishing emails are sent from legitimate-but-compromised SMTP servers to lend the messages a little credibility and minimize the chances of them getting blocked by email gateways. In addition, TA558 has been found to use infected FTP servers to stage the stolen data.
The disclosure comes against the backdrop of a series of phishing attacks targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia with a malware dubbed LazyStealer to harvest credentials from Google Chrome.
Positive Technologies is tracking the activity cluster under the name Lazy Koala in reference to the name of the user (joekoala), who is said to control the Telegram bots that receive the stolen data.
That said, the victim geography and the malware artifacts indicate potential links to another hacking group tracked by Cisco Talos under the name YoroTrooper (aka SturgeonPhisher).
“The group’s main tool is a primitive stealer, whose protection helps to evade detection, slow down analysis, grab all the stolen data, and send it to Telegram, which has been gaining popularity with malicious actors by the year,” security researcher Vladislav Lunin said.
The findings also follow a wave of social engineering campaigns that are designed to propagate malware families like FatalRAT and SolarMarker.