
    Unleashing the Power of Steganography: The Latest SteganoAmor Assault on 320 Organizations Worldwide


    A new campaign, conducted by a cyber criminal organization known as TA558, is using advanced techniques to hide malicious code in images in order to distribute various forms of malware onto targeted computer systems.

    The strategy behind this type of attack, known as steganography, is to conceal the harmful code within seemingly harmless files in order to evade detection by both users and security products.

    TA558 has been active since 2018 and is notorious for targeting the hospitality and tourism industries, with a focus on Latin America. Its latest campaign, called “SteganoAmor,” was recently discovered by Positive Technologies. The researchers have identified over 320 attacks in this campaign, spanning various sectors and countries.

    The SteganoAmor Attacks

    The attack begins with a malicious email carrying seemingly innocent document attachments, such as Excel and Word files, that exploit the well-known CVE-2017-11882 vulnerability. This flaw in Microsoft Office’s Equation Editor was fixed in 2017.

    [Image] An example of a document used in the campaign. Source: Positive Technologies

    The emails are sent from compromised SMTP servers, making it difficult for the messages to be blocked, since they appear to be coming from legitimate domains.

    If the machine has an outdated version of Microsoft Office installed, opening the file triggers the exploit, which downloads a Visual Basic Script (VBS) from a legitimate “paste” service. This script then retrieves an image file (JPG) that contains a base64-encoded payload.

    [Image] The steganographic image used in the attack. Source: Positive Technologies

    The script in turn contains PowerShell code that downloads the final payload from another text file, where it is stored as a reversed base64-encoded executable to disguise it.

    [Image] The malicious code inside the text file. Source: Positive Technologies
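    The two encoding tricks described above (a base64 blob hidden in a JPG, and an executable stored as reversed base64) can be checked for directly. The Python below is an added example, not code from the Positive Technologies report or from the campaign: it looks for data appended after a JPEG’s End-Of-Image marker, decodes any long base64 run both as-is and reversed, and flags a decoded blob that starts with the “MZ” executable header. The sample images and the “MZ” stub are constructed here for illustration.

```python
import base64
import re

JPEG_EOI = b"\xff\xd9"                          # JPEG End-Of-Image marker
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{64,}")   # only long base64-looking runs


def trailing_data(jpeg: bytes) -> bytes:
    """Return bytes appended after the *last* EOI marker (thumbnails may embed an earlier one)."""
    idx = jpeg.rfind(JPEG_EOI)
    return b"" if idx == -1 else jpeg[idx + len(JPEG_EOI):]


def decode_candidates(blob: bytes):
    """Yield (label, decoded_bytes) for each base64 run, tried as-is and reversed."""
    for match in B64_RUN.finditer(blob):
        run = match.group(0)
        for label, text in (("base64", run), ("reversed-base64", run[::-1])):
            try:
                yield label, base64.b64decode(text, validate=True)
            except ValueError:          # binascii.Error is a ValueError: not valid base64
                continue


def scan_image(jpeg: bytes) -> dict:
    """Report appended data and whether it decodes to something with a DOS/PE 'MZ' header."""
    tail = trailing_data(jpeg)
    report = {"appended_bytes": len(tail), "hidden_pe": False, "encoding": None}
    for label, decoded in decode_candidates(tail):
        if decoded.startswith(b"MZ"):
            report.update(hidden_pe=True, encoding=label)
            break
    return report


# Constructed samples (not real campaign artifacts): a minimal JPEG stub with
# nothing appended, one with a base64 blob appended, one with reversed base64.
FAKE_PE = b"MZ" + b"\x90" * 90                    # header-only stub, not an executable
STUB_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI
CLEAN = STUB_JPEG
APPENDED = STUB_JPEG + base64.b64encode(FAKE_PE)
REVERSED = STUB_JPEG + base64.b64encode(FAKE_PE)[::-1]

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("appended", APPENDED), ("reversed", REVERSED)):
        print(name, scan_image(sample))
```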

    Positive Technologies has observed various versions of this attack, using different malware families such as:

    • AgentTesla – A spyware that acts as a keylogger and credential stealer, capturing keystrokes, data from the system clipboard, screenshots, and other sensitive information.
    • FormBook – A type of malware that steals information, such as credentials, from various web browsers. It also captures screenshots, records keystrokes, and can download and execute files based on the attacker’s commands.
    • Remcos – A type of malware that allows the attacker to remotely control the compromised machine, executing commands and collecting information from the webcam and microphone for surveillance purposes.
    • LokiBot – An information-stealing malware that targets data, such as usernames and passwords, from commonly used applications.
    • Guloader – A downloader used to distribute secondary payloads, which are often disguised to avoid detection by antivirus programs.
    • Snake Keylogger – A type of malware that steals data by logging keystrokes, capturing information from the system clipboard, taking screenshots, and harvesting credentials from web browsers.
    • XWorm – A Remote Access Trojan (RAT) used for remote control of the infected computer.

    The final payloads and malicious scripts are often stored on legitimate cloud services, such as Google Drive, to take advantage of their reputable status and avoid being flagged by antivirus tools.

    The stolen information is then sent to compromised FTP servers, which are used as command and control (C2) infrastructure to make the network traffic appear normal.

    Positive Technologies has discovered over 320 attacks, with the majority targeting Latin American countries. However, the scope of the targeting extends worldwide.

    [Image] Number of targets per country. Source: Positive Technologies

    Defending against SteganoAmor is relatively simple: updating Microsoft Office to a more recent version renders these specific attacks ineffective. For a complete list of Indicators of Compromise (IoCs), refer to the original report by Positive Technologies.
