Beware! Hackers are now hiding malware in images using steganography.
TA558, a threat actor known for its sophisticated tactics, has recently been observed actively leveraging steganography to conceal malware payloads within images and text files.
The campaign, dubbed SteganoAmor, has delivered a range of malware families including Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm. The attacks primarily target the industrial, services, public, electric power, and construction sectors in Latin American countries, with some incidents reported in Russia, Romania, and Turkey.
#### Steganography: A Stealthy Approach
Steganography serves as a covert means to embed malicious payloads within seemingly innocuous files, such as images and text documents. [TA558](https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel), as originally described by Proofpoint, leverages steganography extensively, embedding VBS scripts, PowerShell code, and exploit-laden RTF documents inside these files.
By concealing malware within seemingly benign content, attackers evade detection by traditional security measures, facilitating wide-scale infiltration.
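As an added defensive example (not code from this article or from Positive Technologies), the following Python script flags image files that carry bytes past the PNG IEND chunk or the JPEG EOI marker, one crude but common way a script payload rides inside an otherwise valid image; the append-after-end-marker layout, the indicator strings and the sample files are all assumptions constructed for the demonstration.

```python
import re
import struct
import zlib
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
# Assumed indicators that trailing data is a script or document, not pixel data.
MARKERS = {"powershell": rb"powershell", "vbs-createobject": rb"CreateObject\(",
           "wscript-shell": rb"WScript\.Shell", "rtf-header": rb"\{\\rtf"}
def _png_end(data):
    """Walk PNG chunks (length, type, data, CRC); offset just past IEND, or None."""
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if ctype == b"IEND":
            return pos
    return None  # truncated or malformed: no IEND chunk
def _jpeg_end(data):
    """Walk header segments to SOS, then find EOI (FFD9). Scan data never contains FFD9
    (0xFF is byte-stuffed) and EXIF thumbnails sit before SOS, so that FFD9 is the real end."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] == 0xDA:
            idx = data.find(JPEG_EOI, pos)
            return None if idx == -1 else idx + 2
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    return None
def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the container's end marker; b'' for clean, unknown or malformed files."""
    if data.startswith(PNG_MAGIC):
        end = _png_end(data)
    elif data.startswith(JPEG_SOI):
        end = _jpeg_end(data)
    else:
        return b""
    return b"" if end is None else data[end:]
def scan_image(data: bytes) -> dict:
    """Report how much data follows the image and which script indicators it matches."""
    extra = trailing_bytes(data)
    hits = [name for name, pat in MARKERS.items() if re.search(pat, extra, re.I)]
    return {"trailing_bytes": len(extra), "indicators": hits}
# Constructed samples: a minimal 1x1 PNG and a skeletal JPEG, each with a script appended.
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
CLEAN_PNG = PNG_MAGIC + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IEND", b"")
STAGED_PNG = CLEAN_PNG + b'Set sh = CreateObject("WScript.Shell")\r\n'
CLEAN_JPEG = (JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + JPEG_EOI)
STAGED_JPEG = CLEAN_JPEG + b"powershell -enc AAAA"
```

Payloads hidden in pixel data (LSB encoding) rather than appended after the end marker will not trip this check, so treat it as one indicator among several, not a complete detector.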
#### Attack Vector and Malware Delivery
Phishing remains a prominent vector for malware delivery, with TA558 sending malicious Microsoft Excel attachments that exploit [CVE-2017-11882](https://nvd.nist.gov/vuln/detail/cve-2017-11882) to download the initial payload. These payloads, often Visual Basic Scripts, then fetch subsequent malware components from external sources.
Notably, the use of legitimate but compromised SMTP servers lends credibility to phishing emails, enhancing their effectiveness in bypassing email gateways.
#### Malware Functionality
The malware payloads delivered by TA558 cater to a spectrum of malicious activities, including remote access, data theft, and secondary payload delivery. [Agent Tesla](https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel), FormBook, [GuLoader](https://www.secureblink.com/cyber-security-news/guloader-s-latest-obfuscation-tactics-escalate-malware-analysis-complexity), LokiBot, Remcos RAT, Snake Keylogger, and XWorm are among the arsenal employed. These tools enable attackers to compromise systems, exfiltrate sensitive data, and establish footholds for further exploitation.
#### LazyStealer: A Case Study in Credential Theft
In addition to steganography-based attacks, TA558 has deployed LazyStealer, a primitive yet effective credential stealer. LazyStealer relies on unsophisticated techniques, using PyInstaller, Pyarmor, and Cython to package and obfuscate its code and evade detection. By targeting Google Chrome credentials and forwarding the stolen data to Telegram, LazyStealer underscores the threat posed by even rudimentary malware tools.
#### Attribution and Victimology
Positive Technologies' [analysis](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/) links Lazy Koala, the actor behind LazyStealer, to TA558. Lazy Koala targets governmental, financial, medical, and educational institutions across Russia, Belarus, Kazakhstan, Tajikistan, Kyrgyzstan, Armenia, and Uzbekistan. The group's tactics, techniques, and procedures (TTPs) bear resemblance to those of YoroTrooper, as evidenced by similar toolsets and victim profiles.
#### Key Takeaways and Recommendations
The TA558 campaign underscores how effective unsophisticated tools and tactics can be in cyberattacks. While sophisticated malware garners attention, attackers often succeed through simplicity and stealth.
Organizations must prioritize security measures to detect and mitigate threats like steganography-based attacks and credential stealers.
Proactive defense strategies, including robust email filtering, endpoint protection, and user education, are essential in combating evolving cyber threats.