Cybercrime , Fraud Management & Cybercrime

Steganography Campaign Targets Global Enterprises

Financially Motivated Threat Group Embeds Malicious Code in Images
Steganography Campaign Targets Global Enterprises
The original of this image contains code that leads to an Agent Tesla infection. (Image: Positive Technologies)

Financially motivated hackers are using the oldie-but-goodie technique of hiding malicious code in digital images to target businesses in Latin America, said security researchers.

See Also: Live Webinar | Digital Doppelgängers: The Dual Faces of Deepfake Technology

Researchers from Positive Technologies identified more than 300 attacks globally and attributed them to threat actors tracked as TA558.

The threat actor, first spotted by Proofpoint in 2018, initially focused on the hospitality industry in Spanish and Portuguese countries but has lately branched out to hit victims in other industries in Russia, Romania and Turkey, according to Positive Technologies. Researchers from Cyble and MetabaseQ have also described some of the same TA558 campaigns spotted by Positive Technologies.

The cybercrime group's arsenal boasts a myriad of tools and malware, including AgentTesla, FormBook, Remcos, LokiBot, GuLoader, Snake Keylogger and XWorm.

The Positive Technologies researchers documented an infection chain for AgentTesla in which a victim downloads an Excel document that exploits a vulnerability in outdated versions of Microsoft Office. The flaw, tracked as CVE-2017-11882, allows an attacker to run arbitrary code that kicks off a sequence of calls for additional payloads that culminates in downloading an image from, a fee image hosting service.

The image, a jpeg, contains a PowerShell script that decrypts the payload from the image, downloads an additional payload and executes Agent Tesla on the victim computer. Hiding code or secret messages within another piece of data - such as an image, audio file or video - is known as steganography, or "stego."

In another scenario, a Microsoft Word document initiates a chain leading to the installation of Remcos RAT, and a similar attack chain deploys XWorm RAT through an Excel file and LokiBot through an RTF document, the researchers said.

One reason why Positive Technologies was able to examine the TA558 campaign in detail: The threat actor left servers containing files used in attacks on servers exposed to the open internet. "We also found malware logs containing stolen data on the servers with public directories."

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.