Ethical Hacking News	
	
 
Hackers are hiding malicious code inside image files to deliver the VIP Keylogger and 0bj3ctivity Stealer malware families. The images themselves are valid pictures with a Base64-encoded .NET loader embedded in them; the picture is only a carrier, and the script that fetches it knows where the payload sits and how to decode it. Researchers at HP Wolf Security, who documented the campaigns, also note that generative AI is now turning up in the initial access and delivery stages of attack chains, letting operators produce variants of a lure or script faster and at larger scale. Defenders need to follow research of this kind, but they also need to close the well-known entry points these campaigns still rely on, starting with the 2017 Equation Editor vulnerability.
  
Image-based malware delivery has risen sharply in recent months. Threat actors host malicious images on archive[.]org (the Internet Archive) and use them to deploy VIP Keylogger and 0bj3ctivity Stealer. A phishing email lures the victim into opening a malicious attachment that exploits the Equation Editor flaw CVE-2017-11882. The exploit downloads a VBScript file, which decodes and runs a PowerShell script that retrieves an image from archive[.]org; the Base64 text inside the image decodes to a .NET loader. Generative AI is being used in the initial access and delivery stages of attack chains to make them cheaper to build and easier to scale.
 
In recent months, security researchers have tracked a marked rise in malware delivered through image files. The appeal of the technique is simple: a request for a picture from a well-known hosting site looks like ordinary web traffic, the image is a valid picture, and the malicious content is inert until a separate script extracts and decodes it. This article walks through the attack chains that were observed and the way the code is concealed inside seemingly innocuous images.
The most recent example was documented by HP Wolf Security, which found threat actors hosting malicious images on archive[.]org (the Internet Archive), used here as free file storage. The images were used to deploy VIP Keylogger and 0bj3ctivity Stealer, a keylogger and an information stealer respectively, both built to harvest sensitive data from infected systems.
The initial access step is conventional. A phishing email posing as an invoice or purchase order carries a malicious attachment, such as a Microsoft Excel document. Opening it triggers an exploit for the Equation Editor vulnerability CVE-2017-11882, a memory-corruption bug in the legacy EQNEDT32.EXE component that Microsoft patched in November 2017 and later removed from Office altogether; its continued use in 2025 shows how many targets still run unpatched or legacy installations. The exploit downloads a VBScript file to the victim's machine.
That VBScript decodes and runs a PowerShell script, which retrieves an image hosted on archive[.]org. The image carries a block of Base64 text; the PowerShell script extracts it and decodes it into a .NET executable, which acts as a loader that fetches VIP Keylogger from a hard-coded URL and runs it. From that point the operators can collect keystrokes, clipboard contents, screenshots and stored credentials from the infected host. Because the actual executable arrives disguised as an image fetched from a reputable domain, simple URL reputation or file-type filters are unlikely to flag the download.
A related campaign, which delivered 0bj3ctivity Stealer, sent malicious archive files by email. The messages posed as requests for quotation and tried to get the recipient to open a JavaScript file inside the archive; that script launched a PowerShell script, which downloaded an image from a remote server, parsed the Base64 text inside it and ran the same .NET-based loader.
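Both chains above end the same way: a script pulls down an image and decodes a Base64 blob inside it into a Windows executable. The following scanner is an added example written for this article, not code from HP Wolf Security or from the campaigns themselves. It assumes only what the text states, that the payload is a plain run of Base64 text inside an otherwise ordinary image and that it decodes to a PE file (a .NET executable is a PE). The JPEG framing, the PE header stub and the 200-character threshold are constructed for the demonstration.

```python
import base64
import re
import struct
from typing import Optional

# Added example (not HP Wolf Security's code or the campaign's tooling): a
# scanner for image files that carry a Base64-encoded Windows executable, the
# artifact the PowerShell stage looks for inside the downloaded picture.
# The image bytes, the PE stub and the threshold below are all constructed.

JPEG_SOI = b"\xff\xd8\xff\xe0"   # JPEG start-of-image + APP0 marker
JPEG_EOI = b"\xff\xd9"           # JPEG end-of-image marker

# Runs of Base64 alphabet characters long enough to hold an executable.
# Real pixel data rarely forms long runs of printable Base64 characters.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def fake_pe(size: int = 264) -> bytes:
    """Build a minimal MZ/PE header stub (constructed, not a real executable)."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)         # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew -> PE signature at 0x40
    return (bytes(hdr) + b"PE\x00\x00").ljust(size, b"\x00")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_b64_run(run: bytes) -> Optional[bytes]:
    """Decode a Base64 run, tolerating missing padding; None if it is not valid Base64."""
    padded = run + b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def scan_image(blob: bytes) -> list:
    """Report every embedded Base64 run in an image and whether it decodes to a PE file."""
    hits = []
    for m in B64_RUN.finditer(blob):
        decoded = decode_b64_run(m.group(0))
        if decoded is None:
            continue
        hits.append({
            "offset": m.start(),
            "b64_len": len(m.group(0)),
            "decoded_len": len(decoded),
            # True when the run sits past an end-of-image marker (appended trailer)
            "after_eoi": blob.rfind(JPEG_EOI, 0, m.start()) != -1,
            "pe": looks_like_pe(decoded),
        })
    return hits


def build_sample_image() -> bytes:
    """Constructed 'loader image': JPEG-shaped header and trailer with a Base64 PE appended."""
    return JPEG_SOI + b"\x00" * 64 + JPEG_EOI + base64.b64encode(fake_pe())


def build_benign_image() -> bytes:
    """Constructed image with no Base64 text run at all."""
    return JPEG_SOI + b"\x00\xff" * 100 + JPEG_EOI


if __name__ == "__main__":
    for name, img in (("sample", build_sample_image()), ("benign", build_benign_image())):
        hits = scan_image(img)
        for hit in hits:
            verdict = "PE payload" if hit["pe"] else "text blob"
            print(f"{name}: {verdict} at offset {hit['offset']}, {hit['decoded_len']} bytes decoded")
        if not hits:
            print(f"{name}: clean")
```

Run against a directory of downloaded images, a hit with `pe` set is the loader artifact; a long Base64 run that decodes to something other than a PE is still worth a look, since the same trick works for any second-stage file. The scanner deliberately ignores the image format itself, because the hidden text is not part of the picture data and would survive any format.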
The overlap between the two campaigns (different lures and first-stage scripts, but an identical image-to-loader mechanism) suggests the operators are working from the same malware kit. Kits of this kind cut both the time and the technical skill needed to run a campaign, which is why the same building blocks keep reappearing under different malware brands.
HP Wolf Security also observed attackers using HTML smuggling to deliver the XWorm remote access trojan (RAT): an HTML attachment assembles and saves a payload on the victim's machine entirely inside the browser, and that payload is an AutoIt dropper that installs XWorm. The technique closely mirrors earlier campaigns that distributed AsyncRAT the same way.
This activity points to the growing use of generative AI (GenAI) in the initial access and malware delivery stages of attack chains. For criminals the benefit is volume: a model can produce many variants of a lure, a smuggling page or a loader script on demand, so a campaign can be re-spun quickly, which scales the operation and pushes up infection rates.
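The HTML smuggling technique mentioned above can be triaged statically. The script below is an added example for this article, not HP Wolf Security's code or anything recovered from the XWorm campaign. It looks for the browser-side decode-and-save pattern (atob or Blob, an object URL, and a forced download or msSaveOrOpenBlob call) and, when the payload is an inline Base64 literal, decodes it far enough to identify the file type. The sample page, its file name and its payload are constructed; the indicator set is a heuristic, not a signature.

```python
import base64
import re

# Added example (not HP Wolf Security's code): static triage for HTML smuggling
# pages. Indicators, sample page, file name and payload are all constructed.

MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"%PDF": "pdf",
    b"\x1f\x8b": "gzip",
}

# The building blocks a smuggling page needs to turn text into a saved file.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*="),
    "ms_save": re.compile(r"msSaveOrOpenBlob"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}

ATOB_LITERAL = re.compile(r'''atob\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)''')
DOWNLOAD_NAME = re.compile(r'''\.download\s*=\s*['"]([^'"]+)['"]''')


def identify(data: bytes) -> str:
    """Classify a decoded payload by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def analyze_html(html: str) -> dict:
    """Return matched indicators, decoded inline payloads and a smuggling verdict."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = []
    for m in ATOB_LITERAL.finditer(html):
        try:
            data = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        except ValueError:
            continue
        payloads.append({"size": len(data), "kind": identify(data)})
    decodes = "atob" in matched or "blob" in matched       # text turned into bytes
    saves = "download_attr" in matched or "ms_save" in matched  # bytes written to disk
    return {
        "indicators": matched,
        "payloads": payloads,
        "download_names": DOWNLOAD_NAME.findall(html),
        "smuggling": decodes and saves,
    }


SAMPLE_PAYLOAD = b"PK\x03\x04" + b"\x00" * 36    # constructed: zip magic plus filler

# Constructed smuggling page: decode, wrap in a Blob, force a download, click it.
SAMPLE_HTML = f"""<html><body>Loading document...
<script>
var b = atob('{base64.b64encode(SAMPLE_PAYLOAD).decode()}');
var u8 = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) u8[i] = b.charCodeAt(i);
var blob = new Blob([u8], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'RFQ_2025.zip';
document.body.appendChild(a); a.click();
</script></body></html>"""

BENIGN_HTML = "<html><body><a href='brochure.pdf' download>Download brochure</a></body></html>"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, analyze_html(page))
```

The verdict requires both halves of the pattern, a decode step and a save step, because each on its own is common in legitimate front-end code. Pages that build the payload from a variable rather than a literal will still trip the indicators but yield no decoded payload, which is itself a cue to detonate the file in a sandbox rather than trust the static view.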
As the threat landscape evolves, individuals and organizations need to remain vigilant and take proactive measures. Following research from reputable sources such as HP Wolf Security is one of them, but the chains described here also point to concrete controls: apply the 2017 Equation Editor fix or remove the component, limit which users can run VBScript and PowerShell launched from email attachments, and treat a script that downloads an image and immediately decodes Base64 text from it as a strong signal, whatever the reputation of the hosting domain.
In conclusion, image-based malware delivery is a growing concern that deserves attention from defenders. As threat actors keep refining their tactics, defenders must keep pace by updating their detection strategies and tooling to cover these delivery techniques.
Related Information:
 https://thehackernews.com/2025/01/hackers-hide-malware-in-images-to.html
 https://news.hackreports.com/hackers-hide-malware-in-images-to-deploy-vip-keylogger-and-0bj3ctivity-stealer/
Published: Thu Jan 16 10:09:39 2025 by llama3.2 3B Q4_K_M