TA558 Cybercriminals Exploit Images for Broad Malware Attacks

April 16, 2024

Positive Technologies has identified a new campaign by the threat actor known as TA558, which is deploying a range of malware through an innovative use of steganography. The malware includes Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm.

The group has been hiding VBS scripts, PowerShell code, and RTF documents carrying an embedded exploit inside image and text files. The campaign, named SteganoAmor because of its reliance on steganography and its choice of file names such as greatloverstory.vbs and easytolove.vbs, has primarily targeted the industrial, services, public, electric power, and construction sectors in Latin American countries. Companies in Russia, Romania, and Turkey have also been targeted.

In addition to this, TA558 has been observed deploying the Venom RAT malware through phishing attacks targeting companies in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina. These attacks typically start with a phishing email carrying a malicious Microsoft Excel attachment that exploits CVE-2017-11882, a memory corruption flaw in the Microsoft Office Equation Editor that still works against Office installations missing the November 2017 fix, to download a Visual Basic Script. That script then downloads the next-stage payload from paste[.]ee.

The script downloads two images from an external URL. Each image file carries a Base64-encoded component embedded in it; once decoded, that component retrieves and executes the Agent Tesla malware on the infected host. Other versions of this attack have delivered an array of malware designed for remote access, data theft, and delivery of secondary payloads.
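As an added example (not code from the Positive Technologies report or from this article), the Python triage script below shows one way to check a downloaded image for a payload smuggled in as Base64 text. It assumes the text is appended after the JPEG EOI or PNG IEND marker, which is one common placement but not necessarily the layout used in these samples; the indicator strings, the `STAGER` string and the sample image bytes are constructed for the illustration.

```python
import base64
import re

# Format signatures and end-of-stream markers (values from the JPEG and PNG specs).
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG, PNG_IEND = b"\x89PNG\r\n\x1a\n", b"IEND"

# Generic loader/stager strings to look for in a decoded blob. Chosen for this
# illustration; they are not indicators taken from the reported samples.
STRING_INDICATORS = (b"WScript.Shell", b"CreateObject", b"powershell",
                     b"-EncodedCommand", b"FromBase64String", b"DownloadString")

# A Base64 run long enough to be worth decoding (short runs are usually noise).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def image_trailer(data: bytes) -> bytes:
    """Return the bytes after the end-of-image marker (empty for a clean file)."""
    if data.startswith(JPEG_SOI):
        # Base64 text never contains 0xFF, so the last EOI is the real end of the picture.
        end = data.rfind(JPEG_EOI)
        return data[end + len(JPEG_EOI):] if end != -1 else b""
    if data.startswith(PNG_SIG):
        end = data.rfind(PNG_IEND)
        return data[end + len(PNG_IEND) + 4:] if end != -1 else b""  # skip IEND's CRC
    return b""  # unknown format: nothing to say


def base64_blobs(trailer: bytes) -> list:
    """Decode every long Base64 run in the trailer, ignoring line wrapping."""
    compact = re.sub(rb"\s+", b"", trailer)
    blobs = []
    for match in B64_RUN.finditer(compact):
        run = match.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a dangling partial quantum
        try:
            blobs.append(base64.b64decode(run, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def scan_image(data: bytes) -> dict:
    """Triage one image file: trailer size, decoded blobs and the indicators they hit."""
    trailer = image_trailer(data)
    hits = []
    for blob in base64_blobs(trailer):
        found = [s.decode() for s in STRING_INDICATORS if s in blob]
        if blob[:2] == b"MZ":  # a decoded PE file is suspicious on its own
            found.append("MZ header")
        hits.append({"decoded_len": len(blob), "indicators": found})
    return {
        "trailer_len": len(trailer),
        "blobs": hits,
        "suspicious": any(h["indicators"] for h in hits),
    }


# --- constructed sample data (not real samples) ---------------------------------

# Minimal JPEG framing: SOI, a JFIF APP0 segment, filler, EOI. Not a viewable picture.
CLEAN_IMAGE = (JPEG_SOI
               + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 32 + JPEG_EOI)

# A harmless stand-in for the VBS stager a decoded blob might contain (constructed).
STAGER = (b'Set sh = CreateObject("WScript.Shell")\r\n'
          b'sh.Run "powershell -w hidden -EncodedCommand ..."\r\n')


def build_sample(script: bytes) -> bytes:
    """Image with a Base64 payload appended after EOI, wrapped at 76 columns."""
    return CLEAN_IMAGE + b"\r\n" + base64.encodebytes(script)


if __name__ == "__main__":
    print(scan_image(build_sample(STAGER)))
    print(scan_image(CLEAN_IMAGE))
```

Run against a directory of images fetched by an Office document or script (for instance from a proxy cache), a non-zero `trailer_len` alone is worth a look, since image decoders ignore trailing bytes and a well-formed picture has none.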

The phishing emails are sent from compromised SMTP servers to give them an appearance of legitimacy and improve their chances of passing email gateways (mail relayed through a legitimately configured server passes the sending domain's SPF and DKIM checks). TA558 has also been found to use compromised FTP servers to store the stolen data.

This report comes in the wake of a series of phishing attacks on government organizations in several countries with a malware called LazyStealer to harvest credentials from Google Chrome. Positive Technologies is tracking this activity under the name Lazy Koala. The malware artifacts and victim geography suggest possible connections to another hacking group tracked by Cisco Talos as YoroTrooper (aka SturgeonPhisher).

"The group's main tool is a primitive stealer, whose protection helps to evade detection, slow down analysis, grab all the stolen data, and send it to Telegram, which has been gaining popularity with malicious actors by the year," said security researcher Vladislav Lunin.

This discovery follows a surge of social engineering campaigns designed to spread malware families like FatalRAT and SolarMarker.
