Malicious Code Hidden in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer
January 16, 2025
Cyber criminals have been identified using a novel approach to deliver malware, hiding malicious code within images. This technique has been utilized in separate campaigns to deploy malware such as VIP Keylogger and 0bj3ctivity Stealer.
HP Wolf Security, in their Threat Insights Report for Q3 2024, noted that both campaigns involved attackers concealing malicious code in images uploaded to archive[.]org, a file-hosting website. The same .NET loader was used to install their final payloads.
These attacks begin with a phishing email, disguised as an invoice or purchase order, designed to trick recipients into opening a malicious attachment. These attachments, often Microsoft Excel documents, exploit a known security flaw in Equation Editor, CVE-2017-11882, to download a VBScript file.
This script decodes and executes a PowerShell script that retrieves an image hosted on archive[.]org and extracts Base64-encoded data embedded in it. That data is decoded into a .NET executable and run. The .NET executable acts as a loader: it downloads VIP Keylogger from a specified URL and runs it, enabling the cyber criminals to steal a broad range of data from compromised systems, including keystrokes, clipboard content, screenshots, and credentials. VIP Keylogger has functional similarities with Snake Keylogger and 404 Keylogger.
A similar campaign has been discovered to send malicious archive files to targets via email. These emails, masquerading as requests for quotations, are designed to entice recipients into opening a JavaScript file within the archive that then initiates a PowerShell script.
As in the previous case, the PowerShell script downloads an image from a remote server, extracts the Base64-encoded data within it, and runs the same .NET-based loader. In this case, however, the attack chain ends with the deployment of an information stealer named 0bj3ctivity.
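Both chains above depend on an image file carrying Base64 text that decodes to a .NET (PE) executable. The scanner below is an added example written for this article, not code from HP Wolf Security or the campaigns; it assumes the payload is stored as plain Base64 text in the file (the report does not say where in the image it sits), checks for data appended after the image's end marker, and flags any Base64 run that decodes to a valid PE header. The sample PNG and fake PE are constructed inline.

```python
import base64
import binascii
import re
import struct
import zlib

# Constructed sample (not from the campaign): a valid 1x1 PNG, then a Base64 blob appended
# after the IEND chunk that decodes to a minimal fake PE header (MZ + e_lfanew -> "PE\0\0").
def _png_chunk(tag: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

CLEAN_PNG = (b"\x89PNG\r\n\x1a\n"
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
             + _png_chunk(b"IEND", b""))
FAKE_PE = b"MZ" + b"\x90" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 100
SUSPECT_PNG = CLEAN_PNG + b"\n" + base64.b64encode(FAKE_PE)

# Bytes that legitimately end each format; anything after them is not image data.
END_MARKERS = {b"\x89PNG": b"IEND\xaeB`\x82", b"\xff\xd8": b"\xff\xd9"}
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")

def trailing_bytes(image: bytes) -> bytes:
    """Return data appended after the end-of-image marker (b'' if none or unknown type)."""
    for magic, marker in END_MARKERS.items():
        if image.startswith(magic):
            # rfind: Base64 text never contains 0xFF, so the last EOI is the real one.
            idx = image.rfind(marker)
            return image[idx + len(marker):] if idx >= 0 else b""
    return b""

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_image(image: bytes) -> dict:
    """Report appended data and any Base64 run anywhere in the file that decodes to a PE."""
    result = {"trailing_len": len(trailing_bytes(image)), "embedded_pe": False, "pe_size": 0}
    for match in B64_RUN.finditer(image):
        text = re.sub(rb"\s+", b"", match.group())
        try:
            decoded = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue  # not well-formed Base64 (bad alphabet or padding); skip the run
        if looks_like_pe(decoded):
            result.update(embedded_pe=True, pe_size=len(decoded))
            break
    return result
```

A clean image yields no trailing data and no PE hit, while the constructed sample reports both; in practice the decoded blob would then go to a sandbox or AV rather than being executed.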
The similarities between the two campaigns suggest that cyber criminals are using malware kits to enhance overall efficiency, while also reducing the time and technical expertise required to orchestrate the attacks. HP Wolf Security also noticed bad actors employing HTML smuggling techniques to deliver the XWorm remote access trojan (RAT) via an AutoIt dropper, mirroring previous campaigns that distributed AsyncRAT in a similar manner.
Threat actors have been observed creating GitHub repositories advertising video game cheat and modification tools to deploy the Lumma Stealer malware using a .NET dropper. Alex Holland, principal threat researcher in the HP Security Lab, noted that these campaigns demonstrate the increasing commodification of cybercrime, with malware kits becoming more accessible, affordable, and user-friendly, enabling even novices with limited skills and knowledge to assemble an effective infection chain.