- Researchers say criminals hide malware in images hosted on reputable websites
- At least two different groups have been seen deploying two types of information stealers.
- Campaigns are abusing an old Excel flaw, says HP Wolf Security
Hackers are hiding malware in website images to go unnoticed and compromise as many computers as possible, experts have warned.
A new Threat Insights report from HP Wolf Security, based on data from millions of endpoints, claims that there are currently large active campaigns spreading VIP Keylogger and 0bj3ctivityStealer. Since the same techniques and loaders are used in both cases, researchers suspect that two groups are using the same malware kits to deliver different payloads.
“In both campaigns, the attackers hid the same malicious code in images on file-hosting websites like archive.org, and also used the same loader to install the final payload,” the researchers explained . “Such techniques help attackers bypass detection because image files appear harmless when downloaded from well-known websites, bypassing network security like web proxies that rely on reputation. »
Incorporating GenAI into the mix
The attack begins with a phishing email masquerading as an invoice or purchase order. The attachment is usually an Excel document designed to exploit CVE-2017-11882, an old Equation Editor bug, to download a VBScript file.
Alex Holland, senior threat researcher at HP Security Lab, said phishing kits, combined with Generative AI (GenAI) tools, have significantly lowered the barrier to entry, exacerbating the ever-present risk of malware: “ This allows groups to focus on deception. their targets and choosing the best payload for the job – for example targeting players with malicious cheat repositories.
About GenAI, researchers said that miscreants are using it to create malicious HTML documents. They also identified an XWorm Remote Access Trojan (RAT) campaign launched by HTML smuggler, which contained malicious code that downloaded and executed the malware.
The loader was obviously written by an AI, they added, since it included a line-by-line description and the design of the HTML page.
VIP Keylogger and 0bj3ctivityStealer are infostealer malware that records and exfiltrate sensitive information such as passwords, cryptocurrency wallet information, sensitive files, etc.
