Infection by steganography

Father

The new campaign of the TA558 hack group is called SteganoAmor, as hackers use steganography and hide malicious code inside images. Positive Technologies specialists report that the group uses long attack chains that include various tools and malware, including: Agent Tesla, FormBook, Remcos, Lokibot, Guloader, SnakeKeylogger, XWorm, njRAT, EkipaRAT.

Positive Technologies experts have discovered attacks around the world that are associated with the TA558 group. According to the initial description by ProofPoint researchers, TA558 is a small, financially motivated group that has mainly attacked hotel and tourism organizations in Latin America since 2018, but has also been seen attacking North America and Western Europe.

The group actively used steganography in the attacks investigated now: payload files (in the form of VBS and PowerShell scripts and RTF documents with a built-in exploit) were transmitted inside images and text files.

The researchers noted that most RTF documents and VB scripts had names such as greatloverstory.vbs, easytolove.vbs, and iaminlovewithsomeoneshecuteandtrulyyoungunluckyshenotundersatnd_howmuchiloveherbutitsallgreatwithtrueloveriamgivingyou.doc. That is, they were associated with the word "love", so the operation was called SteganoAmor.

Typically, TA558 attacks start with malicious emails containing supposedly harmless attachments (Excel and Word files). These documents exploit the vulnerability CVE-2017-11882, which was fixed back in 2017.


Malicious email

It is noteworthy that the emails are sent from compromised SMTP servers to minimize the likelihood of the messages being blocked, since they arrive from legitimate domains.

If the victim has an old version of Microsoft Office installed, the exploit will download the VBS script from the legitimate paste service[.]ee, which will be executed to get an image file (JPG) containing a base64-encoded payload.


Image used in the attack

The script contains a base64-encoded payload for the next stage of the attack, which is a PowerShell command.

After that, the script decodes the payload from the image and downloads an additional payload from the same URL, which is written as a reversed string (that is, back to front). It is noted that this content is also a base64-encoded executable file, again in reversed form.
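As an added example (not code from the Positive Technologies report or from the group's tooling), a small Python triage helper for the carrier files described above: it takes the data appended after a JPEG's end-of-image marker (or the whole blob for a non-JPEG text carrier), tries each long base64 run both as written and reversed, and flags decoded content that references PowerShell. The sample image, indicator list and demo command are constructed for the example.

```python
import base64
import binascii
import re

JPEG_EOI = b"\xff\xd9"                              # JPEG End-Of-Image marker
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking runs
# Strings a decoded stage would need in order to hand off to PowerShell (matched case-insensitively)
INDICATORS = (b"powershell", b"Invoke-Expression", b"IEX", b"FromBase64String", b"DownloadString")


def carrier_payload(blob: bytes) -> bytes:
    """Bytes appended after the last JPEG EOI marker. If the blob is not a JPEG at all,
    scan the whole thing: the campaign also used plain text files as carriers."""
    idx = blob.rfind(JPEG_EOI)
    return blob if idx == -1 else blob[idx + len(JPEG_EOI):]


def decode_both_ways(run: bytes):
    """Try a base64 run as written and reversed (some stages are stored back to front);
    yield (orientation, decoded_bytes) for every candidate that parses."""
    for orientation, candidate in (("forward", run), ("reversed", run[::-1])):
        padded = candidate + b"=" * (-len(candidate) % 4)   # restore stripped '=' padding
        try:
            yield orientation, base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue


def scan_carrier(blob: bytes) -> list:
    """Return [(orientation, [indicators hit])] for each embedded run whose decoded
    form references PowerShell. An empty list means nothing suspicious was found."""
    findings = []
    for run in B64_RUN.findall(carrier_payload(blob)):
        for orientation, decoded in decode_both_ways(run):
            hits = [i.decode() for i in INDICATORS if i.lower() in decoded.lower()]
            if hits:
                findings.append((orientation, hits))
    return findings


# Constructed sample, not a real TA558 artifact: a stub JPEG body with a base64 blob
# appended that decodes to a harmless PowerShell one-liner.
DEMO_COMMAND = b"powershell -c Write-Host 'SteganoAmor demo'"


def make_sample(command: bytes, reverse: bool) -> bytes:
    encoded = base64.b64encode(command)
    return b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI + (encoded[::-1] if reverse else encoded)


if __name__ == "__main__":
    for flipped in (False, True):
        print("reversed" if flipped else "forward", "->", scan_carrier(make_sample(DEMO_COMMAND, flipped)))
```

A clean image yields an empty list; the reversed sample is only caught because the run is also tried back to front, which is the check a plain base64 scanner would miss.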


Malicious code inside a text file

In their report, experts note that sometimes TA558 uses different attack chains even for the same malware, not to mention different malware carriers. Hackers use malware such as Agent Tesla, Remcos, XWorm, LokiBot, GuLoader, FormBook, and Snake Keylogger.

As a result, the stolen information is sent to previously compromised FTP servers, which the attackers use as their control infrastructure so that the traffic does not arouse suspicion.

In total, Positive Technologies specialists identified more than 320 attacks aimed at companies from 31 countries, including the United States, Germany, and India. The most affected sectors are industry (21%), services (16%), the public sector (16%), electric power (8%) and construction (8%).