TA558 Targets 300+ Organizations Globally Using Steganography

Cybersecurity threats continue to evolve, bringing more complex methods to the forefront. A good example is the recent SteganoAmor campaign (developed by the notorious hacking group TA558) that uses steganography to launch targeted attacks on 320 organizations worldwide from various industries and sectors.

SteganoAmor attacks by country (Source: Positive Technologies)

What is Steganography?

At its core, steganography involves hiding data within other non-suspicious data, making the malicious code nearly impossible to detect with conventional security measures. In the case of SteganoAmor, the attackers embed harmful scripts inside images attached to seemingly harmless emails.

How Does SteganoAmor Operate?

The process starts with an email equipped with an attached document (like an Excel or Word file) that appears entirely normal at first glance. These documents exploit a well-known vulnerability in Microsoft Office’s Equation Editor, identified as CVE-2017-11882, which was patched back in 2017. 

Sample document used in the campaign (Source: Positive Technologies)

Nevertheless, systems running outdated versions of Office are still at risk. Once the attachment is opened, it triggers a download of a Visual Basic Script (VBS) from a legitimate online service. This script is not just any script; it’s a precursor to more dangerous steps. 

It fetches an image file from the internet, which innocently hides a base-64 encoded payload, leading to the next phase of the malware delivery. Embedded within this image is PowerShell code that further downloads the real payload. 

The payload, hidden in a text file, is encoded using base64 in reverse order. After decoding and reversing the encoding, it transforms into an executable that starts the malware’s malicious operations.

The Types of Malware Delivered by SteganoAmor

TA558 does not stick to a single type of malware and deploys a variety of harmful programs like:

• AgentTesla is a spyware that logs keystrokes, steals credentials, and captures screenshots.

• FormBook tracks and logs keystrokes, steals credentials from browsers, and can execute commands remotely.

• Remcos enables remote control of the compromised system, can execute commands, capture keystrokes, and activate audio-visual surveillance tools.

• LokiBot, Guloader, Snake Keylogger, and XWorm are among the other malicious tools spread through this campaign, each with capabilities that pose serious threats to infected systems.

The malicious scripts and final payloads are often housed on reputable cloud services like Google Drive, which helps them bypass antivirus detection. Compromised legitimate FTP servers are used for command and control operations, disguising the malicious traffic as normal activities.

How to Stay Safe

The vulnerability exploited in the SteganoAmor attacks is not new and has been known for several years.  Updating Microsoft Office to a current version effectively neutralizes the threat posed by this particular campaign

This highlights the importance of regular software updates as a defense strategy against cyber threats. For the complete list of indicators of compromise (IoCs), check out this report from Positive Technologies.

Final Word

With over 320 documented attacks, primarily targeting entities in Latin America but with victims worldwide, the SteganoAmor campaign is a reminder of the sophistication and persistence of cybercriminals. Organizations are urged to update their software regularly and monitor their systems for any unusual activities