
Recent investigations by HP Wolf Security have uncovered two distinct malware campaigns that use steganography to hide malicious code inside image files hosted on Archive.org. The campaigns deliver VIP Keylogger and 0bj3ctivity Stealer through closely related attack chains.
Attack Methodology:
– Initial compromise begins with phishing emails disguised as business documents
– Malicious Excel attachments exploit CVE-2017-11882, a memory-corruption flaw in the Microsoft Office Equation Editor that was patched in November 2017, so the chain only succeeds on unpatched Office installations
– Attack chain involves VBScript and PowerShell scripts
– The scripts download images from Archive.org that carry the malware as a Base64-encoded string; the encoded payload is extracted from the image file and decoded on the host
– A .NET loader executes the final payload
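As an added illustration (not part of HP Wolf Security's report or of the campaigns' own code), the following Python triage script shows how a defender can check a downloaded image for an embedded Base64 payload that decodes to a Windows executable. It assumes the encoded payload sits as one contiguous Base64 run inside the image bytes, for example appended after the JPEG end-of-image marker; the exact marker or layout used by these campaigns is not given above, so both the carrier image and the "executable" it decodes to are constructed stand-ins.

```python
import base64
import binascii
import re
import struct

# A Base64 run long enough to matter: 200+ alphabet characters plus optional padding.
# Short matches (EXIF strings, colour-profile names) fall under the length floor.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def find_base64_runs(data: bytes):
    """Yield (offset, run) for every long Base64-looking run in the file bytes."""
    for match in BASE64_RUN.finditer(data):
        yield match.start(), match.group(0)


def decode_run(run: bytes):
    """Decode a Base64 run, restoring any padding a dropper script may have omitted.

    Returns None when the run is not valid Base64 (e.g. image data that happened
    to consist only of alphabet bytes).
    """
    padded = run + b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_pe(blob: bytes) -> bool:
    """True if blob looks like a Windows PE image: 'MZ' stub and e_lfanew -> 'PE\\0\\0'."""
    if len(blob) < 64 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 60)[0]   # offset 60 = e_lfanew
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(data: bytes):
    """Report every long Base64 run in an image and whether it decodes to a PE file."""
    findings = []
    for offset, run in find_base64_runs(data):
        decoded = decode_run(run)
        if decoded is None:
            continue
        findings.append({
            "offset": offset,
            "encoded_len": len(run),
            "decoded_len": len(decoded),
            "magic": decoded[:4],
            "is_pe": is_pe(decoded),
        })
    return findings


def fake_pe() -> bytes:
    """Constructed stand-in for a dropped executable: a DOS header whose e_lfanew
    points at a 'PE\\0\\0' signature. It contains no code and cannot run."""
    header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    header += b"\x00" * (0x80 - len(header))                   # pad up to the PE signature
    return header + b"PE\x00\x00" + b"\x00" * 64


def fake_image_with_payload() -> bytes:
    """Constructed JPEG-shaped carrier: SOI/APP0 header, filler, EOI marker, then the
    Base64 payload appended after the image data (an assumed layout, not the
    campaigns' documented one)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00\x01" * 512 + b"\xff\xd9"
    return jpeg + base64.b64encode(fake_pe())


if __name__ == "__main__":
    for finding in scan_image(fake_image_with_payload()):
        print(finding)
```

Run against the constructed sample, the scanner reports one Base64 run starting right after the JPEG end-of-image marker that decodes to a 196-byte blob with an MZ/PE header. Real carriers may line-wrap the Base64 text or bracket it with custom markers; in that case strip whitespace (or match on the markers) before decoding, and treat any image that decodes to an MZ header as hostile regardless of how it was found.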
VIP Keylogger Campaign:
– Targets sensitive data including keystrokes, clipboard content, and credentials
– Shows similarities to Snake Keylogger and 404 Keylogger
– Distributed through fake invoice and purchase order emails
0bj3ctivity Stealer Campaign:
– Delivered via malicious archive files
– Poses as quotation requests
– Uses a similar delivery mechanism but a different final payload
Additional Findings:
– Threat actors increasingly rely on ready-made malware kits to run attacks efficiently
– HTML smuggling techniques observed delivering XWorm RAT
– Evidence of GenAI usage in creating attack components
– Lumma Stealer malware distributed through fake gaming cheat tools on GitHub
The proliferation of accessible malware kits has lowered the barrier to entry for cybercriminals, enabling even novice actors to conduct sophisticated attacks.