Stealthy Image Attack: Hackers Weaponize Photos to Spread Advanced VIP Keylogger Malware

Sophisticated Malware Campaigns Leverage Image-Based Steganography

Recent investigations by HP Wolf Security have uncovered two distinct malware campaigns utilizing steganography to conceal malicious code within images hosted on Archive.org. These campaigns deploy VIP Keylogger and 0bj3ctivity Stealer through similar attack vectors.

Attack Methodology:
– Initial compromise begins with phishing emails disguised as business documents
– Malicious Excel files exploit CVE-2017-11882 (Equation Editor vulnerability)
– Attack chain involves VBScript and PowerShell scripts
– Images containing Base64-encoded malware are retrieved from Archive.org
– A .NET loader executes the final payload
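A defender-side check for the image-hosted payloads in the chain above, added here as an example and not code from the HP Wolf Security report: it assumes the Base64 text sits in the image's raw bytes (appended after the end-of-image marker is one common layout, but the page does not say how these campaigns store it) and flags long Base64 runs, data trailing the image, and runs that decode to a PE header (`MZ`). The sample images are constructed inline.

```python
import base64
import re
import struct
import zlib

# Any run of 200+ Base64 characters is suspicious inside an image file.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

def build_png() -> bytes:
    """Construct a minimal valid 1x1 PNG (sample data, not from the campaign)."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def build_samples() -> tuple:
    """Return (clean_png, tainted_png); the tainted one carries a constructed fake PE as Base64."""
    fake_pe = b"MZ" + b"\x90" * 300          # constructed stand-in, not real malware
    return build_png(), build_png() + base64.b64encode(fake_pe)

def scan_image(data: bytes) -> dict:
    """Report bytes past the end-of-image marker and embedded Base64 blobs."""
    findings = {"trailing_bytes": 0, "base64_runs": [], "hidden_pe": False}
    if data.startswith(b"\x89PNG"):
        end = data.find(b"IEND")                        # IEND tag + 4-byte CRC closes a PNG
        end_off = end + 8 if end != -1 else len(data)
    elif data.startswith(b"\xff\xd8"):
        end = data.rfind(b"\xff\xd9")                   # EOI marker closes a JPEG
        end_off = end + 2 if end != -1 else len(data)
    else:
        end_off = len(data)
    findings["trailing_bytes"] = max(0, len(data) - end_off)
    for match in BASE64_RUN.finditer(data):
        run = match.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except Exception:
            continue                                    # not valid Base64, ignore
        findings["base64_runs"].append(len(run))
        if decoded.startswith(b"MZ"):                   # decoded blob looks like a PE file
            findings["hidden_pe"] = True
    return findings

def is_suspicious(findings: dict) -> bool:
    return findings["hidden_pe"] or findings["trailing_bytes"] > 0 or bool(findings["base64_runs"])

if __name__ == "__main__":
    for label, img in zip(("clean", "tainted"), build_samples()):
        print(label, scan_image(img), is_suspicious(scan_image(img)))
```

Run it over files pulled from a proxy cache or mail gateway quarantine; a hit on `hidden_pe` is worth an alert on its own, while `trailing_bytes` alone also catches benign metadata trailers and needs triage.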

VIP Keylogger Campaign:
– Targets sensitive data including keystrokes, clipboard content, and credentials
– Shows similarities to Snake Keylogger and 404 Keylogger
– Distributed through fake invoice and purchase order emails

0bj3ctivity Stealer Campaign:
– Delivered via malicious archive files
– Poses as quotation requests
– Uses similar delivery mechanism but different final payload

Additional Findings:
– Threat actors increasingly utilize malware kits for efficient attacks
– HTML smuggling techniques observed delivering XWorm RAT
– Evidence of GenAI usage in creating attack components
– Lumma Stealer malware distributed through fake gaming cheat tools on GitHub

The proliferation of accessible malware kits has lowered the barrier to entry for cybercriminals, enabling even novice actors to conduct sophisticated attacks.