More Steganography!

June 16, 2025, 2:54 p.m.

Description

A malicious Excel file using steganography was analyzed, revealing embedded XLS sheets and a complex infection chain. The file downloads an HTA file that creates a BAT file, which in turn generates and executes a VBS file. The VBS file fetches a VBA script that creates and runs a PowerShell script. The PowerShell script downloads an image containing a hidden payload delimited by specific tags. The payload is a Base64-encoded PE file, which is decoded and executed as a DLL. The final payload appears to be a Katz stealer. This analysis highlights the use of multiple file types and steganography techniques to evade detection.

External References

https://isc.sans.edu/diary/rss/32044
https://otx.alienvault.com/pulse/684da8c81baecf48b68eb91e
Tags
powershell
steganography
excel
base64
dll
vbs
katz stealer
hta
2025-06-14

Date

  • Created: June 14, 2025, 4:52 p.m.
  • Published: June 14, 2025, 4:52 p.m.
  • Modified: June 16, 2025, 2:54 p.m.

Attack Patterns

  • Katz stealer