New Steganographic Campaign Distributing Multiple Malware Variants
March 18, 2025, 9:58 a.m.
Description
A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HTA file, which in turn downloads a VBS script. The script retrieves a JPG file concealing base64-encoded malware. The payload is then injected into legitimate processes using process hollowing techniques. The campaign demonstrates advanced evasion methods and the potential to deploy various remote access trojans, highlighting the need for robust cybersecurity practices.
Tags
Date
- Created: March 17, 2025, 6:17 p.m.
- Published: March 17, 2025, 6:17 p.m.
- Modified: March 18, 2025, 9:58 a.m.
Indicators
- faed55ed0102b1b2e3d853e8633abecbb9cec6a5f41c630097d8eaeefafba060
- f67c6341bfe37f5b05c00a0dda738f472fdabd6ea94ca8dc761f57f11ce12036
- b8fc29c02005c84131f34de083c2e81cdf615ff405877f9e73400bf35513c053
- b2e8f720740bbd46f6ae3f450f265ace1044fe232141fbd84f269eafeb290812
- aed291c023c3514fb97b4e08e291e03f52de91a2a8d311491b4ab8299db0aa0f
- 9d66405aebff0080cc5d28a1684d501fa7e183dc8b6340475fc06845509cb466
- 42813b301da721c34ca1aca29ce2e4c7d71ae580b519a3332a4ba71870b6a58e
- a582e7e5b3ac37895e7cf484aaa8ea477deb90d99b47b2d9bfc018c604573889
- 2d4ab87f9ea104075d372f4c211b1fb89adec60208d370b8fb2d748e1a73186c
- https://watchonlinehotvideos.top/omfg.jpg]
- interestedthingsforkissinggirlwithloves.duckdns.org
- freebirdkissingonmylipswithnicefeelings.duckdns.org
- watchonlinehotvideos.top
Attack Patterns
- VIPKeyLogger
- Remcos
- DcRAT
- AgentTesla
- AsyncRAT
- T1036.004
- T1547.001
- T1614
- T1055
- T1204
- T1027
- T1041
- T1566
- CVE-2017-0199