Hackers hide malware into website images to go unnoticed

News
By
published

Multiple groups are using the same infection chain to deliver different infostealers

Trojan
(Image credit: wk1003mike / Shutterstock)
  • Researchers say criminals are hiding malware in images hosted on reputable websites
  • At least two different groups were seen deploying two types of infostealers
  • The campaigns abuse an ancient Excel flaw, HP Wolf Security claims

Hackers are hiding malware in website images to go unnoticed and compromise as many computers as possible, experts have warned.

A new Threat Insights Report from HP Wolf Security, based on data from millions of endpoints, claims there are currently large campaigns active spreading VIP Keylogger and 0bj3ctivityStealer. Since the same techniques and loaders are used in both, the researchers suspect two groups are using the same malware kits to deliver different payloads.

“In both campaigns, attackers hid the same malicious code in images on file hosting websites like archive.org, as well as using the same loader to install the final payload,” the researchers explained. “Such techniques help attackers circumvent detection, as image files appear benign when downloaded from well-known websites, bypassing network security like web proxies that rely on reputation.”

Throwing GenAI into the mix

The attack starts with a phishing email pretending to be an invoice, or purchase order. The attachment is usually an Excel document designed to exploit CVE-2017-11882, an ancient bug in the Equation Editor, to download a VBScript file.

Alex Holland, Principal Threat Researcher in the HP Security Lab, said phishing kits, paired with Generative AI (GenAI) tools, have significantly lowered the barrier to entry, exacerbating the ever-present risk of malware: “This allows groups to concentrate on tricking their targets and picking the best payload for the job – for instance by targeting gamers with malicious cheat repositories.”

Discussing GenAI, the researchers said miscreants are using it to create malicious HTML documents. They also identified an XWorm remote access trojan (RAT) campaign initiated by HTML smuggling, which contained malicious code that downloads and runs the malware.

The loader was quite obviously written by an AI, they added, since it included a line-by-line description and the design of the HTML page.

Both VIP Keylogger and 0bj3ctivityStealer are infostealer malware which record, and exfiltrate, sensitive information such as passwords, cryptocurrency wallet information, sensitive files, and more.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.