SteganoAmor Malware Campaign

Overview

SteganoAmor is a malicious malware campaign orchestrated by the TA558 hacking group, employing steganography to embed malicious code within images. This technique disguises the malware within benign-looking files to evade detection by users and security software. TA558, active since 2018, primarily targets the hospitality and tourism sectors, especially in Latin America, though its operations have impacted various global regions.

Attack Vector

The SteganoAmor attacks commence with phishing emails that contain malicious attachments exploiting the CVE-2017-11882 vulnerability in Microsoft Office's Equation Editor. These documents trigger the download of a Visual Basic Script (VBS) that executes PowerShell code to retrieve an image file containing a base-64 encoded payload. This payload is subsequently executed to deploy various malware families onto the victim's system.

Malware Delivered

The campaign is known to deliver multiple types of malware, see all of the IoCs here.

Mitigation Strategies

Organizations are advised to take the following preventive measures:

1. Update and Patch: Ensure all systems, especially Microsoft Office, are updated to the latest versions to mitigate known vulnerabilities like CVE-2017-11882.
2. Email Security: Employ advanced email filtering solutions to detect and block phishing attempts.
3. Endpoint Protection: Use robust antivirus solutions with up-to-date definitions to detect and prevent malware infections.
4. Network Monitoring: Regularly monitor network traffic for unusual activities that may indicate C2 communications or data exfiltration.
5. User Training: Conduct regular security awareness training for employees to recognize phishing attempts and other malicious activities.

Sources

• New SteganoAmor attacks use steganography to target 320 orgs globally (Bleeping Computer)
• SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world (Positive Technologies)

Conclusion

The SteganoAmor campaign by TA558 remains a significant threat due to its sophisticated use of steganography and a wide array of malware tools. By adopting comprehensive cybersecurity measures and maintaining vigilance in network and email security, organizations can mitigate the impact of such attacks.