What Is The New Steganographic Campaign Distributing Multiple Malware

This summary covers a steganographic malware campaign that delivers several stealer and remote-access families, including Remcos and AsyncRAT. The infection proceeds in multiple stages, starting with a phishing email whose attachment carries an exploit that fetches the malicious payloads. The source stresses the need for robust security practices against such multi-stage threats. Affected: Remcos, AsyncRAT, phishing email users, cybersecurity sector

Key points:

  • The steganographic campaign distributes multiple types of malware, including Remcos and AsyncRAT.
  • The infection begins with a phishing email containing a malicious Excel file that exploits a vulnerability (CVE-2017-0199).
  • The initial infection leads to downloading an HTA file, which contains VBS code to execute further malicious actions.
  • Both Remcos and AsyncRAT are designed to steal information and maintain remote access on infected systems.
  • The malware uses masquerading techniques to disguise malicious scripts as legitimate processes.
  • Final payloads are injected into clean processes through process hollowing, which complicates detection.
  • The campaign highlights the importance of vigilance and cybersecurity measures against advanced malware tactics.

MITRE Techniques:

  • Initial Access (T1566) – Phishing emails are used to gain initial access.
  • Execution (T1204) – User execution of the malicious Excel file triggers the infection chain.
  • Persistence (T1547.001) – The malware utilizes registry run keys and startup folder to maintain persistence.
  • Defense Evasion (T1055) – Process injection is utilized to evade detection.
  • Defense Evasion (T1027) – The malware employs obfuscated files to hide its presence.
  • Defense Evasion (T1036.004) – Masquerading techniques are applied to disguise malware as legitimate tasks or services.
  • Discovery (T1614) – The malware performs system location discovery on the host before continuing the attack.
  • Exfiltration (T1041) – Malware exfiltrates data over command-and-control channels.
  • Command and Control (T1001.002) – Steganography is used to obfuscate command-and-control communications.

Indicators of Compromise:

  • [SHA-256] 9d66405aebff0080cc5d28a1684d501fa7e183dc8b6340475fc06845509cb466
  • [SHA-256] 42813b301da721c34ca1aca29ce2e4c7d71ae580b519a3332a4ba71870b6a58e
  • [SHA-256] f67c6341bfe37f5b05c00a0dda738f472fdabd6ea94ca8dc761f57f11ce12036
  • [Domain] interestedthingsforkissinggirlwithloves[.]duckdns[.]org
  • [C2 IP] 148[.]113[.]214[.]176

Full Story: https://www.seqrite.com/blog/steganographic-campaign-distributing-malware/