April 15, 2024 at 04:36PM
TA558 hacking group’s “SteganoAmor” campaign uses steganography to conceal and deliver various malware tools, targeting hospitality and tourism organizations worldwide. The campaign involves sending malicious emails with document attachments exploiting a Microsoft Office vulnerability. This leads to the download of various malware families, including spyware, info-stealers, RATs, and downloaders. Over 320 attacks have been identified, primarily in Latin America.
Key takeaways from the report:
1. TA558 hacking group has developed a new campaign called “SteganoAmor,” which uses steganography to hide malicious code in seemingly innocuous image and document files to deliver various malware tools onto targeted systems.
2. The campaign targets hospitality and tourism organizations worldwide, with a focus on Latin America, and has been uncovered by Positive Technologies, which observed over 320 attacks affecting various sectors and countries.
3. The attacks begin with malicious emails containing document attachments that exploit the CVE-2017-11882 flaw in Microsoft Office and lead to the download of a base64-encoded payload hidden inside an image file, eventually delivering diverse malware families including AgentTesla, FormBook, Remcos, LokiBot, Guloader, Snake Keylogger, and XWorm.
4. The final payloads and malicious scripts are often stored in legitimate cloud services like Google Drive to evade antivirus detection, and stolen information is sent to compromised legitimate FTP servers used as command and control infrastructure.
5. Most of the attacks are focused on Latin American countries, but the targeting scope extends worldwide; updating Microsoft Office to a version patched against CVE-2017-11882 is an effective defense against the SteganoAmor campaign.
For a complete list of indicators of compromise (IoCs), please refer to the report provided by Positive Technologies.
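The report says the payload is a base64 blob hidden inside an image. One cheap triage check a defender can run on image attachments is to look for base64 runs appended after the image's end-of-file marker and see what they decode to. The following is an added example, not code from Positive Technologies or the report; it assumes the blob is appended as a trailer after the PNG IEND chunk or JPEG EOI marker, and the sample image and "MZ" blob are constructed here, not real malware.

```python
import base64
import binascii
import re
from typing import Optional

PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"       # last chunk of every valid PNG
JPEG_EOI = b"\xff\xd9"                               # JPEG end-of-image marker
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")    # only long base64-looking runs


def trailing_data(blob: bytes) -> Optional[bytes]:
    """Return whatever follows the image's end marker (None if the format is unknown)."""
    if blob.startswith(b"\x89PNG"):
        idx = blob.rfind(PNG_IEND)
        return None if idx == -1 else blob[idx + len(PNG_IEND):]
    if blob.startswith(b"\xff\xd8"):
        idx = blob.rfind(JPEG_EOI)
        return None if idx == -1 else blob[idx + len(JPEG_EOI):]
    return None


def find_embedded_payloads(blob: bytes) -> list:
    """Flag base64 runs appended after the image data and classify what they decode to."""
    tail = trailing_data(blob)
    findings = []
    if not tail:
        return findings
    for m in B64_RUN.finditer(tail):
        try:
            decoded = base64.b64decode(re.sub(rb"\s", b"", m.group()), validate=True)
        except binascii.Error:
            continue  # not valid base64, just a long run of alphabet characters
        kind = "pe" if decoded.startswith(b"MZ") else "unknown"
        findings.append({"offset": m.start(), "decoded_len": len(decoded), "kind": kind})
    return findings


# Constructed samples (not real malware): tiny images with a base64 "MZ..." blob appended.
FAKE_PE = b"MZ" + b"\x90" * 100
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + PNG_IEND
STEGO_PNG = CLEAN_PNG + base64.b64encode(FAKE_PE)
STEGO_JPEG = b"\xff\xd8" + b"\x00" * 8 + JPEG_EOI + base64.b64encode(FAKE_PE)

if __name__ == "__main__":
    print(find_embedded_payloads(CLEAN_PNG))   # []
    print(find_embedded_payloads(STEGO_PNG))   # one "pe" finding, decoded_len 102
```

A hit with kind "pe" on an inbound image attachment is a strong signal to quarantine the message and inspect the full decoded trailer in a sandbox.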