April 16, 2024 at 10:36AM
Russian cybersecurity company Positive Technologies revealed that the threat actor TA558 is using steganography to distribute malware such as Agent Tesla, FormBook, and LokiBot. The attacks, termed SteganoAmor, mainly target sectors in Latin America but have also affected companies in Russia, Romania, and Turkey. The group is also deploying Venom RAT through phishing attacks.
The key takeaways are:
1. Threat actor TA558 is utilizing steganography to deliver a variety of malware including Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm.
2. The campaign, named SteganoAmor, primarily targets industrial, services, public, electric power, and construction sectors in Latin American countries, as well as companies in Russia, Romania, and Turkey.
3. TA558 is also deploying Venom RAT via phishing attacks targeting enterprises in various countries.
4. Phishing emails from TA558 are sent from legitimate-but-compromised SMTP servers to avoid email gateway detection.
5. Positive Technologies is tracking another activity cluster under the name Lazy Koala, targeting government organizations in several countries with a malware dubbed LazyStealer.
6. The findings also reveal social engineering campaigns to spread malware families like FatalRAT and SolarMarker.
Overall, these findings highlight the sophisticated and widespread activities of threat actors using various tactics to deliver malware and conduct phishing attacks.