Hackers Hide Malware in Images to Deliver Keyloggers and Stealers

Vocabulary

Phishing Email: A fake email designed to trick people into revealing sensitive information or downloading malware.
Base64 Encoding: A method for encoding binary data as text. Often used to hide malicious code.
Keylogger: Software that records everything a user types, often to steal sensitive information.
Remote Access Trojan (RAT): Malware that gives attackers control of a victim's computer.
HTML Smuggling: A technique where attackers use HTML code to secretly deliver malware.
Generative AI (GenAI): AI tools that can create new content, such as text or code.
Malware Kit: A ready-made set of tools for creating and deploying malware.

Article:

Threat actors are using hidden code in images to spread malware like VIP Keylogger and 0bj3ctivity Stealer. These campaigns were described in HP Wolf Security’s Q3 2024 Threat Insights Report.

Attackers start by sending phishing emails pretending to be invoices or purchase orders. These emails contain malicious Microsoft Excel files. When opened, the files exploit a vulnerability in Equation Editor (CVE-2017-11882) to run a script. This script downloads an image from a file-hosting site, archive[.]org, that contains hidden code. The code is decoded into a program that installs malware like VIP Keylogger, which steals data such as keystrokes, screenshots, and passwords.

A similar campaign uses fake archive files in phishing emails. These files contain JavaScript that runs a PowerShell script to download and decode malware from an image. In this case, the malware is 0bj3ctivity, another data stealer.

Threat actors are also using HTML smuggling to deliver the XWorm remote access trojan (RAT) via an AutoIt dropper. Some of these campaigns appear to use generative AI (GenAI) to write the malicious code, making attacks more scalable and harder to detect.

Additionally, attackers have created fake GitHub repositories offering video game cheat tools, which instead deliver malware called Lumma Stealer using a .NET dropper. The rise of easy-to-use malware kits has made it simpler for inexperienced attackers to create effective attacks.
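The article says the downloaded image "contains hidden code" that is decoded into a program. One defensive check a practitioner can run on images fetched by Office or PowerShell is to look for a base64 text run appended after the image's end-of-image marker and see whether it decodes to something executable. The script below is an added example, not code from the article or from HP Wolf Security; it assumes the payload is appended after the JPEG EOI / PNG IEND marker as plain base64 (one common layout, not the only one), and the sample image and "payload" are constructed here, not real malware.

```python
import base64
import re
from typing import List, Optional

# Image signature -> the byte sequence that ends a well-formed file of that type.
END_MARKERS = {
    b"\xff\xd8": b"\xff\xd9",                 # JPEG: SOI ... EOI
    b"\x89PNG\r\n\x1a\n": b"IEND\xaeB`\x82",  # PNG: signature ... IEND chunk + CRC
}
# A base64 run long enough to be worth decoding (64+ chars, optional padding).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def trailing_data(image: bytes) -> Optional[bytes]:
    """Return bytes that follow the image's end marker, or None if the format is
    unknown, the marker is missing, or nothing meaningful trails it."""
    for magic, end in END_MARKERS.items():
        if image.startswith(magic):
            idx = image.rfind(end)          # rfind: skip markers in embedded thumbnails
            if idx == -1:
                return None
            tail = image[idx + len(end):]
            return tail if tail.strip() else None
    return None

def find_embedded_base64(image: bytes) -> List[dict]:
    """Decode each long base64 run in the trailing data and report whether it
    looks like a Windows executable (starts with 'MZ'), a classic stealer/keylogger
    delivery format. Returns one finding per decodable run."""
    findings = []
    tail = trailing_data(image)
    if not tail:
        return findings
    for m in B64_RUN.finditer(tail):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:                  # bad padding/length: not a clean blob
            continue
        findings.append({
            "offset": m.start(),
            "length": len(blob),
            "decoded_len": len(decoded),
            "looks_like_pe": decoded.startswith(b"MZ"),
        })
    return findings

# Constructed samples: a stub JPEG, once clean and once with a base64 "payload"
# appended after EOI. The payload is just an MZ header plus filler bytes.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 70
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_PAYLOAD)

if __name__ == "__main__":
    print("clean :", find_embedded_base64(CLEAN_JPEG))    # []
    print("tainted:", find_embedded_base64(SAMPLE_JPEG))  # one finding, looks_like_pe True
```

Trailing data after an image's end marker is not malicious on its own (metadata tools sometimes add it), so treat a hit as a reason to quarantine and inspect the file, not as proof of infection.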

Questions:

What are phishing emails, and how do attackers use them in these campaigns?

How do attackers hide malicious code in images?

What types of data can VIP Keylogger steal from infected systems?

What role does PowerShell play in these attacks?

How are generative AI tools (GenAI) helping threat actors?

What is the purpose of fake GitHub repositories in these campaigns?

Discussion Questions

Why do you think attackers often use file-hosting services like archive[.]org?

How can organizations better protect themselves from phishing attacks?

What are the risks of using generative AI in cyberattacks, and how can it be controlled?

What challenges do “malware kits” pose for cybersecurity professionals?

How can everyday users identify and avoid falling for phishing emails?

Do you think stricter regulations on file-hosting platforms or repositories like GitHub could reduce these threats? Why or why not?

Source: this article was adapted from The Hacker News.
