Cybercrooks are targeting organizations in the industrial sector with sophisticated attacks aimed at stealing employee credentials.

Why such a hoo-ha?

  • According to Kaspersky’s ICS CERT team, hackers targeted industrial suppliers in Japan, Italy, the UK, and Germany in highly-targeted attacks.
  • In these attacks, cybercriminals sent spearphishing emails containing Microsoft Office documents whose malicious macros execute PowerShell scripts.
  • The attackers used steganography, concealing the payload inside an image, to dodge detection and the control tools that would otherwise block malicious downloads.

There’s more to dig

  • By creating messages and documents in specific languages, the attackers discovered the geographical locations of the targets.
  • The purpose of the initial PowerShell script is to download an image from randomly chosen addresses on Imgur or Imgbox hosting services and extract the payload.
  • The concealed payload in the image is encoded using Base64, encrypted with RSA, and again encoded with Base64. An intentional error in the script creates an exception message, which is the decryption key. The exception message depends on the language used by the target’s operating system.
  • The data hidden in the images decrypts to another PowerShell script, which in turn reveals a variant of Mimikatz, the open-source application for obtaining access credentials on Windows.
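
The chain described above leaves a simple trail for defenders: an Office application starts PowerShell, and that PowerShell process then fetches something from an image host. The following is an added detection sketch, not code from Kaspersky or from this article; the event field names, host names, process IDs and URLs are constructed for illustration, and the domains assume the two services named above are reached via imgur.com and imgbox.com.

```python
from urllib.parse import urlparse

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
IMAGE_HOSTS = ("imgur.com", "imgbox.com")  # assumed domains of the services named in the article

def on_image_host(url):
    """True only for the listed domains and their subdomains (no substring matching)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in IMAGE_HOSTS)

def find_suspect_chains(process_events, network_events):
    """Return (host, pid, url) for PowerShell that was started by Office
    and then requested a URL on a public image host."""
    suspects = {
        (e["host"], e["pid"])
        for e in process_events
        if e["image"].lower() in POWERSHELL and e["parent_image"].lower() in OFFICE
    }
    return [
        (n["host"], n["pid"], n["url"])
        for n in network_events
        if (n["host"], n["pid"]) in suspects and on_image_host(n["url"])
    ]

# Constructed sample telemetry (hypothetical field names, hosts and URLs).
PROCESS_EVENTS = [
    {"host": "ws-014", "pid": 4120, "image": "powershell.exe", "parent_image": "EXCEL.EXE"},
    {"host": "ws-014", "pid": 5200, "image": "powershell.exe", "parent_image": "explorer.exe"},
    {"host": "ws-022", "pid": 3310, "image": "chrome.exe", "parent_image": "explorer.exe"},
    {"host": "ws-031", "pid": 7788, "image": "powershell.exe", "parent_image": "WINWORD.EXE"},
]
NETWORK_EVENTS = [
    {"host": "ws-014", "pid": 4120, "url": "https://i.imgur.com/EXAMPLE1.png"},
    # Interactive admin shell, not a child of Office: not matched by this rule.
    {"host": "ws-014", "pid": 5200, "url": "https://i.imgur.com/EXAMPLE2.png"},
    # Ordinary browser traffic to an image host.
    {"host": "ws-022", "pid": 3310, "url": "https://imgbox.com/EXAMPLE3"},
    # Look-alike host name: a substring check would wrongly treat this as Imgur.
    {"host": "ws-031", "pid": 7788, "url": "https://imgur.com.cdn.example/x.png"},
]

if __name__ == "__main__":
    for hit in find_suspect_chains(PROCESS_EVENTS, NETWORK_EVENTS):
        print("ALERT office->powershell->image host:", hit)
```

Office spawning PowerShell (as on ws-031) is worth its own alert regardless of destination; this rule only narrows to the image-host pattern the article describes.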

Steganography is not new

  • In August 2019, Trend Micro observed a LokiBot variant using steganography when it alerted a Southeast Asian company about a possible threat. The company received an email enclosing an attachment allegedly from an Indian confectionery company.
  • The UK-based security firm, Sophos, discovered a botnet, dubbed MyKingz, that used steganography techniques to conceal a malicious .exe file inside an image of pop singer Taylor Swift in 2019.
  • A security researcher from Bromium discovered ransomware embedded in a downloadable Super Mario image in 2019. Using steganography, the hackers sent emails enclosed with spreadsheets that had malware and a macro embedded in them.

Why should you care?

By employing steganography and public image hosting services, threat actors can easily bypass network security solutions and let their payload go undetected. The custom exception message helps the malware evade automatic analysis. Avoiding steganographic attacks begins with blocking initial access. Shielding against attack vectors by training employees to detect suspicious messages is an essential step toward an improved security approach.

Cyware Publisher