SteganoAmor Attack Operation Uses Images to Spread Malware
The threat group known as TA558 has been observed employing steganography, a technique of concealing data within images and text files, to distribute various types of malware including Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm.
Russian cybersecurity firm Positive Technologies reported on Monday that TA558 makes extensive use of steganography, embedding malicious scripts and documents inside images and text files carrying names such as greatloverstory.vbs and easytolove.vbs. The campaign, dubbed SteganoAmor, primarily targets the industrial, services, public, electric power, and construction sectors in Latin American countries, although companies in Russia, Romania, and Turkey have also been affected.
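A defender-side check for the kind of image-borne script delivery described above, written here as an added example rather than code from Positive Technologies or the article. It assumes the payload is simply appended after the PNG IEND chunk (a common form of "steganography" in malware droppers; the report's exact embedding method is not stated on the page), walks the chunk structure to find trailing data, and flags script-like tokens in it. The sample PNG and the token list are constructed for the demonstration.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed heuristic: tokens typical of VBScript/PowerShell droppers.
SCRIPT_TOKENS = re.compile(rb"(CreateObject|WScript\.Shell|powershell|<script|eval\()", re.I)


def png_trailing_data(data: bytes) -> bytes:
    """Walk PNG chunks up to IEND and return any bytes appended after it."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + chunk data + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        pos = end
        if ctype == b"IEND":
            return data[pos:]  # a well-formed PNG ends here; anything else is suspect
    raise ValueError("no IEND chunk")


def inspect_image(data: bytes) -> dict:
    """Report trailing-byte count and whether the trailer looks like a script."""
    trailer = png_trailing_data(data)
    m = SCRIPT_TOKENS.search(trailer)
    return {"trailing_bytes": len(trailer),
            "script_like": m is not None,
            "token": m.group(0).decode() if m else None}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def build_sample_png(payload: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG; `payload`, if given, is appended after IEND."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\xff\xff\xff"))  # filter byte + one pixel
    return PNG_SIG + ihdr + idat + _chunk(b"IEND", b"") + payload


if __name__ == "__main__":
    print(inspect_image(build_sample_png()))
    print(inspect_image(build_sample_png(b'Set o = CreateObject("WScript.Shell")')))
```

Run the same check over an attachment sandbox's extracted images; a non-zero trailer on an otherwise valid image is worth alerting on even when no token matches.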
Other Attacks Linked to Threat Actor TA558
TA558 has also been observed deploying Venom RAT through phishing attacks targeting enterprises in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina. These attacks typically begin with phishing emails carrying Microsoft Excel attachments that exploit a patched security flaw (CVE-2017-11882) to download a Visual Basic Script, which ultimately executes the Agent Tesla malware. Beyond Agent Tesla, the attack chain may also deliver FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm, all designed for remote access, data theft, and secondary payload delivery.
To enhance credibility and evade email gateways, TA558 sends phishing emails from compromised SMTP servers, and it uses infected FTP servers to store stolen data. Meanwhile, another group, referred to as Lazy Koala by Positive Technologies, has been targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia with a malware known as LazyStealer, aimed at harvesting Google Chrome credentials.
This activity suggests potential connections to another hacking group, YoroTrooper (also known as SturgeonPhisher), as identified by Cisco Talos, based on victim geography and malware artifacts.