
SteganoAmor Unmasked: How TA558 Uses Steganography to Spread Malware Globally

Charles M. Walls | April 16, 2024 | Views: 204


A recent report from Russian cybersecurity firm Positive Technologies identifies a threat actor tracked as TA558 that uses steganography to conceal malware within seemingly innocuous files. The group embeds payloads such as Agent Tesla and LokiBot in images and text files, delivered through VBS scripts, PowerShell code, and RTF documents that exploit known vulnerabilities.

Dubbed SteganoAmor, this campaign employs romantic-sounding file names like greatloverstory.vbs to mask its malicious intent. It targets key industries across Latin America, including the industrial and energy sectors, but has also reached businesses in Russia, Romania, and Turkey. The breadth of these attacks highlights an expanding geographic footprint that includes the U.S., Brazil, and several European nations.

The initial breach often begins with a phishing email that delivers a rigged Microsoft Excel file. The file exploits a known vulnerability (CVE-2017-11882) in the Equation Editor to launch a multi-stage attack: the exploit retrieves a Visual Basic Script from an online paste service, and that script in turn downloads encoded images carrying malware such as Agent Tesla, which is designed to steal data and enable further intrusion into the network.
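The article does not say how the downloaded images carry their payload. A simple check a defender can run on images fetched by scripts is to look for bytes appended after the image's end-of-image marker, a layout in which the hidden content is simply concatenated (often as base64) to an otherwise valid picture. The following scanner is an added example for this page, not Positive Technologies' tooling; the appended-base64 layout it looks for is an assumption, not a description of TA558's actual encoding, and the sample images are constructed byte strings rather than real files.

```python
"""Scan a JPEG or PNG for data appended after its end-of-image marker.

Added illustration; the appended-base64 layout is an assumed stego
technique, not TA558's documented encoding.
"""
import base64
import re

JPEG_EOI = b"\xff\xd9"          # JPEG end-of-image marker
PNG_IEND = b"IEND\xaeB`\x82"    # PNG IEND chunk type followed by its fixed CRC
BASE64_CHARS = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def image_format(data: bytes):
    """Identify the container from its magic bytes; None if neither JPEG nor PNG."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    return None


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the last end marker of the image.

    The last occurrence is used because a legitimate JPEG can embed an EXIF
    thumbnail with its own FF D9. A binary payload that itself contains the
    marker would be under-measured but still flagged unless it ends exactly
    on the marker bytes.
    """
    fmt = image_format(data)
    if fmt is None:
        raise ValueError("not a JPEG or PNG")
    marker = JPEG_EOI if fmt == "jpeg" else PNG_IEND
    pos = data.rfind(marker)
    if pos == -1:
        # No terminator at all: the file is malformed, treat all of it as suspect.
        return data
    return data[pos + len(marker):]


def analyse(data: bytes) -> dict:
    """Summarise the trailing bytes and whether they decode as base64."""
    tail = trailing_data(data)
    compact = b"".join(tail.split())    # appended base64 is often line-wrapped
    decoded = None
    if compact and BASE64_CHARS.match(compact) and len(compact) % 4 == 0:
        try:
            decoded = base64.b64decode(compact, validate=True)
        except ValueError:
            decoded = None
    return {
        "format": image_format(data),
        "trailing_len": len(tail),
        "looks_base64": decoded is not None,
        "decoded_len": len(decoded) if decoded is not None else 0,
        "suspicious": len(tail) > 0,
    }


# Constructed samples: a minimal JPEG-shaped byte string (not a renderable
# picture) and the same bytes with a base64 blob appended after the EOI marker.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI
SAMPLE_PAYLOAD = b"CONSTRUCTED SAMPLE PAYLOAD"   # stands in for hidden content
STEGO_JPEG = CLEAN_JPEG + b"\n" + base64.b64encode(SAMPLE_PAYLOAD) + b"\n"
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00" + PNG_IEND

if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN_JPEG), ("stego.jpg", STEGO_JPEG), ("clean.png", CLEAN_PNG)):
        print(name, analyse(blob))
```

Flagging any non-empty trailer is deliberately noisy: some camera and editing software writes harmless metadata after the marker, so the result is a triage signal that should be paired with the download's context (fetched by a script spawned from Excel, for instance) rather than a verdict on its own.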

The phishing effort itself is sophisticated: the emails are sent through legitimate but compromised SMTP servers to avoid detection by email security gateways. The threat actor has also used compromised FTP servers for data exfiltration, underscoring the multifaceted nature of its operations.

This revelation is part of a broader surge in phishing activities targeting government bodies across Eastern Europe and Central Asia with malware such as LazyStealer, which is primarily focused on pilfering credentials from browsers like Google Chrome. Positive Technologies has named this activity cluster Lazy Koala, attributed to an operator managing data theft via Telegram bots.

The same report suggests connections to another group known as YoroTrooper, or SturgeonPhisher, which specializes in similar data theft tactics. Security expert Vladislav Lunin points out that these groups increasingly rely on messaging platforms like Telegram to manage stolen information, reflecting a trend in cybercriminal communication methods.

This series of disclosures underscores the ongoing challenge of social engineering attacks, which continue to evolve and spread sophisticated malware strains such as FatalRAT and SolarMarker, further complicating the cybersecurity landscape.
