Cybercriminals have been caught embedding harmful code within images to distribute malware such as VIP Keylogger and 0bj3ctivity Stealer in two distinct attack campaigns.
“Both operations relied on concealing malicious scripts in images hosted on archive[.]org, a file-sharing platform, and used an identical .NET loader to execute the final malware payload,” stated HP Wolf Security in its Q3 2024 Threat Insights Report, shared with The Hacker News.
Attack Vector: From Phishing Emails to Malicious Images
The campaigns originate with phishing emails disguised as invoices or purchase orders, designed to entice recipients into opening booby-trapped attachments. These attachments, often Excel files, exploit a vulnerability in Microsoft’s Equation Editor (CVE-2017-11882) to deliver a malicious VBScript file.
The VBScript decodes and executes a PowerShell script, which downloads an image file from archive[.]org. The image carries Base64-encoded code, which the script extracts and decodes into a .NET executable that then runs to load the final payload.
The payload, in one campaign, deploys VIP Keylogger, a sophisticated spying tool capable of harvesting extensive data, including:
- Keystrokes
- Clipboard activity
- Screenshots
- Login credentials
VIP Keylogger bears similarities to Snake Keylogger and 404 Keylogger, sharing overlapping functionalities.
A Parallel Campaign: Deployment of 0bj3ctivity Stealer
In a related campaign, attackers distribute malicious archive files via phishing emails that masquerade as quotation requests. These archives include JavaScript files that, once executed, launch a PowerShell script.
Similar to the first campaign, the PowerShell script retrieves an image containing Base64-encoded code. This code is then processed by the same .NET loader, ultimately delivering the 0bj3ctivity information stealer.
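Both chains described above hinge on the same artifact: an image file that carries a Base64-encoded .NET executable. The following detection routine is an added example, not code from the report or from HP Wolf Security; it assumes the encoded payload sits as one contiguous Base64 run somewhere in the image bytes, decodes every such run, and flags those that begin with a valid MZ/PE header. The sample image and the stand-in PE blob are constructed inline.

```python
import base64
import re
import struct

# A Base64 run shorter than this is unlikely to carry a PE image; tune per environment.
MIN_RUN = 256
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)


def _looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(data: bytes) -> list:
    """Return (byte_offset, decoded_length) for each Base64 run that decodes to a PE image."""
    hits = []
    for m in _B64_RUN.finditer(data):
        core = m.group(0).rstrip(b"=")
        core = core[: len(core) - len(core) % 4]  # drop a trailing partial quartet
        try:
            decoded = base64.b64decode(core, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if _looks_like_pe(decoded):
            hits.append((m.start(), len(decoded)))
    return hits


def _fake_pe() -> bytes:
    """Constructed stand-in for a .NET loader: MZ header, e_lfanew=0x40, PE signature, filler."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 200


# Constructed samples: a JPEG-like byte string, and the same bytes with a Base64 PE appended.
SAMPLE_CLEAN = b"\xff\xd8\xff\xe0JFIF\x00" + bytes(range(256)) * 2 + b"\xff\xd9"
SAMPLE_TAINTED = SAMPLE_CLEAN + b"\n" + base64.b64encode(_fake_pe())

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("tainted", SAMPLE_TAINTED)):
        print(name, find_embedded_pe(sample))
```

Because the check decodes and validates a real PE header rather than matching a string, it survives trivial re-encoding of the payload, but it will miss a payload split into several short runs or wrapped in a second encoding layer.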
The use of shared techniques and tools in both campaigns highlights the increasing adoption of malware kits by cybercriminals. Such kits streamline the attack process, reducing both the technical knowledge and time required to execute sophisticated operations.
Evolving Tactics: HTML Smuggling and GenAI
HP Wolf Security also identified HTML smuggling techniques employed by attackers to distribute the XWorm Remote Access Trojan (RAT) using an AutoIt-based dropper. This method mirrors earlier campaigns where AsyncRAT was delivered through similar mechanisms.
A notable revelation was the presence of GenAI-generated HTML files, underscoring the growing reliance on artificial intelligence to enhance malware campaigns. GenAI’s capabilities allow attackers to:
- Scale attacks efficiently
- Create diverse attack variations, increasing infection success rates
- Complicate attribution and detection efforts for security teams
Cybercrime Commodification: Malware Kits and Beyond
Adding to the threat landscape, researchers observed attackers leveraging GitHub repositories falsely promoting game cheats and modding tools. These repositories acted as a front for deploying the Lumma Stealer malware via a .NET-based dropper.
“This proliferation of malware-as-a-service underscores the commodification of cybercrime,” noted Alex Holland, principal threat researcher at HP Security Lab. “With affordable and user-friendly malware kits now widely accessible, even low-skilled individuals can assemble effective attack chains.”
Conclusion
The campaigns illustrate a troubling trend in the cybercrime ecosystem, where advanced techniques like image-based malware delivery, HTML smuggling, and AI-assisted tools are becoming mainstream. As such tactics become increasingly accessible, organizations must fortify their defenses and remain vigilant against evolving threats.