Father
Professional
What guided hackers when they came up with such unusual names for their malicious scripts?
The TA558 cybercrime group has recently significantly increased its malicious activity, attacking organizations around the world using various types of malicious software. Experts from Positive Technologies found more than 320 attacks carried out by this group.
The TA558 group uses complex infection chains that include tools such as AgentTesla, FormBook, Remcos, and others. A distinctive feature of these hackers' attacks is the use of steganography: hiding malicious code in images and text files.
Attacks start with phishing emails containing Microsoft Office documents that exploit the CVE-2017-11882 vulnerability. This security flaw was fixed back in 2017, but it still remains a popular target for hackers due to the presence of a huge number of non-updated copies of Microsoft Office.
If an outdated version of Microsoft Office is installed on your computer, the exploit downloads a Visual Basic script, which in turn downloads an image with embedded malicious code. Then, using PowerShell, the final malicious payload is extracted from this image and executed.
It is noteworthy that the documents and scripts used in the attacks often had names related to love themes, such as "greatloverstory.vbs", "easytolove.vbs" and even "iaminlovewithsomeoneshecuteandtrulyyoungunluckyshenotundersatnd_howmuchiloveherbutitsallgreatwithtrueloveriamgivingyou.doc". That is why the researchers gave the campaign the name "SteganoAmor".
Attackers often use legitimate cloud services, such as Google Drive, to store malicious files, which helps them avoid detection by antivirus tools. Stolen information is transmitted through compromised legitimate FTP and SMTP servers, which makes traffic less suspicious.
The analysis showed that the main targets of cybercriminals were organizations from Latin America, although attacks were also recorded in North America and Western Europe. The victims include representatives of various economic sectors, including government agencies and private companies.
In one of the cases examined, attackers sent an email with a malicious attachment, disguising it as an Excel document. After opening the file, the user unwittingly runs a macro that downloads and executes AgentTesla malware. This program can steal data from browsers, email clients, and remote access systems.
Given the use of legitimate servers to spread phishing and the operation of C2 servers, experts strongly recommend that organizations carefully check emails with attachments, even if they come from well-known or government organizations.
The SteganoAmor campaign demonstrates that cyber threats are becoming more sophisticated and difficult to detect. It is important to regularly update antivirus programs and conduct security audits to identify and neutralize potential threats in a timely manner.
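The image trick described above works by appending the encoded stage after the picture's real end-of-file marker, so the file still opens as an image while the script carves the payload out of the tail. Below is an added defender-side example (not code from the Positive Technologies report or from the campaign itself) that flags images carrying such trailing data; the image skeletons and the fake PE stub are constructed samples, and the base64-run length threshold is an assumption.

```python
import base64
import re

# End-of-image markers; anything after them is not part of the picture.
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG, PNG_IEND = b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"
# A long base64 run in the tail (assumed threshold); "TVqQ" is how an "MZ" PE header looks in base64.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

def trailing_data(blob: bytes) -> bytes:
    """Bytes that follow the image's terminal marker (empty if none or unknown format)."""
    if blob.startswith(JPEG_SOI):
        end = blob.rfind(JPEG_EOI)  # rfind: EXIF thumbnails carry their own EOI
        return blob[end + 2:] if end != -1 else b""
    if blob.startswith(PNG_SIG):
        end = blob.find(PNG_IEND)   # IEND appears exactly once in a valid PNG
        return blob[end + len(PNG_IEND):] if end != -1 else b""
    return b""

def analyze_image(blob: bytes) -> dict:
    """Classify an image by what, if anything, is appended after its end marker."""
    tail = trailing_data(blob).strip()
    result = {"trailing_bytes": len(tail), "base64_run": False, "verdict": "clean"}
    if not tail:
        return result
    result["verdict"] = "trailing data"
    run = B64_RUN.search(tail)
    if run:
        result["base64_run"] = True
        result["verdict"] = "embedded base64 blob"
        head = base64.b64decode(run.group(0)[:64])  # 64 chars -> 48 bytes, no padding needed
        if head.startswith(b"MZ"):
            result["verdict"] = "embedded PE payload"
    return result

# Constructed samples (not real campaign files): a minimal JPEG skeleton, clean and with a
# base64-encoded fake PE stub appended after the EOI marker, plus a minimal PNG.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 200
STEGO_JPEG = CLEAN_JPEG + b"\r\n" + base64.b64encode(FAKE_PE)
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00" + PNG_IEND

if __name__ == "__main__":
    for name, blob in [("clean.jpg", CLEAN_JPEG), ("stego.jpg", STEGO_JPEG), ("clean.png", CLEAN_PNG)]:
        print(name, analyze_image(blob))
```

Run it over the images a mail gateway or proxy has already downloaded; a picture with a long base64 run in its tail is worth quarantining even before the decoded content is identified.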