SteganoAmor Attack Operation Uses Images to Spread Malware


The threat group known as TA558 has been observed employing steganography, a technique of concealing data within images and text files, to distribute various types of malware including Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm.

Russian cybersecurity firm Positive Technologies reported on Monday that TA558 extensively uses steganography, embedding malicious scripts and documents inside images and text files with filenames such as greatloverstory.vbs and easytolove.vbs. The campaign, dubbed SteganoAmor, primarily targets the industrial, services, public, electric power, and construction sectors in Latin American countries, although companies in Russia, Romania, and Turkey have also been affected.
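One way a defender can triage this kind of image-borne delivery is to check whether an image carries data past its end-of-image marker, a common place to hide a script inside an otherwise valid picture. The following is an added example, not code from the Positive Technologies report; that TA558 used this exact trailing-data form is an assumption (the report only says scripts were embedded), and the sample images and keyword hints are constructed.

```python
import re
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"  # zero-length IEND chunk + its CRC
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Constructed keyword hints for script-like trailers; tune to your environment.
SCRIPT_HINTS = re.compile(rb"CreateObject|WScript|powershell|cmd(\.exe)?\s*/c|<script", re.I)


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the image's end marker (b'' if none or unknown format)."""
    if data.startswith(PNG_SIG):
        end = data.find(PNG_IEND)
        return data[end + len(PNG_IEND):] if end != -1 else b""
    if data.startswith(JPEG_SOI):
        pos = 2
        # Walk the marker segments up to Start-Of-Scan. APPn/EXIF segments may hold
        # a thumbnail with its own EOI, so a naive search for FF D9 would stop early.
        while pos + 4 <= len(data) and data[pos] == 0xFF:
            if data[pos + 1] == 0xDA:  # SOS: entropy-coded image data follows
                break
            (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + seglen
        end = data.find(JPEG_EOI, pos)  # first EOI after SOS is the real one
        return data[end + 2:] if end != -1 else b""
    return b""


def inspect_image(data: bytes) -> dict:
    """Summarise trailing data: how long it is and whether it looks like a script."""
    trailer = trailing_bytes(data)
    return {"trailer_len": len(trailer), "script_like": bool(SCRIPT_HINTS.search(trailer))}


# Constructed samples (not real images, just enough structure for the parser).
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + PNG_IEND
TRAILER = b"' constructed trailer\r\nSet o = CreateObject(\"WScript.Shell\")\r\n"
STEGO_PNG = CLEAN_PNG + TRAILER
_APP1 = b"\xff\xe1\x00\x0c" + b"Exif\x00\x00" + JPEG_SOI + JPEG_EOI  # EXIF thumbnail with EOI
_SOS = b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56"
CLEAN_JPEG = JPEG_SOI + _APP1 + _SOS + JPEG_EOI
STEGO_JPEG = CLEAN_JPEG + TRAILER

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("stego.png", STEGO_PNG),
                       ("clean.jpg", CLEAN_JPEG), ("stego.jpg", STEGO_JPEG)]:
        print(name, inspect_image(blob))
```

Trailing bytes alone are not proof of malice (some tools append metadata), so treat a hit as a triage signal and pull the file for closer inspection.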

Other Attacks Linked to Threat Actor TA558

TA558 has also been observed deploying Venom RAT through phishing attacks targeting enterprises in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina. These attacks typically begin with phishing emails carrying Microsoft Excel attachments that exploit a patched security flaw (CVE-2017-11882) to download a Visual Basic Script, ultimately leading to the execution of Agent Tesla malware. In addition to Agent Tesla, the attack chain may also deliver FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm, all designed for remote access, data theft, and secondary payload delivery.

To enhance credibility and evade email gateways, TA558 sends phishing emails from compromised SMTP servers, and it uses infected FTP servers to store stolen data. Meanwhile, another group, referred to as Lazy Koala by Positive Technologies, has been targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia with a malware known as LazyStealer, aimed at harvesting Google Chrome credentials.

This activity suggests potential connections to another hacking group, YoroTrooper (also known as SturgeonPhisher), as identified by Cisco Talos, based on victim geography and malware artifacts.

April 17, 2024