- Researchers say criminals hide malware in images hosted on reputable websites.
- At least two different groups were seen deploying two types of information thieves.
- Campaigns Abuse Old Excel Flaw, HP Wolf Security Says
Hackers hide malware in website images to go undetected and compromise as many computers as possible, experts have warned.
A new Threat Insights report from HP Wolf Security, based on data from millions of endpoints, states that there are currently large active campaigns spreading VIP Keylogger and 0bj3ctivityStealer. Since both use the same techniques and loaders, researchers suspect that two groups are using the same malware kits to deliver different payloads.
“In both campaigns, the attackers concealed the same malicious code in images on file-hosting websites such as archive.org, as well as using the same loader to install the final payload,” the researchers explained. “These techniques help attackers evade detection as image files appear benign when downloaded from known websites, bypassing network security such as web proxy servers that rely on reputation.”
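The report does not say how the code was concealed inside the image files. One common technique, assumed here, is to append the payload after the image's end-of-stream marker: viewers and reputation-based proxies still see a valid picture, while a loader that already knows the offset reads the bytes after it. The following added example (not code from HP Wolf Security or from the article) walks PNG chunks and JPEG marker segments to find where the image really ends and flags any trailing bytes. The sample images and the trailer are constructed inline.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the IEND chunk, or None if the PNG is malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                      # header + body + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker, or None if the marker stream is malformed."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                            # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:                         # fill byte
            pos += 1
            continue
        if marker == 0xD9:                         # EOI: real end of image
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                         # SOS: skip entropy-coded data up to the next true marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def inspect_image(data: bytes) -> dict:
    """Classify the file and report how many bytes follow the image's true end."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        return {"format": "unknown", "end_offset": None, "trailing_bytes": 0,
                "suspicious": False, "reason": "not png/jpeg"}
    if end is None:
        return {"format": fmt, "end_offset": None, "trailing_bytes": 0,
                "suspicious": True, "reason": "truncated or malformed structure"}
    trailing = len(data) - end
    return {"format": fmt, "end_offset": end, "trailing_bytes": trailing,
            "suspicious": trailing > 0,
            "reason": "data after end-of-image marker" if trailing else "clean"}


# --- constructed samples (not real campaign artifacts) -----------------------

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png_1x1() -> bytes:
    """Constructed 1x1 greyscale PNG: one scanline = filter byte + one pixel byte."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _png_chunk(b"IEND", b""))


# Constructed minimal JPEG marker stream: SOI, APP0, SOS with a few entropy bytes
# (including a stuffed 0xFF 0x00), then EOI. Not a decodable picture, but structurally valid.
SAMPLE_JPEG = (JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
               + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")

# Constructed placeholder standing in for appended content; it is not malware.
CONSTRUCTED_TRAILER = b"CONSTRUCTED-TRAILER:" + b"\x00" * 32


if __name__ == "__main__":
    for label, blob in (("clean png", build_png_1x1()),
                        ("png + trailer", build_png_1x1() + CONSTRUCTED_TRAILER),
                        ("clean jpeg", SAMPLE_JPEG),
                        ("jpeg + trailer", SAMPLE_JPEG + CONSTRUCTED_TRAILER)):
        print(f"{label:15s} {inspect_image(blob)}")
```

Trailing bytes are a heuristic, not proof: some cameras and editors leave harmless data after EOI, so this check belongs in a triage pipeline that feeds the trailer to further inspection (entropy, file-type magic, detonation) rather than blocking on its own.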
Throw GenAI into the mix
The attack begins with a phishing email posing as an invoice or purchase order. The attached file is typically an Excel document designed to exploit CVE-2017-11882, an old bug in the Equation Editor, to download a VBScript file.
Alex Holland, principal threat researcher at HP Security Lab, said phishing kits, combined with generative AI (GenAI) tools, have significantly lowered the barrier to entry, exacerbating the ever-present risk of malware: “This allows groups to focus on deceiving their targets and choosing the best payload for the job, for example, targeting players with malicious cheat repositories.”
Talking about GenAI, researchers said that bad actors are using it to create malicious HTML documents. They also identified an XWorm Remote Access Trojan (RAT) campaign initiated by HTML smuggling, which contained malicious code that downloads and executes the malware.
The loader had clearly been written with AI, they added, as it included a line-by-line description of the code and of the HTML page's layout.
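HTML smuggling works by carrying the payload inside the HTML document itself (typically as a base64 string) and having the browser assemble and save it locally, so no file download ever crosses the network as a file. The added example below (not code from HP Wolf Security or from the article) is a defender-side triage heuristic: it looks for the browser APIs that pattern needs, decodes any long base64 literal, and checks the result for executable or archive magic bytes. The sample HTML and the fake archive header are constructed inline; the indicator names and scoring rule are this example's own choices.

```python
import base64
import re

# API usage that client-side file assembly needs; each is benign on its own,
# which is why the verdict below requires a combination.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*="),
    "legacy_save": re.compile(r"msSaveOrOpenBlob"),
}
# Quoted base64 runs long enough to plausibly hold a file rather than an icon or token.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
FILE_MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"\x7fELF": "elf", b"%PDF": "pdf"}


def decoded_payload_types(html: str) -> list:
    """Decode every long base64 literal and name any recognised file type it starts with."""
    found = []
    for literal in B64_LITERAL.findall(html):
        try:
            blob = base64.b64decode(literal, validate=True)
        except ValueError:          # not valid base64 after all (binascii.Error subclasses ValueError)
            continue
        for magic, name in FILE_MAGIC.items():
            if blob.startswith(magic):
                found.append(name)
                break
    return found


def analyze_html(html: str) -> dict:
    """Score an HTML document for smuggling indicators; returns hits, payload types and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = decoded_payload_types(html)
    assembles_file = "blob_constructor" in hits or "legacy_save" in hits
    suspected = assembles_file and (len(hits) >= 3 or bool(payloads))
    return {"indicators": hits, "payload_types": payloads, "smuggling_suspected": suspected}


# --- constructed samples (not real campaign artifacts) -----------------------

# Constructed: zip magic followed by padding, so the decoder recognises it; it is not a real archive.
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 160

# Constructed page that mirrors the generic smuggling pattern: embedded base64,
# client-side decode into a Blob, then a programmatic download.
SAMPLE_HTML = (
    "<html><body><script>\n"
    "var data = '" + base64.b64encode(FAKE_ZIP).decode() + "';\n"
    "var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob); a.download = 'invoice.zip';\n"
    "</script></body></html>\n"
)

# Constructed benign page: an ordinary server-side link, nothing assembled in the browser.
BENIGN_HTML = ("<html><body><p>Quarterly invoice attached.</p>"
               "<a href='/files/invoice.pdf'>Download</a></body></html>")


if __name__ == "__main__":
    print("sample:", analyze_html(SAMPLE_HTML))
    print("benign:", analyze_html(BENIGN_HTML))
```

Because the payload never arrives as a discrete file, this is the kind of check that has to run on the HTML body at the mail gateway or in browser isolation, where the document is still visible as text; a proxy that only inspects file downloads sees nothing. Obfuscated scripts will defeat the plain regexes, so treat a clean result as "no obvious indicators", not as safe.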
Both VIP Keylogger and 0bj3ctivityStealer are information-stealing malware that log and leak sensitive information such as passwords, cryptocurrency wallet information, sensitive files, and more.