The threat actor tracked as TA558 has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others.
“The group made extensive use of steganography by sending VBS, PowerShell code and RTF documents with an embedded exploit, inside images and text files,” Russian cybersecurity firm Positive Technologies said in a Monday report.
The campaign was codenamed SteganoAmor due to its reliance on steganography and choice of file names such as Greatloverstory.vbs and easytolove.vbs.
Most of the attacks targeted the industrial, service, public, power and construction sectors in Latin American countries, although companies located in Russia, Romania and Turkey were also identified.
The development comes as TA558 was also spotted distributing Venom RAT via phishing attacks targeting companies located in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic and Argentina.
It all starts with a phishing email carrying a booby-trapped Microsoft Excel attachment that exploits a now-patched security flaw in Equation Editor (CVE-2017-11882) to download a Visual Basic script, which in turn retrieves the next-stage payload from paste[.]ee.
The obfuscated malicious code then downloads two images from an external URL. The images come with a Base64-encoded component embedded in them that ultimately fetches and executes the Agent Tesla malware on the compromised host.
In addition to Agent Tesla, other variants of the attack chain have delivered an assortment of malware such as FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm, designed for remote access, data theft, and secondary payload delivery.
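The detail worth operationalising from the chain above is that the "image" is only a carrier: the Base64-encoded stage is appended as text that the downloader script carves back out, so the file still renders as a picture while carrying bytes the decoder never needs. The scanner below is an added example written for this article, not code from the report or from Positive Technologies. It checks two things a practitioner can verify offline: whether a PNG or JPEG has data past its end-of-image marker, and whether any long Base64 run in the file decodes to something that looks like a PE file or a script. The marker strings, the stand-in dropper text, the keyword list and the 1x1 PNG are all constructed for the demo; the campaign's real markers and payloads are not reproduced here.

```python
import base64
import re
import struct
import zlib

# Constructed detector for Base64 payloads smuggled inside image files.
# Nothing below is taken from the reported campaign: the markers, the
# stand-in dropper and the keyword list are assumptions made for the demo.

# A Base64 run long enough to be a payload rather than an EXIF field.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

# Assumed indicators of a decoded stage; extend for the scripts you see.
SCRIPT_KEYWORDS = (
    b"createobject(", b"wscript.shell", b"powershell", b"downloadstring(",
    b"invoke-expression", b"iex(", b"frombase64string",
)


def image_end_offset(data):
    """Offset where the renderable image ends, or None for unknown formats.
    PNG: just after the IEND chunk (4-byte type + 4-byte CRC).
    JPEG: just after the first End-Of-Image marker (FF D9).
    Bytes beyond that point are never needed to display the picture."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        idx = data.find(b"IEND")
        return None if idx == -1 else idx + 8
    if data.startswith(b"\xff\xd8"):
        idx = data.find(b"\xff\xd9")
        return None if idx == -1 else idx + 2
    return None


def decode_candidates(blob):
    """Yield the decoded bytes of every long, valid Base64 run in blob."""
    for match in BASE64_RUN.finditer(blob):
        try:
            yield base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def classify(decoded):
    """Label a decoded run as 'pe', 'script', or None if it looks benign."""
    if decoded[:2] == b"MZ":
        return "pe"
    lowered = decoded.lower()
    if any(kw in lowered for kw in SCRIPT_KEYWORDS):
        return "script"
    return None


def scan_image(data):
    """Return trailing-byte count and classified embedded payloads."""
    end = image_end_offset(data)
    result = {"format_known": end is not None, "trailing_bytes": 0, "payloads": []}
    if end is not None:
        result["trailing_bytes"] = len(data) - end
    for decoded in decode_candidates(data):
        kind = classify(decoded)
        if kind:
            result["payloads"].append((kind, len(decoded)))
    # Assumed threshold: a little trailing padding is common, kilobytes are not.
    result["suspicious"] = bool(result["payloads"]) or result["trailing_bytes"] > 64
    return result


def make_png_1x1():
    """Build a valid 1x1 RGB PNG in memory so the demo needs no sample file."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + 1 pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


# Constructed stand-in for a second-stage VBS; it only echoes text.
FAKE_DROPPER = (
    b"' constructed stand-in for the second-stage script, harmless\n"
    b"Set sh = CreateObject(\"WScript.Shell\")\n"
    b"sh.Run \"cmd /c echo constructed sample, nothing fetched\", 0, True\n"
    b"' padding so the Base64 run is long enough to trip the detector\n" * 2
)

# Assumed markers; the script that carves the stage would search for these.
TAINTED_PNG = (make_png_1x1() + b"<<BASE64_START>>"
               + base64.b64encode(FAKE_DROPPER) + b"<<BASE64_END>>")

if __name__ == "__main__":
    print("clean  :", scan_image(make_png_1x1()))
    print("tainted:", scan_image(TAINTED_PNG))
```

Run it on a quarantined sample with `scan_image(open(path, "rb").read())`. The trailing-bytes check is the cheaper signal and survives an attacker switching encodings; the Base64 check is what lets you pull the stage for analysis. Both are heuristics: some legitimate JPEGs carry trailing metadata, so tune the threshold against your own image population before alerting on it.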
Phishing emails are sent from legitimate but compromised SMTP servers to lend the messages credibility and minimize the chances of them being blocked by email gateways. TA558 was also found to use compromised FTP servers to stage the stolen data.
The disclosure comes amid a series of phishing attacks against government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan and Armenia with malware called LazyStealer to harvest credentials from Google Chrome.
Positive Technologies monitors the cluster of activity under the name Lazy Koala in reference to the name of the user (joekoala), who is said to control the Telegram bots that receive the stolen data.
That said, the victim’s geography and malware artifacts point to potential links to another hacker group monitored by Cisco Talos under the name YoroTrooper (aka SturgeonPhisher).
“The group’s main tool is a primitive stealer, whose protection helps to evade detection, slow down analysis, grab all the stolen data and send it to Telegram, which has been gaining popularity among malicious actors year after year,” said security researcher Vladislav Lunin.
The findings also follow a wave of social engineering campaigns designed to spread malware families such as FatalRAT and SolarMarker.