TA558黑客利用图像进行大规模恶意软件攻击

The threat actor tracked as TA558 has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others.

威胁行为者 TA558 被发现利用隐写术作为一种混淆技术，用于传递各种恶意软件，如 Agent Tesla、FormBook、 Remcos RAT、 LokiBot、 GuLoader、 Snake Keylogger 和 XWorm 等。

"The group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside images and text files," Russian cybersecurity company Positive Technologies said in a Monday report.

俄罗斯网络安全公司 Positive Technologies 在周一的报告中表示：“该组织广泛利用隐写术，将 VBS、PowerShell 代码以及带有内嵌漏洞的 RTF 文档藏在图像和文本文件中。”

The campaign has been codenamed SteganoAmor for its reliance on steganography and the choice of file names such as greatloverstory.vbs and easytolove.vbs.

该活动被命名为 SteganoAmor，因为它依赖隐写术并选择诸如 greatloverstory.vbs 和 easytolove.vbs 等文件名。

A majority of the attacks have targeted industrial, services, public, electric power, and construction sectors in Latin American countries, although companies located in Russia, Romania, and Turkey have also been singled out.

大多数攻击针对拉丁美洲国家的工业、服务、公共、电力和建筑部门，尽管俄罗斯、罗马尼亚和土耳其的公司也成为目标。

The development comes as TA558 has also been spotted deploying Venom RAT via phishing attacks aimed at enterprises located in Spain, Mexico, the United States, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.

TA558 还被发现通过针对西班牙、墨西哥、美国、哥伦比亚、葡萄牙、巴西、多米尼加共和国和阿根廷的企业的网络钓鱼攻击部署 Venom RAT。

It all starts with a phishing email containing a booby-trapped email Microsoft Excel attachment that exploits a now-patched security flaw in Equation Editor (CVE-2017-11882) to download a Visual Basic Script that, in turn, fetches the next-stage payload from paste[.]ee.

一切都始于一封包含陷阱的 Microsoft Excel 附件的网络钓鱼邮件，利用了现已修补的 Equation Editor 安全漏洞 (CVE-2017-11882)，以下载一个 Visual Basic Script，然后从 paste[.]ee 获取下一个阶段的载荷。

The obfuscated malicious code takes care of downloading two images from an external URL that come embedded with a Base64-encoded component that ultimately retrieves and executes the Agent Tesla malware on the compromised host.

混淆的恶意代码负责从外部 URL 下载两个图像，这些图像包含一个 Base64 编码的组件，最终在受感染的主机上检索并执行 Agent Tesla 恶意软件。

Beyond Agent Tesla, other variants of the attack chain have led to an assortment of malware such as FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm, which are designed for remote access, data theft, and delivery of secondary payloads.

除 Agent Tesla 外，攻击链的其他变体导致一系列恶意软件，例如 FormBook、GuLoader、LokiBot、 Remcos RAT、 Snake Keylogger 和 XWorm，这些软件旨在实现远程访问、数据窃取和传递次级载荷。

The phishing emails are sent from legitimate-but-compromised SMTP servers to lend the messages a little credibility and minimize the chances of them getting blocked by email gateways. In addition, TA558 has been found to use infected FTP servers to stage the stolen data.

这些网络钓鱼邮件是从合法但受感染的 SMTP 服务器发送的，以使消息更具可信度，并最大程度地减少它们被电子邮件网关阻止的机会。此外，已发现 TA558 使用感染的 FTP 服务器来存储被盗数据。

The disclosure comes against the backdrop of a series of phishing attacks targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia with a malware dubbed LazyStealer to harvest credentials from Google Chrome.

这一披露发生在一系列针对俄罗斯、白俄罗斯、哈萨克斯坦、乌兹别克斯坦、吉尔吉斯斯坦、塔吉克斯坦和亚美尼亚政府组织的网络钓鱼攻击背景下，这些攻击利用一种名为 LazyStealer 的恶意软件从 Google Chrome 中收集凭据。

Positive Technologies is tracking the activity cluster under the name Lazy Koala in reference to the name of the user (joekoala), who is said to control the Telegram bots that receive the stolen data.

Positive Technologies 正在跟踪该活动集群，命名为 Lazy Koala，以参考用户名称 joekoala，据称该用户控制接收被盗数据的 Telegram 机器人。

That said, the victim geography and the malware artifacts indicate potential links to another hacking group tracked by Cisco Talos under the name YoroTrooper (aka SturgeonPhisher).

话虽如此，受害者地理位置和恶意软件迹象表明可能与另一个由 Cisco Talos 跟踪的黑客组织有关，该组织被称为 YoroTrooper（又名 SturgeonPhisher）。

"The group's main tool is a primitive stealer, whose protection helps to evade detection, slow down analysis, grab all the stolen data, and send it to Telegram, which has been gaining popularity with malicious actors by the year," security researcher Vladislav Lunin said.

安全研究人员 Vladislav Lunin 表示：“该组织的主要工具是一种原始的窃取者，其保护有助于规避检测、减慢分析、获取所有被盗数据并将其发送到 Telegram，这种方式已经受到恶意行为者年复一年的青睐。”

The findings also follow a wave of social engineering campaigns that are designed to propagate malware families like FatalRAT and SolarMarker.

这些发现也跟随一波旨在传播诸如 FatalRAT 和 SolarMarker 等恶意软件系列的社会工程活动。

参考资料

[1]https://thehackernews.com/2024/04/ta558-hackers-weaponize-images-for-wide.html

关注我们

        欢迎来到我们的公众号！我们专注于全球网络安全和精选双语资讯，为您带来最新的资讯和深入的分析。在这里，您可以了解世界各地的网络安全事件，同时通过我们的双语新闻，获取更多的行业知识。感谢您选择关注我们，我们将继续努力，为您带来有价值的内容。

原文始发于微信公众号（知机安全）：TA558黑客利用图像进行大规模恶意软件攻击