TA558's "SteganoAmor" Uses Steganography Targeting Unpatched MS Office Apps

Steganography is the practice of concealing a message, digital data or other information within another medium, typically an image, so that an observer does not notice that anything is hidden at all. Unlike cryptography, which makes a message unintelligible to unauthorized parties, steganography hides the existence of the message itself; the two are complementary and are often combined.

Steganography dates back to ancient times, with early examples including the use of invisible ink or hiding messages within wax tablets. Other techniques include writing secret messages on the underside of postage stamps or encoding information in the patterns of knitting.

Digital steganography exploits the redundancy in multimedia files (images, audio, video) and can even use plain-text files. Common techniques embed data in the least significant bits of pixel or sample values, or in imperceptible variations in colour, sound or timing. In practice, many malware campaigns use a much cruder form of "steganography": the payload is simply base64-encoded and appended to, or embedded inside, an image file that is never actually rendered. Either way, steganography lets attackers covertly deliver malware or exfiltrate stolen data via seemingly innocent files.
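The least-significant-bit technique described above, as an added example that is not code from the article or from the SteganoAmor campaign. It works on a constructed bytearray of 8-bit grayscale pixel values rather than a real image file, so it runs without an imaging library; the function names (embed_lsb, extract_lsb, lsb_bias, max_pixel_delta) and the sample cover and payload are this example's own.

```python
"""LSB steganography on a raw 8-bit pixel buffer.

Added illustrative example; not code from the article or the SteganoAmor
campaign. The "image" is a constructed bytearray of grayscale pixel values,
not a real file, so the example runs offline with no imaging library.
"""


def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Hide payload in the least significant bit of successive pixels.

    A 4-byte big-endian length prefix is written first so the extractor
    knows how many bits to read back. Each pixel changes by at most 1,
    which is invisible to the eye in a real photograph.
    """
    message = len(payload).to_bytes(4, "big") + payload
    needed_bits = len(message) * 8
    if needed_bits > len(pixels):
        raise ValueError(f"cover too small: need {needed_bits} pixels, have {len(pixels)}")
    out = bytearray(pixels)
    bit_index = 0
    for byte in message:
        for shift in range(7, -1, -1):          # MSB first within each byte
            bit = (byte >> shift) & 1
            out[bit_index] = (out[bit_index] & 0xFE) | bit
            bit_index += 1
    return out


def _read_lsb_bytes(pixels: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at pixel start_bit."""
    result = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[start_bit + i * 8 + j] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(pixels: bytes) -> bytes:
    """Recover a payload written by embed_lsb (length prefix, then data)."""
    if len(pixels) < 32:
        raise ValueError("cover too small to hold a length prefix")
    length = int.from_bytes(_read_lsb_bytes(pixels, 0, 4), "big")
    if (4 + length) * 8 > len(pixels):
        raise ValueError("length prefix exceeds cover size; probably no LSB payload")
    return _read_lsb_bytes(pixels, 32, length)


def lsb_bias(pixels: bytes) -> float:
    """Fraction of pixels whose LSB is 1: a crude steganalysis signal.

    Real steganalysis (chi-square, RS analysis) is more subtle, but the idea
    is the same: embedding pushes LSB statistics toward those of the payload.
    """
    return sum(p & 1 for p in pixels) / len(pixels)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between two equally sized buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed 64x64 cover: a smooth gradient with even values only, so every
# LSB starts at 0 and the statistical shift caused by embedding is obvious.
COVER = bytes((x + y) & 0xFE for y in range(64) for x in range(64))
SECRET = b"constructed secret payload"   # stand-in for a hidden message

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print("recovered :", extract_lsb(stego))
    print("max delta :", max_pixel_delta(COVER, stego))
    print("LSB bias  : cover=%.3f stego=%.3f" % (lsb_bias(COVER), lsb_bias(stego)))
```

The cover is deliberately contrived (all LSBs zero) so that the statistical footprint of embedding is visible in lsb_bias; on a real photograph the LSB plane is already close to random, which is exactly why naive LSB embedding is hard to spot by eye and why detection relies on statistical tests rather than visual inspection.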

Overall, steganography poses a significant challenge to cybersecurity professionals due to its ability to conceal malicious activities and evade detection. As cyber threats continue to evolve, understanding and mitigating the risks associated with steganography remains crucial for safeguarding digital assets and sensitive information.

Here are ways that attackers can leverage steganography to support malicious goals:

  • Covert Communication: Cybercriminals may use steganography to communicate surreptitiously within seemingly harmless files, such as images or documents. By embedding sensitive information within these files, they can evade detection by traditional security measures.

  • Data Exfiltration: Steganography can also be used to exfiltrate sensitive data from a compromised system without raising suspicion. Attackers may hide stolen information within seemingly innocuous files and then transmit them through legitimate channels, bypassing network monitoring and detection mechanisms.

  • Malware Distribution: Malicious actors may embed malware payloads within seemingly legitimate files using steganography techniques. By hiding malware within images or documents, attackers can evade antivirus detection and increase the chances of successful infection.

SteganoAmor: An Emerging Threat

SteganoAmor attacks start with phishing or malspam emails carrying Microsoft Office attachments such as Excel or Word documents. These attachments exploit CVE-2017-11882, a high-severity remote code execution (RCE) vulnerability in the legacy Equation Editor component (EQNEDT32.EXE) of Microsoft Office. Microsoft patched it in November 2017 and later removed the Equation Editor component altogether; a public proof-of-concept has existed since 2017, and the campaign's continued success underscores the importance of installing security updates promptly.

When a victim opens a document trojanized with SteganoAmor, it downloads a Visual Basic Script (VBS), typically from a legitimate-looking cloud storage service such as Google Drive. The script then retrieves a JPG image that carries the next-stage payload as base64-encoded text, decodes the payload and executes the malware it contains. The image is never displayed; it is simply a container that lets the payload pass content filters and signature-based scanners that only inspect the visible file type.
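A detection-side example for the loader chain described above, added here and not taken from the campaign's code or from the article. It assumes the carrier is a JPEG and that the payload was appended as base64 text after the image data (the crude pattern most commodity loaders use; a payload hidden in pixel LSBs would not be found by this check). The sample JPEGs and the fake MZ/PE header are constructed inline, and the function names are this example's own.

```python
"""Find a payload appended after a JPEG's End-Of-Image marker.

Added illustrative detector, not code from the SteganoAmor campaign or the
article. It assumes the carrier is a JPEG and the payload was appended after
the image data as base64 text; a payload hidden in pixel LSBs would not be
found by this check. Sample files and the fake PE header are constructed inline.
"""
import base64
import re
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}   # markers without a length field
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def jpeg_eoi_offset(data: bytes) -> int:
    """Offset just past the outer EOI marker, found by walking the segments.

    Segments before SOS are skipped by declared length, so an EXIF thumbnail's
    own FFD9 is never mistaken for the outer EOI. After SOS the entropy-coded
    data is scanned for FFD9, which cannot occur inside it: 0xFF is byte-stuffed
    as FF00 and only RSTn (FFD0-FFD7) markers may appear.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        if marker == SOS:
            eoi = data.find(b"\xff\xd9", pos + 2 + seg_len)
            if eoi < 0:
                raise ValueError("SOS without EOI (truncated file)")
            return eoi + 2
        pos += 2 + seg_len
    raise ValueError("no SOS segment found")


def looks_like_pe(blob: bytes) -> bool:
    """MZ stub whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_jpeg_trailer(data: bytes) -> dict:
    """Report what, if anything, follows the EOI marker."""
    trailer = data[jpeg_eoi_offset(data):]
    result = {"trailer_bytes": len(trailer), "base64_payload": None, "pe_payload": False}
    match = BASE64_RUN.search(re.sub(rb"\s+", b"", trailer))   # loaders often wrap lines
    if match:
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:        # binascii.Error: not really base64
            decoded = b""
        if decoded:
            result["base64_payload"] = decoded
            result["pe_payload"] = looks_like_pe(decoded)
    return result


def _fake_pe() -> bytes:
    # Constructed stand-in for a dropped executable: MZ stub, e_lfanew, PE signature.
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\x00\x00" + bytes(20)


def _minimal_jpeg() -> bytes:
    # Constructed carrier: SOI, JFIF APP0, SOS header, fake scan data (no 0xFF), EOI.
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + bytes(range(0xF0)) + b"\xff\xd9"


CLEAN_JPEG = _minimal_jpeg()
# An APP1 segment carrying an inner thumbnail JPEG: its FFD9 must not end the scan.
THUMB_JPEG = CLEAN_JPEG[:2] + b"\xff\xe1" + struct.pack(">H", 6) + b"\xff\xd8\xff\xd9" + CLEAN_JPEG[2:]
STEGO_JPEG = CLEAN_JPEG + b"\n" + base64.b64encode(_fake_pe()) + b"\n"

if __name__ == "__main__":
    for name, sample in ("clean", CLEAN_JPEG), ("stego", STEGO_JPEG):
        print(name, scan_jpeg_trailer(sample))
```

Walking the segment structure rather than searching the whole file for FFD9 matters in practice: EXIF thumbnails and some camera metadata embed a complete inner JPEG, so a naive "find the last FFD9" or "find the first FFD9" check either misses the trailer or flags clean files. Any non-zero trailer on an image fetched by a script is worth quarantining even when it does not decode to a PE, since the next stage may be script text or a further-encoded blob.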

SteganoAmor acts as a first-stage loader for a range of commodity malware families, including:

  • AgentTesla: spyware used for keylogging and credential theft.

  • FormBook: an infostealer adept at harvesting credentials and executing files.

  • Remcos: a remote access tool that gives the attacker control of the compromised machine.

  • LokiBot: an infostealer targeting sensitive information.

  • Guloader: a downloader designed to evade antivirus detection while fetching further payloads.

  • Snake Keylogger: data theft via keystroke logging and screenshots.

  • XWorm: a remote access trojan (RAT) that lets attackers execute commands and access sensitive information on compromised computers.

Who is the TA558 Hacking Group?

The TA558 hacking group is a prolific, financially motivated cybercriminal actor to which the recent SteganoAmor attacks are attributed. It is a distinct group from TA505 (the actor behind Dridex, Locky and Clop) and should not be confused with it. TA558 is known for large-scale, highly orchestrated, email-driven campaigns, primarily against the hospitality, hotel and travel sectors with a strong focus on Latin America, and has been active since at least 2018.

Some key characteristics and activities associated with the TA558 hacking group include:

  • Malware Campaigns: TA558 launches high-volume campaigns that distribute commodity remote access trojans, keyloggers and information stealers rather than bespoke tooling; the families dropped by SteganoAmor (AgentTesla, FormBook, Remcos, LokiBot, Guloader, Snake Keylogger and XWorm) are typical. Banking trojans and ransomware such as Dridex, Locky, FlawedAmmyy and Clop belong to the toolset of TA505, a separate group.

  • Email-Based Attacks: The group frequently employs sophisticated phishing and email-based attacks to distribute malware payloads. These attacks typically involve the use of socially engineered emails containing malicious attachments or links designed to trick recipients into downloading and executing malware.

  • Targeted Exploitation: TA558 has been observed exploiting vulnerabilities in popular software applications, including Microsoft Office, to deliver malware to targeted organizations. They often leverage known vulnerabilities to increase the effectiveness of their attacks.

  • Large-Scale Operations: The group has conducted numerous large-scale campaigns targeting organizations worldwide. Their operations have resulted in significant financial losses for affected businesses and individuals.

  • Affiliate Model: There is evidence to suggest that TA558 operates on an affiliate model, wherein they recruit and collaborate with other cybercriminals to carry out their attacks. This model allows them to scale their operations and diversify their tactics.

Conclusion

The TA558 hacking group is behind the SteganoAmor attacks, which use steganography to conceal malware within seemingly harmless files. Targeting victims who have not patched a 2017 Microsoft Office vulnerability (CVE-2017-11882), the group distributes trojanized documents via phishing emails; the document retrieves a script, which in turn fetches a JPG image containing a covertly encoded payload.

That payload is the second stage of the attack: it slips past content filters to deploy a range of well-known commodity remote access trojans, keyloggers and information stealers.
