Unveiling the New SteganoAmor Attacks


In the realm of cybersecurity, the use of steganography to conceal malicious code has taken a sinister turn with the emergence of the New SteganoAmor attacks. These attacks, orchestrated by the notorious TA558 hacking group, have targeted 320 organizations globally, highlighting the evolving landscape of cyber threats.

History of Steganography and SteganoAmor

Steganography, the ancient art of hiding information, has transitioned into the digital age, becoming a potent tool for cybercriminals. The rise of SteganoAmor signifies a new chapter in the utilization of steganography for malicious purposes, posing a significant challenge to cybersecurity experts worldwide.


SteganoAmor attacks are a class of cyberattack that uses steganography to hide malicious data inside seemingly innocuous files, particularly images. Because an image consists of a very large number of pixels and bits, the attackers can replace some of those bits with malware code while the image still looks unremarkable.


This technique is used to evade security scans, obtain persistence, and deploy malware, which can infect the targeted system when the victim clicks the malicious image. Steganography attacks can be conducted through various media, including text, images, audio, and video.

Attack Strategy

In the initial stages of this attack, phishing tactics are employed to lure unsuspecting users into divulging sensitive information or downloading malware. These tactics correspond to the MITRE ATT&CK techniques Spearphishing Attachment (T1566.001) and Spearphishing Link (T1566.002).


Spearphishing is a targeted form of phishing in which a specific individual, company, or industry is singled out by the adversary. It is carried out via emails containing malicious attachments or links which, when opened, execute malicious code on the victim's system or steal credentials that can later be used to log in through valid accounts.


If the attack arrives as a malicious attachment, an exploit for CVE-2017-11882 is used to download the payload. If it arrives as a link, the user downloads an archive containing the malicious content and runs it, which triggers the payload download. This aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203).


For example, clicking the link in the email redirects to a domain from which an archive is downloaded. Inside is a VBS file with a long, deceptive file name. When a malicious document is used instead, the VBS file is downloaded and executed automatically through the CVE-2017-11882 exploit; the user only needs to open the Microsoft Office file.


The VBS script is responsible for fetching the next stage of the attack and is executed with wscript. It is heavily obfuscated and bloated to make analysis difficult. Robust security measures are essential to prevent such attacks.
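The VBS-via-wscript stage described above leaves a recognisable trace in process-creation telemetry. The following is an added example, not code from the original article or from any vendor: it triages constructed process events (the field names, the 60-character name threshold, the list of Office parents, the Equation Editor image name eqnedt32.exe and the sample command lines are all assumptions of this example) and flags script-host launches whose parent is an Office application or the Equation Editor, whose script name is unusually long or carries a double extension, or whose script sits in a user-writable directory.

```python
"""Triage constructed process-creation events for the VBS-via-wscript stage.

Added example, not code from the original article. The events below are
constructed; the field names are hypothetical and not tied to any specific
EDR or Sysmon schema.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line of the created process


# Office applications and the Equation Editor binary (eqnedt32.exe) should
# not normally be the parent of a script host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")
# a quoted path ending in .vbs, or an unquoted token ending in .vbs
VBS_ARG = re.compile(r'"([^"]*\.vbs)"|(\S+\.vbs)', re.IGNORECASE)
LONG_NAME = 60  # assumed threshold for a "long, deceptive" file name


def script_path(cmdline: str) -> str:
    """Return the .vbs path on the command line, or '' if there is none."""
    m = VBS_ARG.search(cmdline)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def assess(ev: ProcEvent) -> List[str]:
    """Reasons an event looks like the SteganoAmor VBS stage (empty list = benign)."""
    reasons: List[str] = []
    if ev.image.lower() not in SCRIPT_HOSTS:
        return reasons
    path = script_path(ev.cmdline)
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if ev.parent.lower() in OFFICE_PARENTS:
        reasons.append(f"script host spawned by {ev.parent.lower()}")
    if len(name) > LONG_NAME:
        reasons.append("unusually long script file name")
    if name.lower().count(".") > 1:
        reasons.append("double extension")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("script in user-writable location")
    return reasons


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that trips at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = assess(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Equation Editor launching a script host from %TEMP% with a long name
    ProcEvent("eqnedt32.exe", "wscript.exe",
              'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\'
              'Order_Confirmation_Document_April_2024_Scan_0001_Final_Version_Copy.vbs"'),
    # an ordinary logon script: should not be flagged
    ProcEvent("explorer.exe", "wscript.exe",
              "wscript.exe \\\\fileserver\\netlogon\\mapdrives.vbs"),
    # Word launching a double-extension script from Downloads
    ProcEvent("winword.exe", "wscript.exe",
              "wscript.exe C:\\Users\\u\\Downloads\\invoice.pdf.vbs"),
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].cmdline, "->", ", ".join(why))
```

The rules are deliberately independent so that a single hit (for example, an Office parent on its own) is enough to surface the event for review; the logon-script event shows that a script host by itself is not a signal.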


When an outdated version of Microsoft Office is present, simply opening the file exploits the vulnerability to retrieve a Visual Basic Script (VBS) from the legitimate paste.ee service. This script is then run to retrieve an image file (JPG) that carries a base64-encoded payload.


The PowerShell script embedded within the image file fetches the final payload, which is concealed within a text file and encoded in reverse base64 format.
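The two encoding tricks in the chain above, a base64 blob riding inside the image file and a final stage stored as reversed base64, are easy to unwrap for analysis. The following is an added example, not the campaign's code and not code from the article: it builds a constructed JPEG with a base64 string appended after the image data and a constructed reversed-base64 text stage (both harmless placeholders), locates the text after the JPEG End-Of-Image marker, and decodes both stages without executing anything. The search after the EOI marker and the minimum run length are assumptions of this example; real samples may place the text elsewhere or use markers the article does not describe.

```python
"""Pull the base64 stage out of an image tail and decode a reversed-base64 text stage.

Added example, not code from the original article; the image bytes and
payload strings below are constructed placeholders.
"""
import base64
import binascii
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"  # Start Of Image
JPEG_EOI = b"\xff\xd9"  # End Of Image
# a run of base64 text long enough not to be a false hit on stray bytes
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Bytes appended after the last EOI marker of a JPEG, or None if there are none.

    An image decoder stops at EOI, so anything after it is invisible in a
    viewer but still present in the file. rfind is adequate for this
    constructed input; a production tool should walk the JPEG segments.
    """
    if not data.startswith(JPEG_SOI):
        return None
    end = data.rfind(JPEG_EOI)
    if end < 0:
        return None
    tail = data[end + len(JPEG_EOI):]
    return tail if tail.strip() else None


def embedded_base64_text(data: bytes) -> Optional[str]:
    """Decode the first base64 run found after the image data; never executes it."""
    tail = trailing_bytes(data)
    if tail is None:
        return None
    m = B64_RUN.search(tail)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def decode_reversed_base64(text: str) -> bytes:
    """The final-stage text file is base64 written backwards: reverse, then decode."""
    return base64.b64decode(text.strip()[::-1], validate=True)


# --- constructed sample artefacts (harmless placeholders) ---
STAGE_TWO = b"Write-Host 'stage-two placeholder (constructed, harmless)'"
FINAL_STAGE = b"final-stage placeholder bytes (constructed, harmless)"
# minimal JFIF header, a little padding, EOI, then the appended base64 text
CONSTRUCTED_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 16
    + JPEG_EOI
    + b"\n" + base64.b64encode(STAGE_TWO) + b"\n"
)
CONSTRUCTED_TXT = base64.b64encode(FINAL_STAGE).decode()[::-1]

if __name__ == "__main__":
    print("image tail decodes to:", embedded_base64_text(CONSTRUCTED_JPEG))
    print("reversed text decodes to:", decode_reversed_base64(CONSTRUCTED_TXT))
```

The same trailing-data check is a cheap triage signal on its own: a JPEG that carries printable text after its EOI marker is worth a second look even before anything is decoded.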


Such measures include restricting downloads of suspicious files, sourcing software only from legitimate vendors that maintain it with dedicated development teams, and educating employees about the risks these downloads pose.

Mitigation

To mitigate this vulnerability, update Microsoft Office to a more recent version in which it has been fixed. This prevents attackers from exploiting the buffer overflow in the Equation Editor to gain control of the victim's computer.

CVE Information

CVE-2017-11882 (Severity: High)

Description: A vulnerability known as "Microsoft Office Memory Corruption Vulnerability" exists in Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1, and 2016. This flaw could enable an attacker to execute arbitrary code within the current user's context due to improper handling of objects in memory. It is distinct from CVE-2017-11884.

Metric                             CVSS v3.1                                      CVSS v2.0
Base Score                         7.8                                            9.3
Severity                           High                                           High
Vector                             CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   AV:N/AC:M/Au:N/C:C/I:C/A:C
Attack / Access Vector (AV)        Local                                          Network
Attack / Access Complexity (AC)    Low                                            Medium
Privileges Required (PR)           None                                           -
Authentication (Au)                -                                              None
User Interaction (UI)              Required                                       -
Scope (S)                          Unchanged                                      -
Confidentiality (C)                High                                           Complete
Integrity (I)                      High                                           Complete
Availability (A)                   High                                           Complete


Conclusion

The emergence of SteganoAmor attacks, orchestrated by the TA558 hacking group, represents a significant evolution in cyber threats, utilizing steganography to conceal malicious code within images. These attacks exploit vulnerabilities like CVE-2017-11882, targeting organizations globally through phishing tactics and payload delivery mechanisms. To combat such threats, it is crucial to update software, enhance security measures, and educate users to prevent the execution of malicious scripts embedded in seemingly harmless files, safeguarding against the infiltration of sophisticated cyberattacks.
