Hackers Disguise Malware in Pictures to Deploy VIP Keylogger and 0bj3ctivity Stealer

January 16, 2025, by Ravie Lakshmanan. Category: Malware / Ransomware
Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns. "In both campaigns, the attackers hid malicious code in the images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads," HP Wolf Security said in its Q3 2024 Threat Insights Report shared with The Hacker News. The starting point is a phishing email that impersonates invoices and purchase orders to trick recipients into opening malicious attachments, such as Microsoft Excel documents, which, when opened, exploit a known flaw in Equation Editor (CVE-2017-11882) to download a VBScript file.
The script, for its part, is designed to decode and run a PowerShell script that retrieves an image hosted on archive[.]org and extracts Base64-encoded code from it, which is subsequently decoded into a .NET executable and executed. The .NET executable acts as a loader that downloads VIP Keylogger from a given URL and runs it, allowing the attackers to extract data from infected systems, including keystrokes, clipboard content, screenshots, and credentials. VIP Keylogger shares functionality with Snake Keylogger and 404 Keylogger.

A similar campaign has been found to deliver malicious archive files via email. These messages, which pose as requests for quotation, are intended to lure recipients into opening a JavaScript file inside the archive that executes the PowerShell script. As before, the PowerShell script downloads an image from a remote server, extracts the Base64-encoded code inside it, and runs the same .NET-based loader. The difference is that the attack chain culminates in the deployment of an information stealer known as 0bj3ctivity.

The similarities between the two campaigns show that attackers are using malware kits to improve efficiency while also reducing the time and expertise needed to develop the attacks.

HP Wolf Security also said it has observed malicious actors using HTML smuggling techniques to drop the XWorm remote access trojan (RAT) by means of an AutoIt dropper, echoing a prior campaign that distributed AsyncRAT in a similar way. "Notably, the HTML files contained evidence indicating that they had been written with the help of GenAI," HP said. "These developments highlight the growing potential of GenAI in the initial access and delivery stages of malware."
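The chain described above depends on an image that a viewer renders normally while a script carves a Base64-encoded .NET executable out of it. The following scanner is an added example, not code from HP Wolf Security or The Hacker News, written from the defender's side: it checks an image file for data appended after the format's end-of-image marker and for long Base64 runs that decode to a PE ("MZ") header. The 64-character threshold, the marker handling and the sample PNG are assumptions constructed for the demonstration, not details taken from the report.

```python
"""
Added example (not from HP Wolf Security or The Hacker News): scan an image
for two traces of the payload-in-image technique, from a defender's view.

  1. Trailing data after the format's end-of-image marker. Viewers stop at
     IEND (PNG) or the EOI marker (JPEG); a script carving a payload does not.
  2. Long Base64 runs that decode to a PE ("MZ") header, i.e. an embedded
     executable such as a .NET loader.

Thresholds, marker handling and sample files are assumptions constructed
for this demonstration.
"""
import base64
import binascii
import re
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xaeB`\x82"      # IEND chunk type plus its fixed CRC
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# 64+ Base64 characters in a row; shorter runs occur by chance in binary data.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def trailing_data(blob: bytes) -> bytes:
    """Bytes after the image's end marker; empty for unknown formats or none."""
    if blob.startswith(PNG_SIGNATURE):
        idx = blob.find(PNG_IEND)
        return blob[idx + len(PNG_IEND):] if idx >= 0 else b""
    if blob.startswith(JPEG_SOI):
        # Use the last EOI: embedded EXIF thumbnails carry their own EOI marker.
        idx = blob.rfind(JPEG_EOI)
        return blob[idx + len(JPEG_EOI):] if idx >= 0 else b""
    return b""


def try_b64decode(run: bytes) -> Optional[bytes]:
    """Decode a Base64 run, repairing missing padding; None if not valid."""
    core = run.rstrip(b"=")
    if len(core) % 4 == 1:            # no padding can make this valid Base64
        return None
    try:
        return base64.b64decode(core + b"=" * (-len(core) % 4), validate=True)
    except binascii.Error:
        return None


def scan_image(blob: bytes) -> dict:
    """Report trailing data and any Base64 runs that decode to a PE header."""
    report = {"trailing_bytes": len(trailing_data(blob)), "embedded_pe": []}
    for match in B64_RUN.finditer(blob):
        decoded = try_b64decode(match.group())
        if decoded is not None and decoded.startswith(b"MZ"):
            report["embedded_pe"].append({
                "offset": match.start(),
                "b64_len": len(match.group()),
                "decoded_len": len(decoded),
            })
    return report


def is_suspicious(report: dict) -> bool:
    """Flag an image with data past its end marker or an embedded PE."""
    return report["trailing_bytes"] > 0 or bool(report["embedded_pe"])


def make_sample_png(with_payload: bool) -> bytes:
    """Constructed PNG skeleton (signature, IHDR, IEND), optionally with a
    Base64 fake PE stub appended after IEND."""
    ihdr = (b"\x00\x00\x00\rIHDR"
            + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00"
            + b"\x1f\x15\xc4\x89")
    png = PNG_SIGNATURE + ihdr + b"\x00\x00\x00\x00" + PNG_IEND
    if with_payload:
        fake_pe = b"MZ" + b"\x90" * 62     # constructed stub, not a real binary
        png += base64.b64encode(fake_pe)
    return png


if __name__ == "__main__":
    for label, blob in (("clean", make_sample_png(False)),
                        ("payload", make_sample_png(True))):
        report = scan_image(blob)
        print(f"{label}: suspicious={is_suspicious(report)} {report}")
```

Run against files a PowerShell stage fetched from a file-hosting site, either check alone is a useful triage signal: a legitimate image has nothing after IEND or EOI, and no reason to contain an 88-character-plus Base64 string that decodes to an MZ header.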
"Indeed, threat actors stand to gain numerous benefits from GenAI, from scaling attacks and creating variations that could increase their infection rates, to making attribution harder for network defenders."

That's not all. Attackers have also been observed creating GitHub repositories of fake video game cheats and modding tools to deploy the Lumma Stealer malware using a .NET dropper.

"The campaigns analyzed provide further evidence of the commodification of cybercrime," said Alex Holland, senior threat researcher at HP Security Lab. "As malware kits and code are freely available, affordable, and easy to use, even novices with limited experience and knowledge can put together an effective infection chain."