Cybersecurity researchers have reported that threat actors are using images to conceal malicious code and distribute malware such as the VIP Keylogger and 0bj3ctivity Stealer. In two separate campaigns, attackers uploaded these images to archive[.]org, a file-hosting website, and employed the same .NET loader to execute their payloads. The initial attack vector starts with a phishing email masquerading as invoices or purchase orders, tricking recipients into opening malicious attachments like Microsoft Excel files. These attachments exploit a known vulnerability in Equation Editor (CVE-2017-11882) to download a VBScript file.
Once opened, the VBScript decodes and executes a PowerShell script that retrieves an image from archive[.]org. The Base64-encoded code embedded in the image is then decoded into a .NET executable and run. This executable serves as a loader, downloading and running the VIP Keylogger from a remote URL. The keylogger is capable of stealing various types of sensitive information, including keystrokes, clipboard content, screenshots, and credentials, with similar functionality to other well-known keyloggers like Snake and 404 Keylogger.
In the second campaign, attackers sent malicious archive files disguised as quotation requests.
In the second campaign, attackers sent malicious archive files disguised as quotation requests. These emails contained a JavaScript file that, when opened, triggered a PowerShell script. Similar to the first campaign, the script fetched an image, extracted and decoded Base64-encoded code, and executed the same .NET loader. The difference in this campaign is that it deployed the 0bj3ctivity information stealer, highlighting the actors’ use of different malware tools in successive attacks.
HP Wolf Security’s report also highlighted the growing trend of cybercriminals using malware kits to streamline their operations and reduce the level of technical expertise required. This includes the use of GenAI to create varied attack chains and improve their efficiency. Additionally, threat actors are leveraging platforms like GitHub to distribute malware such as Lumma Stealer through seemingly innocent video game cheat repositories. The increasing commodification of cybercrime has made it easier for even novice hackers to execute complex attacks.