Hackers hide malware in website images to evade detection.
Several groups are using the same infection chain to distribute different information-stealing malware.
Experts have warned about a new tactic employed by cybercriminals that involves hiding malware within images hosted on reputable websites. A recent threat report from HP Wolf Security, based on the analysis of millions of endpoints, indicates that there are currently extensive active campaigns distributing two types of infostealers: VIP Keylogger and 0bj3ctivityStealer. By using similar techniques and loaders, researchers suggest that at least two groups are leveraging the same malware kits to carry out different attacks.
The attackers hide the malicious code in images from file hosting sites, such as archive.org, using the same loader to install the final payload. This technique allows them to evade detection, as the downloaded image files appear harmless when coming from reputable sites, thus bypassing network security.
The attack scheme typically begins with a phishing email falsely presented as a bill or purchase order. Attached to this email is usually an Excel document designed to exploit an old vulnerability in the Equation Editor (CVE-2017-11882), which allows for the download of a VBScript file.
Alex Holland, a senior threat researcher at HP Security Lab, mentions that phishing kits, along with generative artificial intelligence (GenAI) tools, have significantly simplified access to malware techniques, increasing the current risk: “This enables groups to focus on deceiving their targets and selecting the best payload, for instance, targeting gamers through malicious cheat repositories.”
According to the researchers, criminals are also using GenAI to create malicious HTML documents. They identified a campaign delivering the XWorm remote access trojan (RAT) that started with HTML smuggling and contained code designed to download and execute the malware. The loader showed clear signs of having been written with AI assistance: it included detailed line-by-line comments and a deliberately designed HTML page.
Both VIP Keylogger and 0bj3ctivityStealer are infostealers, malware whose purpose is to record and exfiltrate sensitive information such as passwords, cryptocurrency wallet data, and other sensitive files.