Hackers Use Malware to Install 0bj3ctivity Stealer and VIP Keylogger by Hiding It in Pictures
During different campaigns, threat actors have been seen delivering malware like VIP Keylogger and 0bj3ctivity Stealer by hiding dangerous code in photos.
In its Q3 2024 Threat Insights Report, which was shared with The Hacker News, HP Wolf Security stated that "in both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads."
Phishing emails that pose as purchase orders and invoices are the first step in the process. These emails trick recipients into opening malicious attachments, such as Microsoft Excel documents that exploit the known Equation Editor vulnerability (CVE-2017-11882) to download a VBScript file.
The script is designed to decode and execute a PowerShell script that retrieves an image hosted on archive[.]org and extracts a Base64-encoded payload from it. The payload is then decoded into a .NET executable and run.
The .NET executable acts as a loader: it downloads VIP Keylogger from a specified URL and executes it. The keylogger lets the attackers harvest credentials, screenshots, clipboard contents and keystrokes from compromised systems. VIP Keylogger shares much of its functionality with Snake Keylogger and 404 Keylogger.
A similar campaign uses email to deliver malicious archive files to targets. Posing as requests for quotation, the messages try to trick users into opening a JavaScript file inside the archive, which in turn launches a PowerShell script.
The PowerShell script downloads an image from a remote server, parses the Base64-encoded payload embedded in it, and then launches the same .NET-based loader as in the first campaign. The difference is that this attack chain ends with the deployment of an information stealer called 0bj3ctivity Stealer.
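Both chains above rely on an image file that carries a Base64-encoded .NET payload. The following scanner is an added example, not code from the report or the campaigns, that a defender can run over image attachments or downloads: it flags bytes trailing the structural end of a PNG or JPEG and any long Base64 run that decodes to a PE ("MZ") header. The PNG carrier and the "MZ" blob are constructed in the script for demonstration.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xaeB`\x82"          # chunk type followed by its fixed CRC
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
# A long run of Base64 alphabet is out of place inside compressed pixel data.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as a benign carrier for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")       # filter byte + one RGB pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def trailing_data(image: bytes) -> bytes:
    """Bytes after the structural end of a PNG or JPEG; a well-formed image has none."""
    if image.startswith(PNG_SIG):
        end = image.find(PNG_IEND)
        return image[end + len(PNG_IEND):] if end != -1 else b""
    if image.startswith(JPEG_SOI):
        end = image.rfind(JPEG_EOI)
        return image[end + len(JPEG_EOI):] if end != -1 else b""
    return b""

def find_embedded_executables(image: bytes) -> list:
    """Base64 runs anywhere in the file that decode to a PE ('MZ') header."""
    hits = []
    for m in B64_RUN.finditer(image):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:            # not valid Base64 (binascii.Error is a ValueError)
            continue
        if decoded.startswith(b"MZ"):
            hits.append({"offset": m.start(), "decoded_len": len(decoded)})
    return hits

def staged_sample() -> bytes:
    """Constructed stand-in: benign PNG with a Base64 'MZ' blob appended after IEND."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"   # placeholder bytes, not a real binary
    return minimal_png() + base64.b64encode(fake_pe)

if __name__ == "__main__":
    for name, img in (("clean", minimal_png()), ("staged", staged_sample())):
        print(name, len(trailing_data(img)), find_embedded_executables(img))
```

Real campaigns may wrap the payload between marker strings rather than appending it, so the Base64-run scan, not only the trailing-data check, is what catches those.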
The similarities between the two campaigns suggest that threat actors are using malware kits, which both increase overall effectiveness and reduce the time and technical know-how needed to build the attacks.
HP Wolf Security also observed threat actors using HTML smuggling to deliver an AutoIt dropper that installs the XWorm remote access trojan (RAT), mirroring earlier campaigns that distributed AsyncRAT.
"Notably, the HTML files bore hallmarks suggesting that they had been written with the help of GenAI," claimed HP. "The activity points to the growing use of GenAI in the initial access and malware delivery stages of the attack chain."
"Indeed, threat actors stand to gain numerous benefits from GenAI, from scaling attacks and creating variations that could increase their infection rates, to making attribution by network defenders more difficult."
And that's not all. Threat actors have also been observed setting up GitHub repositories that advertise video game cheat and modification tools in order to distribute the Lumma Stealer malware via a .NET dropper.
"The campaigns examined offer additional proof of the commercialization of cybercrime," stated Alex Holland, Senior Threat Investigator at HP Security Lab. "As kits that use malware by numbers are more freely available, affordable, and easy to use, even novices with limited skills and knowledge can put together an effective infection chain."