The TA558 cybercrime group has recently stepped up its malicious activity, attacking organizations worldwide with various types of malware. According to specialists at Positive Technologies' security center, more than 320 attacks have been attributed to the group.
The TA558 group uses complex infection chains built from tools such as Agent Tesla, FormBook, Remcos and others. One notable feature of its attacks is steganography: concealing malicious code inside images and text files.
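The article does not describe how the payload is hidden in the image or text file, so the following detector, added here and not taken from the article or from the Positive Technologies research, assumes one common steganography-by-appending pattern: data placed after the image's end-of-image marker, or long base64 runs in an otherwise harmless file. It checks JPEG and PNG trailers and text blobs; all sample inputs are constructed in the block.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Magic bytes -> end-of-image marker for the formats we know how to locate the true end of.
# PNG's IEND chunk is always followed by its fixed CRC (AE 42 60 82).
END_MARKERS: Dict[bytes, bytes] = {
    b"\xff\xd8": b"\xff\xd9",                          # JPEG: SOI ... EOI
    b"\x89PNG\r\n\x1a\n": b"IEND\xae\x42\x60\x82",     # PNG: signature ... IEND + CRC
}

# A base64 run of 64+ characters (optionally padded); short runs produce too many false positives.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def trailing_data(image: bytes) -> Optional[bytes]:
    """Bytes after the format's end marker, or None if the format is not JPEG/PNG.

    rfind is used on purpose: EXIF thumbnails embed a second JPEG with its own EOI,
    so the first EOI found is often not the real end of a legitimate file.
    """
    for magic, end in END_MARKERS.items():
        if image.startswith(magic):
            idx = image.rfind(end)
            if idx == -1:
                return b""
            return image[idx + len(end):]
    return None


def base64_runs(data: bytes) -> List[bytes]:
    """Return the base64-looking runs in data that actually decode (usable on text files too)."""
    decoded: List[bytes] = []
    for m in BASE64_RUN.finditer(data):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue
    return decoded


def suspicious_trailer(image: bytes) -> dict:
    """Summarize whether an image carries appended, base64-encoded data after its end marker."""
    tail = trailing_data(image)
    if tail is None:
        return {"known_format": False, "trailer_len": 0, "base64_run": False, "decodes": False}
    has_run = BASE64_RUN.search(tail) is not None
    payloads = base64_runs(tail)
    return {
        "known_format": True,
        "trailer_len": len(tail),
        "base64_run": has_run,
        "decodes": bool(payloads),
        # An MZ header in the decoded data would be a strong signal of an embedded executable.
        "decoded_starts_mz": any(p.startswith(b"MZ") for p in payloads),
    }


# Constructed samples: a minimal JPEG-like blob, the same blob with a fake payload appended,
# and a minimal PNG-like blob. None of these are real images or real malware.
CLEAN_JPEG = b"\xff\xd8" + b"\x00" * 32 + b"\xff\xd9"
FAKE_PAYLOAD = base64.b64encode(b"constructed fake payload " * 4)   # 136 base64 characters
STEGO_JPEG = CLEAN_JPEG + FAKE_PAYLOAD
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"IEND\xae\x42\x60\x82"

if __name__ == "__main__":
    for name, blob in [("clean.jpg", CLEAN_JPEG), ("stego.jpg", STEGO_JPEG), ("clean.png", CLEAN_PNG)]:
        print(name, suspicious_trailer(blob))
```

The check is a heuristic, not a parser: an attacker who stores the payload inside image metadata rather than after the end marker will not trigger it, so it is best used as one signal in a mail-gateway or sandbox pipeline alongside the download source and the process that later reads the image.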
These attacks usually begin with phishing emails carrying Microsoft Office documents that exploit CVE-2017-11882. Although the flaw was patched in 2017, it remains a popular target for attackers because so many outdated Microsoft Office installations are still in use.
If an outdated version of Microsoft Office is installed on the target's computer, the exploit downloads a Visual Basic script, which in turn retrieves an image containing hidden malicious code. The final malware is then extracted from that image with PowerShell.
Interestingly, the documents and scripts used in these attacks often have love-themed names, such as "Greatlover.vbs," "Easytolove.vbs," and even "IaminlovewithsomeNeshecuteandtroandtruunolucKynotundanceatundance_HowMuchiloveherbutsallgreatwitwitwitwitworiamgivingyou.doc." This led researchers to dub the campaign "SteganoAmor."
The attackers frequently use legitimate cloud services such as Google Drive to host malicious files, which helps them evade antivirus detection. Stolen information is exfiltrated through compromised legitimate FTP and SMTP servers so that the traffic looks less suspicious.
Analysis showed that organizations in Latin America were the primary targets, although attacks were also recorded in North America and Western Europe. Victims span a range of economic sectors, including public institutions and private companies.
In one case, the attackers sent an email with a malicious attachment disguised as an Excel document. When the file is opened, the user unknowingly triggers a macro that downloads and runs Agent Tesla, which can steal data from browsers, mail clients and remote-access tools.
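Both infection paths described above (the CVE-2017-11882 chain of Office document, Visual Basic script and PowerShell, and the Excel macro that fetches Agent Tesla) share one property a defender can key on: an Office component spawning a script host or PowerShell. The detector below is an added example, not code from the article or from Positive Technologies; it walks constructed process-creation events and flags those ancestry chains. It assumes Sysmon-style fields (pid, parent pid, image name). Two facts it relies on are not in the article but are well known: CVE-2017-11882 lives in the Equation Editor component EQNEDT32.EXE, and Equation Editor is launched out of process over DCOM, so its parent is usually svchost.exe rather than WINWORD.EXE, which is why the rule treats EQNEDT32.EXE itself as an Office ancestor.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Office hosts that should almost never spawn script interpreters. EQNEDT32.EXE is listed
# because its parent is normally svchost.exe (DCOM launch), not the Office application.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable name only, e.g. "wscript.exe"


def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(index: Dict[int, ProcEvent], pid: int, max_depth: int = 8) -> List[ProcEvent]:
    """Process and its ancestors, child first, stopping at unknown parents or max_depth."""
    chain: List[ProcEvent] = []
    cur = index.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain


def classify(index: Dict[int, ProcEvent], event: ProcEvent) -> Optional[str]:
    """Label a script host / PowerShell process that descends from an Office component, else None."""
    name = event.image.lower()
    if name not in SCRIPT_HOSTS and name not in POWERSHELL:
        return None
    parents = [e.image.lower() for e in ancestry(index, event.pid)[1:]]
    if not any(p in OFFICE_PARENTS for p in parents):
        return None
    if name in POWERSHELL and any(p in SCRIPT_HOSTS for p in parents):
        return "office->script_host->powershell"   # the VBS-then-PowerShell chain
    if name in SCRIPT_HOSTS:
        return "office->script_host"
    return "office->powershell"                    # e.g. a macro calling PowerShell directly


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, label) for every event that matches one of the Office-spawned chains."""
    index = build_index(events)
    hits: List[Tuple[int, str]] = []
    for e in events:
        label = classify(index, e)
        if label is not None:
            hits.append((e.pid, label))
    return hits


# Constructed sample process tree (pids and order are made up):
#   explorer(100) -> winword(200)                      document opened by the user
#   svchost(150)  -> eqnedt32(210) -> wscript(220) -> powershell(230)   exploit chain
#   explorer(100) -> excel(300) -> powershell(310)                      macro case
#   explorer(100) -> powershell(400)                                    benign admin shell
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(150, 1, "svchost.exe"),
    ProcEvent(200, 100, "WINWORD.EXE"),
    ProcEvent(210, 150, "EQNEDT32.EXE"),
    ProcEvent(220, 210, "wscript.exe"),
    ProcEvent(230, 220, "powershell.exe"),
    ProcEvent(300, 100, "EXCEL.EXE"),
    ProcEvent(310, 300, "powershell.exe"),
    ProcEvent(400, 100, "powershell.exe"),
]

if __name__ == "__main__":
    for pid, label in detect(SAMPLE_EVENTS):
        print(pid, label)
```

Because the rule keys on ancestry rather than on a single parent-child pair, it still fires when an intermediate script host sits between the Office component and PowerShell, and it stays silent for a PowerShell window launched from Explorer. On a real endpoint the remaining tuning work is an allow-list for the few line-of-business macros that legitimately call scripts.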
Due to the use of