Cybercriminals are currently using steganography to deliver malicious PowerShell scripts hidden inside image files. The goal is to steal credentials from employees of service companies in the industrial sector. German and European companies are among the victims of the campaign uncovered by Kaspersky.
Tailored steganography attacks on the industrial sector
The attackers use phishing emails with individually crafted payloads: the messages and attached documents are written in each victim's language and customized for the target, and the malware carried out its tasks only on systems whose locale matched the one the email was written for. Bleeping Computer points this out in the following tweet.
Highly-targeted attacks on industrial sector hide payload in images – @Ionut_Ilascu https://t.co/rY3aOunMdr
— BleepingComputer (@BleepinComputer) May 29, 2020
Steganography also plays a role in delivering the malware. The attackers hide the malicious code inside ordinary-looking image files and upload them to public image hosting services. Because the carrier is still a valid picture, they hope to deceive or slip past network traffic scanners and content inspection tools when the file is downloaded. Here is one such image, which may be linked from a phishing email.
Sample image with payload
The attack starts with a phishing email containing a Microsoft Office document with malicious macro code. The macro's job is to decrypt and execute an initial PowerShell script. It launches the script with parameters that hide the console window (-WindowStyle Hidden), run it regardless of the configured script execution policy (-ExecutionPolicy Bypass) and skip loading the user's profile (-NoProfile). Note that the execution policy is a safeguard against accidentally running scripts, not a security boundary, so a process that can start powershell.exe can always override it this way.
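A detection angle on this launch pattern, as an added example that is not part of the original post or Kaspersky's report: the three switches above rarely appear together in legitimate administrative use, and an Office application spawning PowerShell is unusual on its own. The Python below scans a handful of constructed process-creation events (Sysmon-style field names ParentImage, Image and CommandLine are assumed) and also tolerates powershell.exe's parameter-prefix abbreviations such as -w, -ep and -nop, which attackers use to dodge naive string matches on the full parameter names.

```python
import re

# powershell.exe accepts any unambiguous prefix of a parameter name, so the patterns
# match -w / -win / -WindowStyle, -ex / -ep / -ExecutionPolicy and -nop / -NoProfile.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+(?:hidden|1)\b")  # 1 = numeric enum value
POLICY_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:ex[a-z]*|ep)\s+(?:bypass|unrestricted)\b")
NO_PROFILE = re.compile(r"(?i)(?:^|\s)-nop[a-z]*\b")
POWERSHELL_IMAGE = re.compile(r"(?i)(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events using Sysmon-style field names (assumed, not taken from the post).
SAMPLE_EVENTS = [
    {   # macro-launched PowerShell with the switches described in the post
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -Command "Start-Sleep 1"',
    },
    {   # the same switches abbreviated, launched from the desktop shell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -nop -w hidden -ep bypass -Command "Start-Sleep 1"',
    },
    {   # ordinary interactive use: one switch, benign parent
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -NoProfile -Command "Get-Service"',
    },
    {   # scheduled admin script: a bare bypass is common and would be noisy to alert on
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
]


def assess(event: dict) -> dict:
    """Return the indicators a process-creation event triggers and whether to alert on it."""
    if not POWERSHELL_IMAGE.search(event.get("Image", "")):
        return {"suspicious": False, "indicators": []}
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    indicators = []
    if HIDDEN_WINDOW.search(cmd):
        indicators.append("hidden window")
    if POLICY_BYPASS.search(cmd):
        indicators.append("execution policy bypassed")
    if NO_PROFILE.search(cmd):
        indicators.append("user profile skipped")
    office_parent = parent in OFFICE_PARENTS
    if office_parent:
        indicators.append(f"spawned by Office process {parent}")
    # Any PowerShell child of an Office application is worth a look; otherwise require
    # all three stealth switches, a combination administrators rarely type by hand.
    suspicious = office_parent or len(indicators) >= 3
    return {"suspicious": suspicious, "indicators": indicators}


def scan(events: list) -> list:
    """Return (index, indicators) for every event that should raise an alert."""
    alerts = []
    for index, event in enumerate(events):
        verdict = assess(event)
        if verdict["suspicious"]:
            alerts.append((index, verdict["indicators"]))
    return alerts


if __name__ == "__main__":
    for index, indicators in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(indicators)}")
```

The thresholds are deliberately conservative: a single -ExecutionPolicy Bypass from a service account is everyday noise, whereas the Office-parent relationship is the signal that separates a macro dropper from administration scripts, so in production the parent check belongs in the rule before any switch matching.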
The purpose of this initial PowerShell script is to download an image from randomly selected addresses on the Imgur or Imgbox hosting services and extract the payload from it. Victims have been identified in several countries (Japan, the UK, Germany, Italy); some of them supply equipment and software to industrial companies. Kaspersky describes the details of the attack in this document, and Bleeping Computer covers it in the tweet above and in this article.
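How a payload can sit inside an image while the file remains a perfectly valid picture, and why a byte-level scanner does not notice it, as an added illustration of the hiding step described in the steganography paragraph above and the extraction step performed by the initial script. This is not Kaspersky's or the attackers' code: the page does not state which encoding the campaign used, so least-significant-bit embedding in raw RGB samples is assumed, the carrier is a constructed random pixel buffer rather than a downloaded photo, and the hidden text is a harmless stand-in for the real second stage.

```python
import random
import struct

LENGTH_PREFIX = 4  # the payload length is stored first so the extractor knows where to stop


def embed_lsb(samples: bytes, payload: bytes) -> bytearray:
    """Hide payload in the least significant bit of consecutive 8-bit colour samples.

    Every sample changes by at most 1, which is invisible to the eye and leaves the
    image container untouched: the file still decodes as a normal picture.
    """
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(samples):
        raise ValueError(f"carrier too small: need {len(data) * 8} samples, have {len(samples)}")
    out = bytearray(samples)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):  # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return out


def extract_lsb(samples: bytes) -> bytes:
    """Recover a payload written by embed_lsb; reject carriers with an impossible length."""
    if len(samples) < LENGTH_PREFIX * 8:
        raise ValueError("carrier too small to hold a length prefix")

    def read(offset: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (samples[offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = struct.unpack(">I", read(0, LENGTH_PREFIX))[0]
    if (LENGTH_PREFIX + length) * 8 > len(samples):
        raise ValueError("length prefix exceeds carrier; not a stego image made by embed_lsb")
    return read(LENGTH_PREFIX * 8, length)


def demo() -> dict:
    """Embed a harmless stand-in script in a constructed carrier and report three facts."""
    rng = random.Random(2020)  # constructed 64x48 RGB "photo", not a real download
    carrier = bytes(rng.randrange(256) for _ in range(64 * 48 * 3))
    payload = b"Write-Host 'stage two would run here'"  # harmless stand-in for the real script
    stego = embed_lsb(carrier, payload)
    return {
        # the payload comes back intact ...
        "recovered": extract_lsb(stego),
        # ... no colour sample moved by more than one step ...
        "max_sample_delta": max(abs(a - b) for a, b in zip(carrier, stego)),
        # ... and a scanner grepping the file for script text finds nothing
        "scanner_sees_payload": b"Write-Host" in bytes(stego),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The last field is the practical lesson: signature matching on the downloaded image is hopeless, because the script text never appears as contiguous bytes. Detection has to key on the behaviour around it instead, such as a hidden-window PowerShell process fetching files from image hosts, or on statistical analysis of the LSB plane where a real photograph is the carrier.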