Keypoints
- Researchers attribute more than 320 global attacks to TA558’s SteganoAmor campaign, primarily targeting Latin America but affecting many other countries.
- Initial delivery uses malicious Excel/Word documents (macros/OLE) and RTF exploits (CVE-2017-11882) to start multi-stage chains.
- Steganography is used: scripts download images or text from legitimate hosts, extract embedded Base64 payloads (often reversed), decode them and execute final payloads.
- Final payloads include AgentTesla, Remcos, XWorm, LokiBot, FormBook, Guloader, SnakeKeylogger, and others, often swapped between similar chains.
- The actor abuses compromised legitimate FTP and SMTP servers as C2/exfiltration points and uses legitimate services (paste[.]ee, Google Drive, image hosts) to hide malicious strings.
- Malware performs environment checks (hosting/platform and geo/IP), uses TLS mimicry or FTP/SMTP for C2 and exfiltration, and stores stolen credentials in aggregated logs on public directories.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Uses malicious Office attachments exploiting CVE-2017-11882 to execute payloads (‘RTF documents with an embedded exploit’).
- [T1566.002] Spearphishing Link – Documents contain embedded links/shorteners that redirect to next-stage hosts (‘sends a request to qly[.]ai/08XE5, a shortened link that redirects to …’).
- [T1204] User Execution – Relies on victims opening macro/OLE-enabled Excel/Word files and enabling content (‘Excel downloads with the help of macros a file named “packedtpodododod.exe”‘).
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts are used to decode and execute payloads extracted from images (‘The PowerShell command inside the script’ to decrypt payload from the image).
- [T1027.003] Obfuscated Files or Information: Steganography – Next-stage payloads are embedded in images or text hosted on legitimate services and wrapped in multiple encoding layers, including reversed Base64 (‘a Base64-encoded next-stage payload hidden inside the downloaded image’ and ‘reversed Base64-encoded file’).
- [T1203] Exploitation for Client Execution – RTF documents exploit CVE-2017-11882 (a memory-corruption bug in the Office Equation Editor) to run code when the document is opened; this is code execution in the user's context, not privilege escalation (‘This variant contains CVE-2017-11882 and downloads the following file in the chain’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Malware like AgentTesla configures persistence to run at startup (described persistence behavior for AgentTesla).
- [T1071.001] Application Layer Protocol: Web Protocols – Intermediate scripts and payloads are fetched over HTTP(S) from shortened links, paste sites and image hosts; C2 and exfiltration over FTP and SMTP fall under [T1071.002] File Transfer Protocols and [T1071.003] Mail Protocols (‘AgentTesla uploads data to the C2 via FTP. The C2 itself is a legitimate website that has been compromised’).
- [T1041] Exfiltration Over C2 Channel – Stolen credentials and logs are uploaded to compromised FTP/SMTP servers (‘AgentTesla uploads data to the C2 via FTP’ and ‘forwards the information it stole to the compromised legitimate SMTP server’).
- [T1555] Credentials from Password Stores – AgentTesla harvests saved credentials from browsers, email clients and remote access tools; the actor then aggregates the stolen data into HTML/log files on publicly readable directories of the compromised FTP servers (‘data stolen with the help of AgentTesla was stored in the form of HTML files …’).
- [T1083] File and Directory Discovery – The stealers enumerate the files and directories where browser, email and remote access clients keep their data before collecting it for exfiltration (‘AgentTesla steals data from browsers, email clients, remote access services’).
- [T1036.005] Masquerading: Match Legitimate Name or Location – Uses lure-themed file names and compromised legitimate domains so that both the attachment and the outbound traffic look benign (‘file names like greatloverstory.vbs … associated with love’; C2 and exfiltration go to real, compromised domains such as itresinc.com rather than to look-alike domains).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Not observed in the described chains; listed only because the stolen remote access credentials would allow follow-on lateral movement over SMB/admin shares.
Indicators of Compromise
- [IP Address] payload/C2 hosts – 23[.]95[.]60[.]74 (staged RTF/VBS/image host), 94[.]156[.]65[.]225 (hosted packedtpodododod.exe), and many others.
- [Domain / Hostnames] staging and C2 – paste[.]ee (hosted obfuscated scripts), uploaddeimagens[.]com[.]br (image hosting used for steganography), mail.itresinc.com (compromised SMTP C2), and sempersim[.]su (LokiBot C2).
- [File Hashes] payload samples – packedtpodododod.exe SHA-256: C42288A5… (downloaded by macro), Cerere de cotatie.xla SHA-256: 64020a7a…, Guloader setup SHA-256: bfd50523e…, plus further hashes given in the source but not reproduced here.
- [File Names] malicious attachments and scripts – greatloverstory.vbs, Cerere de cotatie.xla, NEW ORDER.xls, “loading advice.exe” (AgentTesla), and romamammamamamaa.txt (reversed Base64 payload).
- [URLs / Paths] specific staged payload URLs – 94[.]156[.]65[.]225/packedtpodododod.exe, 23[.]95[.]60[.]74/romamammamamamaa.txt, 103[.]237[.]87[.]56/setup/bin.exe, and uploaddeimagens[.]com[.]br/images/…/new_image.jpg.
Attack procedure (technical summary): TA558 delivers malicious Office attachments (XLA/XLSX/DOCX) or links in spearphishing emails; macros or OLE lead to shortened URLs that fetch malicious RTF files exploiting CVE-2017-11882. The exploited RTFs fetch obfuscated VBS or PowerShell scripts which then request content from legitimate paste sites and image hosts.
Those scripts extract encoded payloads hidden inside images or text (steganography), perform multiple decoding steps (reversing the string, then Base64-decoding it), and write and execute the resulting PE payloads (AgentTesla, Remcos, XWorm, LokiBot, FormBook via Guloader, SnakeKeylogger, etc.). Payloads run environment checks (hosting checks via ip-api, geo/IP lookups) and use TLS mimicry or FTP/SMTP to communicate with C2, exfiltrate stolen browser/email/remote access credentials, and store aggregated logs on compromised public FTP directories.
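The decoding step above, as an added example written for this page (it is not code from the report or from the actor's VBS/PowerShell loaders): recover a Base64 blob appended to a downloaded image or dropped as a bare text file, try both plain and reversed Base64 as the chains do, and accept the result only if it starts with a PE "MZ" header. The marker strings, the JPEG-shaped carrier bytes and the fake PE body are constructed for the example; real loaders use their own delimiters.

```python
"""
Added example (not code from the report or from the actor's loaders): extract a
plain or reversed Base64 payload from an image tail or a text drop and accept
it only if it decodes to a PE image. Markers, carrier and payload are constructed.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed delimiters; real loaders use actor-specific marker strings.
START_MARKER = b"<<B64_START>>"
END_MARKER = b"<<B64_END>>"
# A long run of Base64 alphabet characters, allowing line breaks.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"

# Constructed stand-in for a PE payload: only the MZ header is meaningful.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"CONSTRUCTED-FAKE-PE-BODY"


def build_carrier(payload: bytes, reverse: bool) -> bytes:
    """Build a minimal JPEG-shaped file with the Base64 payload appended after EOI,
    optionally reversed, mirroring the 'reversed Base64' variant in the report."""
    blob = base64.b64encode(payload)
    if reverse:
        blob = blob[::-1]
    image_body = JPEG_SOI + b"\x00" * 32 + JPEG_EOI
    return image_body + START_MARKER + blob + END_MARKER


def build_text_drop(payload: bytes) -> bytes:
    """Build a bare reversed-Base64 text file, like the .txt drops in the chain."""
    return base64.b64encode(payload)[::-1]


def candidate_blobs(data: bytes) -> List[bytes]:
    """Collect Base64-looking runs: marker-delimited text first, then any long run
    after the JPEG EOI (or anywhere, for a plain text drop)."""
    blobs: List[bytes] = []
    m = re.search(re.escape(START_MARKER) + rb"(.*?)" + re.escape(END_MARKER), data, re.S)
    if m:
        blobs.append(m.group(1))
    eoi = data.rfind(JPEG_EOI)
    tail = data[eoi + len(JPEG_EOI):] if eoi != -1 else data
    for run in B64_RUN_RE.findall(tail):
        if run not in blobs:
            blobs.append(run)
    return blobs


def try_decode(blob: bytes) -> Optional[Tuple[str, bytes]]:
    """Try plain then reversed Base64; return (variant, bytes) only for a PE image.
    A reversed blob usually starts with '=' padding, so strict decoding rejects it
    as plain Base64 and the reversed attempt is what succeeds."""
    for variant, text in (("base64", blob), ("reversed-base64", blob[::-1])):
        compact = re.sub(rb"\s+", b"", text)
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith(b"MZ"):
            return variant, decoded
    return None


def extract_payload(data: bytes) -> Optional[Tuple[str, bytes]]:
    """Return the first decodable PE payload found in an image or text drop."""
    for blob in candidate_blobs(data):
        result = try_decode(blob)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for sample in (build_carrier(FAKE_PE, False), build_carrier(FAKE_PE, True), build_text_drop(FAKE_PE)):
        found = extract_payload(sample)
        print(found[0] if found else None, found[1][:4] if found else None)
```

Run against a real sample, the MZ check is what keeps the extractor from handing an unrelated Base64 run (EXIF comments, ICC profiles) to the next analysis step; if the loader in front of you uses a different marker or encodes the payload in several chunks, adjust `START_MARKER`/`END_MARKER` and the run length in `B64_RUN_RE` rather than the decode logic.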
Infrastructure and evasion: the actor abuses compromised legitimate FTP and SMTP servers for C2 and for sending phishing (a given server serves one role in a given attack), hosts intermediate scripts on paste[.]ee and Google Drive, and hides final payloads behind obfuscation and legitimate-service hosting to complicate detection. Defenders should monitor macro-enabled attachments and Equation Editor exploitation attempts (CVE-2017-11882), script hosts such as powershell.exe and wscript.exe downloading from paste and image hosts, unexpected outbound FTP/SMTP from workstations to third-party servers, and public directories for unexpected credential logs.
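The monitoring advice above turned into a small triage pass, as an added example for this page (not code from the report): it runs three rules over constructed proxy/firewall log lines, matching the indicators quoted in this summary, script hosts fetching from the staging services named in the report, and FTP/SMTP egress from workstations to anything other than an assumed corporate relay. The `key=value` log format, the `WS-` workstation naming convention, the `mail.corp.example` relay and the 203.0.113.0/24 addresses are assumptions made for the example.

```python
"""
Added example (not code from the report): triage constructed log lines with the
three checks the report's defensive advice suggests. Log format, host naming,
the corporate relay name and the 203.0.113.x addresses are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Network indicators quoted in this summary (defanging brackets removed).
IOC_HOSTS = {
    "23.95.60.74", "94.156.65.225", "103.237.87.56",
    "paste.ee", "uploaddeimagens.com.br", "mail.itresinc.com", "sempersim.su",
}
# Legitimate services the report says are abused to stage scripts and images.
STAGING_HOSTS = {"paste.ee", "uploaddeimagens.com.br", "drive.google.com"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
FTP_SMTP_PORTS = {21, 25, 587}
ALLOWED_MAIL_RELAYS = {"mail.corp.example"}  # assumed corporate relay

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'key=value' pairs; the leading timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def rules_for(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    hits: List[str] = []
    dst = ev.get("dst", "")
    proc = ev.get("proc", "").lower()
    dport = int(ev.get("dport", "0"))
    if dst in IOC_HOSTS:
        hits.append("ioc_hit")
    # Script interpreters pulling from paste/image/drive hosts is the chain's signature.
    if proc in SCRIPT_HOSTS and dst in STAGING_HOSTS:
        hits.append("script_host_staging_download")
    # Workstations should not speak FTP/SMTP to anything but the corporate relay.
    if ev.get("host", "").startswith("WS-") and dport in FTP_SMTP_PORTS and dst not in ALLOWED_MAIL_RELAYS:
        hits.append("workstation_ftp_smtp_egress")
    return hits


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, host, matched rules) for every line that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        hits = rules_for(ev)
        if hits:
            findings.append((ev["ts"], ev.get("host", "?"), hits))
    return findings


# Constructed log lines; only the destinations on the IoC list come from the report.
SAMPLE_LOGS = [
    "2024-04-15T09:58:03Z host=WS-017 proc=chrome.exe dst=drive.google.com dport=443",
    "2024-04-15T10:02:11Z host=WS-017 proc=powershell.exe dst=paste.ee dport=443 url=https://paste.ee/r/example",
    "2024-04-15T10:02:40Z host=WS-017 proc=wscript.exe dst=23.95.60.74 dport=80 url=http://23.95.60.74/romamammamamamaa.txt",
    "2024-04-15T10:05:12Z host=WS-017 proc=unknown.exe dst=203.0.113.45 dport=21",
    "2024-04-15T10:06:00Z host=WS-017 proc=outlook.exe dst=mail.corp.example dport=587",
    "2024-04-15T10:07:30Z host=SRV-MAIL01 proc=postfix dst=203.0.113.80 dport=25",
]

if __name__ == "__main__":
    for ts, host, hits in triage(SAMPLE_LOGS):
        print(ts, host, ",".join(hits))
```

The `ioc_hit` rule ages quickly because the actor rotates compromised servers; the other two rules key on behaviour (which process talks to which class of host, and which hosts are allowed to speak FTP/SMTP at all) and are the ones worth keeping after the listed indicators go stale.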