A malicious Excel file named blcopy.xls uses steganography to embed and load multiple payloads, including a PowerShell script hidden within a JPEG image. The final payload is a DLL, likely a Katz stealer, delivered through a complex multi-stage infection chain involving HTA, BAT, VBS, and VBA scripts. #blcopy.xls #KatzStealer #steganography #PowerShell #VBA
Keypoints
- A malicious Excel document (blcopy.xls) contains embedded XLS sheets and uses steganography to hide malicious payloads.
- The attack chain starts by downloading an HTA file which creates and runs BAT and VBS scripts inside the Windows Temp directory.
- The VBS script fetches a long VBA script from a Paste.ee URL that dynamically generates and executes a PowerShell script.
- The PowerShell script downloads a JPEG image containing a hidden Base64-encoded PE file marked by custom delimiters.
- This hidden payload is decoded into a DLL with SHA256 5a73927d56c0fd4a805489d5817e1aa4fbd491e5a91ed36f4a2babef74158912, identified as a Katz stealer.
- Despite Microsoft's tightened macro execution rules in Office, the infection method still relies on an Office document as the initial carrier, embedding multiple script and binary payloads within it and only executing them once the user enables macros.
- This campaign demonstrates sophisticated multi-stage delivery using common file types and steganography to evade detection.
MITRE Techniques
- [T1140] Deobfuscate/Decode Files or Information – Use of steganography to hide payload within a JPEG image between the tags “INICIO>>” and “>”. (‘the technique used by the attacker is to add a malicious payload to the picture, delimited by the tags “INICIO>>” and “>”‘)
- [T1204] User Execution – The malicious Excel document relies on the user enabling its embedded macros; the macro code then downloads the HTA, which in turn creates and runs the BAT and VBS scripts. (‘Office documents can execute malicious code’)
- [T1059] Command and Scripting Interpreter – Execution of BAT, VBS, VBA, and PowerShell scripts is used to download and execute further payloads. (‘This HTA file will generate a BAT file… that will generate and execute a VBS file… The VBA script… generate a PowerShell script and execute it’)
- [T1105] Ingress Tool Transfer – The VBA and PowerShell scripts download external resources from URLs including paste.ee and a suspicious JPEG file URL. (‘This URL will fetch a long VBA script’; ‘PowerShell downloads hxxps://zynova[.]kesug[.]com/new_image.jpg’)
- [T1055] Process Injection – The DLL payload is loaded reflectively and executed inside the PowerShell process. Note that in ATT&CK terms this in-process reflective load is closer to T1620 Reflective Code Loading than to cross-process injection; no injection into another process is described. (‘decoded and deobfuscated payload is a DLL that is loaded and executed’)
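The carving step described in the keypoints and under T1140 above, as an added example that is not code from the diary or from the attacker's scripts: a Python triage helper that searches an image file for the “INICIO>>” / “>” delimiters quoted in the diary, Base64-decodes the blob, sanity-checks it for a PE header and hashes it so the result can be compared against the DLL hash listed in the IoCs. The sample image bytes and the stub "PE" are constructed for the example; the function and constant names are assumptions of this example.

```python
import base64
import hashlib
import re
from typing import Optional

# Delimiters as quoted in the diary: the payload is appended to the picture
# between "INICIO>>" and the next ">". Base64 never contains '>', so the first
# '>' after the start marker terminates the blob.
START_MARKER = b"INICIO>>"
END_MARKER = b">"

# SHA256 of the decoded DLL listed in the IoCs (from the page, not computed here).
KNOWN_DLL_SHA256 = "5a73927d56c0fd4a805489d5817e1aa4fbd491e5a91ed36f4a2babef74158912"


def extract_hidden_base64(image_bytes: bytes) -> Optional[bytes]:
    """Return the raw Base64 text between the markers, or None if absent."""
    start = image_bytes.find(START_MARKER)
    if start == -1:
        return None
    start += len(START_MARKER)
    end = image_bytes.find(END_MARKER, start)
    if end == -1:
        return None
    return image_bytes[start:end]


def decode_payload(b64: bytes) -> Optional[bytes]:
    """Strict Base64 decode after stripping any whitespace wrapped into the blob."""
    cleaned = re.sub(rb"\s+", b"", b64)
    try:
        return base64.b64decode(cleaned, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' DOS header and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def carve_payload(image_bytes: bytes) -> dict:
    """Locate, decode and characterise the hidden payload; never execute it."""
    b64 = extract_hidden_base64(image_bytes)
    if b64 is None:
        return {"found": False}
    blob = decode_payload(b64)
    if blob is None:
        return {"found": True, "decoded": False}
    digest = sha256_hex(blob)
    return {
        "found": True,
        "decoded": True,
        "is_pe": looks_like_pe(blob),
        "size": len(blob),
        "sha256": digest,
        "matches_ioc": digest == KNOWN_DLL_SHA256,
        "payload": blob,
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for the DLL: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)       # 60 bytes up to e_lfanew
    hdr += (0x40).to_bytes(4, "little")           # e_lfanew -> 0x40
    hdr += b"PE\0\0" + b"\x00" * 20               # PE signature plus padding
    return bytes(hdr)


FAKE_PE = build_fake_pe()

# Constructed "image": JPEG SOI/EOI markers followed by the appended, delimited blob.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"JFIF\x00" * 4 + b"\xff\xd9"
    + START_MARKER + base64.b64encode(FAKE_PE) + END_MARKER + b"trailing junk"
)

if __name__ == "__main__":
    result = carve_payload(SAMPLE_IMAGE)
    print({k: v for k, v in result.items() if k != "payload"})
```

On a real sample, read `new_image.jpg` from disk and pass its bytes to `carve_payload`; a `sha256` equal to `KNOWN_DLL_SHA256` confirms the IoC, while `is_pe` being True with a different hash indicates a re-packed variant worth submitting for analysis.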
Indicators of Compromise
- [File Hash] Malicious Excel file – c92c761a4c5c3f44e914d6654a678953d56d4d3a2329433afe1710b59c9acd3a
- [File Hash] VBA script downloaded from paste.ee – 352ef6f5c4568d6ed6a018a5128cf538d33ea72bd040f0fd3b9bca6bd6a5dae9
- [File Hash] Final DLL payload (Katz stealer) – 5a73927d56c0fd4a805489d5817e1aa4fbd491e5a91ed36f4a2babef74158912
- [URL] HTA payload – hxxp://107[.]172[.]235[.]203/245/wecreatedbestsolutionswithniceworkingskill.hta
- [URL] VBA script fetch URL – hxxp://paste[.]ee/d/tifhAljb/0
- [URL] JPEG containing hidden payload – hxxps://zynova[.]kesug[.]com/new_image.jpg
Read more: https://isc.sans.edu/diary/rss/32044