New Steganographic Campaign Distributing Multiple Malware Variants
Essential information
- Published
- 17/03/2025 18:17
- Modified
- 18/03/2025 09:58
- Tags
- 2025-03-17 CVE-2017-0199 agenttesla asyncrat dcrat obfuscation phishing process-hollowing remcos remote access trojan steganography vipkeylogger
- Related entities
- 1 vulnerabilities (cve), 13 observables, 8 techniques (mitre), 5 malware
Description
A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HTA file, which in turn downloads a VBS script. The script retrieves a JPG file concealing base64-encoded malware. The payload is then injected into legitimate processes using process hollowing techniques. The campaign demonstrates advanced evasion methods and the potential to deploy various remote access trojans, highlighting the need for robust cybersecurity practices.
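One defender-side check for the "JPG concealing base64-encoded malware" stage, added here as an example (not code from the original report): it walks a JPEG's segment structure, takes whatever follows the EOI marker, and tests whether that trailer is a base64 blob that decodes to something starting with an `MZ` header. It assumes the payload is appended after the image rather than hidden in pixel data, which the report does not state, and runs on a constructed minimal JPEG plus a fake `MZ` stub, not on a real sample.

```python
import base64
import re
import struct

# Constructed input: a minimal JPEG (SOI, APP0, SOS, a few bytes of
# entropy-coded data with FF00 stuffing, EOI). Not a real image.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                 # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                 # SOS header
    b"\x12\x34\xff\x00\x56"                                     # scan data
    b"\xff\xd9"                                                 # EOI
)
# Constructed stand-in for an executable: an MZ header plus filler, not real code.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 30
SAMPLE_STEGO = SAMPLE_JPEG + base64.b64encode(FAKE_PAYLOAD)

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def jpeg_trailer(data: bytes) -> bytes:
    """Return the bytes after the JPEG EOI marker (empty if none or not a JPEG)."""
    if not data.startswith(b"\xff\xd8"):
        return b""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return b""                       # malformed segment stream
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI reached before any scan
            return data[pos + 2:]
        if marker == 0xDA:                   # SOS: entropy-coded data follows;
            eoi = data.find(b"\xff\xd9", pos)  # FFD9 cannot occur inside it
            return data[eoi + 2:] if eoi != -1 else b""
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                         # standalone markers carry no length
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                   # skip APPn/DQT/SOF/etc. by length
    return b""


def decode_trailer(trailer: bytes):
    """Return decoded bytes if the trailer is one base64 blob, else None."""
    compact = re.sub(rb"\s+", b"", trailer)
    if len(compact) < 32 or len(compact) % 4 or not B64_RE.match(compact):
        return None
    return base64.b64decode(compact, validate=True)


def inspect_image(data: bytes) -> dict:
    """Summarise whether an image carries an appended base64 PE-like payload."""
    trailer = jpeg_trailer(data)
    decoded = decode_trailer(trailer)
    return {
        "trailer_bytes": len(trailer),
        "base64_trailer": decoded is not None,
        "decoded_pe_header": decoded is not None and decoded.startswith(b"MZ"),
    }
```

Any non-empty trailer on an image fetched by a script is worth flagging on its own; the base64 and `MZ` checks only raise confidence.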