TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks

Apr 16, 2024NewsroomTight Intelligence / Endpoint Security

Malware Attacks

The threat actor is tracked as TA558 observed the use of steganography as an obfuscation technique to deliver a wide variety of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others.

“The group made extensive use of steganography by sending VBS, PowerShell code, as well as RTF documents with embedded exploits, within images and text files,” the Russian cybersecurity company said. which is Positive Technologies. SAYS in a report on Monday.

The campaign was codenamed SteganoAmor due to its reliance on steganography and choice of file names such as greatloverstory.vbs and easytolove.vbs.

The majority of attacks targeted the industrial, service, public, electricity, and construction sectors of Latin American countries, although companies located in Russia, Romania, and Turkey were also targeted.


The development comes as TA558 has also been spotted deploying the Venom RAT through phishing attacks targeting businesses located in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic , and Argentina.

It all started with a phishing email containing a trapped email Microsoft Excel attachment that exploited a now-patched security flaw in the Equation Editor (CVE-2017-11882) to download a Visual Basic Script that, in turn, captures the next stage. payload from paste(.)ee.

The hidden malicious code takes care of downloading two images from an external URL embedded in a Base64-encoded component that ultimately extracts and executes the Agent Tesla malware on compromised host.

Malware Attacks

Beyond Agent Tesla, other variants of the attack chain led to various malware such as FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm, designed for remote access, data theft, and delivering secondary payloads.

Phishing emails are sent from legitimate-but-compromised SMTP servers to lend the messages a bit of credibility and reduce the chance of them being blocked by email gateways. Additionally, TA558 was found to be using infected FTP servers to conduct the stolen data.

The disclosure comes against the backdrop of a series of phishing attacks targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia with malware called LazyStealer to harvest credentials from in Google Chrome.


Positive Technologies tracked the cluster of activity under the name Lazy Koala in reference to the username (joekoala), which it said controlled Telegram bots that received the stolen data.

As such, the victim’s geography and malware artifacts indicate potential links to another hacking group tracked by Cisco Talos under the name YoroTrooper (aka SturgeonPhisher).

“The main tool of the group is a primitive stealer, whose protection helps to avoid detection, slow down the analysis, grab all the stolen data, and send it to Telegram, which has become popular among malicious people actor of the year,” security researcher Vladislav Lunin. SAYS.

The findings also follow a wave of social engineering campaigns designed to spread malware families such as FatalRAT and SolarMarker.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment