Steganography-Based Malware Campaign SteganoAmor Targets Latin American Industries
ICARO Media Group
In a recent report, Russian cybersecurity company Positive Technologies revealed the activities of threat actor TA558, who has been utilizing steganography as a means to deploy a variety of malware. The campaign, dubbed "SteganoAmor," employs hidden malicious code within images and text files to deliver malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm.
Positive Technologies stated that TA558 extensively employed steganography techniques by embedding VBSs, PowerShell code, and RTF documents with exploits into images and text files. The group also chose file names like "greatloverstory.vbs" and "easytolove.vbs" to further obfuscate their activities.
Although the majority of the attacks have targeted industrial, services, public, electric power, and construction sectors in Latin American countries, companies in Russia, Romania, and Turkey have also been targeted. The campaign has been particularly active in compromising organizations located in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina.
The modus operandi of this campaign begins with phishing emails containing a booby-trapped Microsoft Excel attachment. This attachment exploits a now-patched security flaw in Equation Editor (CVE-2017-11882), leading to the download of a Visual Basic Script that fetches the next-stage payload from paste[.]ee. The obfuscated malicious code then downloads two images from an external URL, which contain a Base64-encoded component that ultimately retrieves and executes the Agent Tesla malware.
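As an added defensive illustration (not code from the report or from Positive Technologies), the heuristic below scans an image for the kind of hidden component described above: a Base64-encoded blob that a viewer ignores but a loader decodes. It assumes the blob is appended after the JPEG EOI or PNG IEND marker, which is one common placement (the report does not state the exact embedding), and it uses constructed stub images rather than real campaign samples.

```python
import base64
import binascii
import re

# Heuristic (assumed, not from the report): data appended after an image's
# end marker is ignored by viewers, so a Base64 blob hidden there survives
# rendering. Long Base64 runs in that tail are decoded and classified.
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def trailing_data(image: bytes) -> bytes:
    """Return the bytes that follow the image's terminating marker."""
    if image[:2] == b"\xff\xd8":                  # JPEG SOI
        idx = image.rfind(JPEG_EOI)               # rfind skips EXIF thumbnails
        return image[idx + 2:] if idx != -1 else b""
    if image[:8] == PNG_SIG:
        idx = image.find(b"IEND")                 # IEND chunk: type + 4-byte CRC
        return image[idx + 8:] if idx != -1 else b""
    return b""


def scan_image(image: bytes) -> dict:
    """Decode Base64 runs after the image data and flag what they contain."""
    tail = trailing_data(image)
    markers = []
    for run in BASE64_RUN.finditer(tail):
        try:
            decoded = base64.b64decode(run.group(0), validate=True)
        except binascii.Error:
            continue                              # not a clean Base64 run
        if decoded[:2] == b"MZ":
            markers.append("pe_executable")       # Windows PE header
        elif re.search(rb"(?i)powershell|createobject|wscript", decoded):
            markers.append("script")              # VBS / PowerShell loader
    return {"trailing_bytes": len(tail), "markers": markers}


# Constructed samples: a stub JPEG and PNG, not real campaign artifacts.
_JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + JPEG_EOI
_PNG_STUB = PNG_SIG + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"
SAMPLE_CLEAN_JPEG = _JPEG_STUB
SAMPLE_JPEG_WITH_PE = _JPEG_STUB + base64.b64encode(b"MZ" + b"\x00" * 46)
SAMPLE_PNG_WITH_SCRIPT = _PNG_STUB + base64.b64encode(
    b'Set o = CreateObject("WScript.Shell")'.ljust(48))

if __name__ == "__main__":
    for name, img in [("clean", SAMPLE_CLEAN_JPEG), ("pe", SAMPLE_JPEG_WITH_PE),
                      ("script", SAMPLE_PNG_WITH_SCRIPT)]:
        print(name, scan_image(img))
```

A production check would also inspect the image body itself (the report does not say the blob sits only in the trailer) and pair the result with the download context, for example an image fetched by a script rather than a browser.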
The TA558 group has been found to deploy not only Agent Tesla but also other malware variants like FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm. These variants provide remote access to compromised systems, facilitate data theft, and deliver secondary payloads.
To add credibility and evade email gateways, the phishing emails are sent from compromised SMTP servers. Additionally, TA558 has been observed using infected FTP servers to store stolen data.
In another development, Positive Technologies discovered a series of phishing attacks targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. The attacks employed a malware called "LazyStealer," which is designed to harvest credentials from Google Chrome. The activity cluster associated with these attacks is being tracked by Positive Technologies under the name "Lazy Koala."
Furthermore, researchers have noted potential connections between the TA558 group and another hacking group, YoroTrooper (aka SturgeonPhisher), as the victim geography and malware artifacts align.
Vladislav Lunin, a security researcher, remarked that the main tool utilized by the TA558 group is a primitive stealer, which aids in evading detection, hindering analysis, and sending the stolen data to Telegram, a messaging platform popular among malicious actors.
These findings come at a time when social engineering campaigns promoting malware families like FatalRAT and SolarMarker have been on the rise, and they highlight the need for heightened vigilance and robust cybersecurity measures to protect against such sophisticated attacks.
While the cybersecurity community continues to track and analyze these activities, organizations are urged to implement strong security measures, including user awareness training, regular software updates, and email gateway solutions, to mitigate the risk posed by these evolving threats.