Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer
VIP Keylogger Malware Campaign
Recent reports from HP Wolf Security highlight a sophisticated malware campaign involving the VIP Keylogger, a comprehensive keylogger and data stealer.
Key Findings:
- Delivery Method: The malware is delivered through phishing emails that masquerade as invoices and purchase orders. These emails contain malicious archive files (such as ZIP and GZ) that include a .NET executable [1][2].
- Execution: When the archive file is opened, it acts as an initial stager, unpacking and executing the VIP Keylogger. The malware creates a registry run key to ensure it starts each time the user logs on [1][2].
- Capabilities: VIP Keylogger can record keystrokes, extract credentials from applications, capture clipboard data, and take screenshots. It shares functional overlaps with other keyloggers like Snake Keylogger and 404 Keylogger [2].
- Image-Based Malware: The attackers hide malicious code within images hosted on websites like archive.org. The code is decoded and executed through a PowerShell script, which downloads and runs the .NET executable containing the VIP Keylogger [1][2].
0bj3ctivity Stealer Image Attack
Another campaign involves the 0bj3ctivity Stealer, an information stealer designed to exfiltrate sensitive data.
Key Findings:
- Delivery Method: Similar to the VIP Keylogger campaign, this malware is spread through phishing emails posing as requests for quotations. These emails contain malicious archive files with a JavaScript file that mixes legitimate and malicious code [1][2].
- Execution: The JavaScript file decodes a Base64 encoded PowerShell script, which downloads an image from a web server. The image contains Base64 encoded malicious code that is decoded and executed, leading to the loading of a .NET executable. This executable is the same loader used in the VIP Keylogger campaign [1][2].
- Capabilities: 0bj3ctivity Stealer exfiltrates information such as passwords and credit card details through Telegram, HTTP, or SMTP [1].
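Both campaigns above rely on an image that carries a Base64 blob which a script later decodes. A defender-side check for that pattern is to look at whatever bytes sit after the image's end-of-file marker, since a valid PNG or JPEG has nothing to say past that point. The following Python is an added example written for this page, not tooling from HP Wolf Security or from either campaign; the PNG it builds, the marker keywords it searches for and the hidden text it appends are all constructed for illustration.

```python
"""Added example: flag images that carry Base64-encoded data after their EOF marker.

Heuristic only: a clean file has zero trailing bytes; a file with a long,
Base64-shaped tail that decodes to script keywords or a PE header is worth
quarantining and inspecting. Sample inputs below are constructed.
"""
import base64
import binascii
import re
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND" + b"\xae\x42\x60\x82"   # IEND chunk type followed by its fixed CRC
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Alphabet check for a Base64 tail (newlines tolerated).
B64_SHAPE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")

# Keywords, matched case-insensitively in the decoded tail, that point at a
# script stage or a loader rather than at harmless metadata (assumed list).
SCRIPT_MARKERS = (b"powershell", b"frombase64string", b"invoke-expression",
                  b"downloadstring", b"assembly.load", b"reflection.assembly")


def trailing_data(blob: bytes) -> bytes:
    """Return the bytes that follow the image's end marker, or b'' if none."""
    if blob.startswith(PNG_SIGNATURE):
        idx = blob.find(PNG_IEND)             # first IEND chunk ends the image
        return blob[idx + len(PNG_IEND):] if idx != -1 else b""
    if blob.startswith(JPEG_SOI):
        # Last EOI marker; a text (Base64) tail cannot contain 0xFF, so rfind is safe here.
        idx = blob.rfind(JPEG_EOI)
        return blob[idx + len(JPEG_EOI):] if idx != -1 else b""
    return b""


def decode_if_base64(data: bytes, min_len: int = 64):
    """Decode a Base64-shaped tail; None if it is too short or not Base64."""
    stripped = data.strip()
    if len(stripped) < min_len or not B64_SHAPE.match(stripped):
        return None
    try:
        return base64.b64decode(stripped)
    except binascii.Error:
        return None


def analyse_image(blob: bytes) -> dict:
    """Summarise what, if anything, is hidden after the image data."""
    tail = trailing_data(blob)
    report = {"trailing_bytes": len(tail), "base64": False,
              "markers": [], "pe_header": False}
    decoded = decode_if_base64(tail) if tail else None
    if decoded is None:
        return report
    lowered = decoded.lower()
    report["base64"] = True
    report["markers"] = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
    report["pe_header"] = decoded.startswith(b"MZ")   # DOS/PE stub of an executable
    return report


# ---- constructed samples -------------------------------------------------

def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data).to_bytes(4, "big")
    return len(data).to_bytes(4, "big") + ctype + data + crc


def make_png_1x1() -> bytes:
    """Build a valid 1x1 black RGB PNG entirely in memory."""
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 2, 0, 0, 0])
    raw = b"\x00" + b"\x00\x00\x00"            # filter byte + one pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


# Constructed stand-in for a hidden script: only marker words, not a real loader.
SAMPLE_HIDDEN = b"# constructed placeholder, not a real loader\nFromBase64String Assembly.Load"

CLEAN_PNG = make_png_1x1()
SUSPICIOUS_PNG = CLEAN_PNG + base64.b64encode(SAMPLE_HIDDEN)
SUSPICIOUS_JPEG = JPEG_SOI + JPEG_EOI + base64.b64encode(SAMPLE_HIDDEN)  # header-only stub

if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("odd.png", SUSPICIOUS_PNG),
                       ("odd.jpg", SUSPICIOUS_JPEG)):
        print(name, analyse_image(blob))
```

The check deliberately stops at classification: anything flagged goes to a sandbox or an analyst, and the decoded tail is never executed. Images that legitimately carry trailing metadata exist, so treat a non-empty tail as a triage signal and the keyword or PE-header hits as the stronger indicator.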
GenAI in Cybercrime Tactics
The use of Generative Artificial Intelligence (GenAI) is becoming increasingly prevalent in cybercrime tactics.
Key Findings:
- HTML Smuggling: HP Wolf Security reported a campaign using HTML smuggling to deliver the XWorm malware. The HTML files used in this campaign showed hallmarks of being written with the help of GenAI, such as a high volume of comments describing the code and a design identical to outputs from ChatGPT-4 [1][2].
- Initial Access and Malware Delivery: GenAI is being used in the intermediate stages of the attack chain, focusing on initial access and malware delivery. This allows threat actors to scale their attacks and create more variations, potentially increasing infection rates [1][2].
- Future Implications: While there is currently no evidence of GenAI being used to develop malware payloads in the wild, researchers believe this could occur in the future as GenAI technology improves. This would make attribution by network defenders more difficult and enhance the efficiency of cybercrime operations [1][2].
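The HTML smuggling finding above gives a mail gateway two things to look for: the browser APIs that turn an embedded Base64 literal into a downloadable file, and the unusually heavy commenting the report associates with GenAI-written droppers. The Python below is an added example for this page, not HP Wolf Security's detection logic; the indicator list, the score weights and the 25% comment-density threshold are assumptions, and both sample files are constructed fragments rather than real attachments.

```python
"""Added example: triage an HTML attachment for smuggling indicators.

Scores three traits: browser APIs used to materialise a file client-side,
a large Base64 literal, and a high share of the file taken up by comments.
Weights and thresholds are assumed; tune them against your own mail corpus.
"""
import re

# API usage typical of client-side file materialisation (assumed indicator list).
API_INDICATORS = {
    "atob(": re.compile(r"\batob\s*\("),
    "new Blob(": re.compile(r"new\s+Blob\s*\("),
    "createObjectURL(": re.compile(r"createObjectURL\s*\("),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob"),
    "download attr": re.compile(r"\.download\s*=|\bdownload\s*="),
}
# A quoted run of 200+ Base64 characters, optionally padded.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
# Comment syntaxes; the // form would also catch URLs, so keep that in mind.
JS_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)


def comment_density(html: str) -> float:
    """Fraction of the file's characters that sit inside comments."""
    commented = sum(len(m.group(0)) for m in JS_COMMENT.finditer(html))
    commented += sum(len(m.group(0)) for m in HTML_COMMENT.finditer(html))
    return commented / max(len(html), 1)


def triage_html(html: str, comment_threshold: float = 0.25) -> dict:
    """Return indicator hits and an overall score (>= 4 is treated as suspicious)."""
    hits = [name for name, rx in API_INDICATORS.items() if rx.search(html)]
    literals = B64_LITERAL.findall(html)
    density = comment_density(html)
    score = len(hits) + (2 if literals else 0) + (1 if density >= comment_threshold else 0)
    return {
        "api_hits": hits,
        "large_base64_literals": len(literals),
        "comment_density": round(density, 2),
        "score": score,
        "suspicious": score >= 4,
    }


# ---- constructed samples -------------------------------------------------

# Comment-heavy fragment with the API chain but no runnable payload: the literal
# decodes to repeated 'AAA', not to a file.
SAMPLE_SUSPICIOUS = """<html><body>
<!-- This script decodes the embedded data -->
<script>
// Step 1: the encoded data is stored in a string
var data = '""" + "QUFB" * 60 + """';
// Step 2: convert the text to bytes (comment-heavy style)
var bin = atob(data);
// Step 3: wrap the bytes in a Blob and expose it through an object URL
var blob = new Blob([bin]);
var url = URL.createObjectURL(blob);
</script></body></html>"""

SAMPLE_CLEAN = """<html><body><p>Invoice attached as PDF.</p>
<script>document.title = 'Invoice';</script></body></html>"""

if __name__ == "__main__":
    print("suspicious:", triage_html(SAMPLE_SUSPICIOUS))
    print("clean:", triage_html(SAMPLE_CLEAN))
```

Comment density is a weak signal on its own, which is why it adds only one point: plenty of legitimate pages are well commented. The combination of `atob`, `Blob` and `createObjectURL` next to a long Base64 literal is what makes an attachment worth detonating, and the scoring keeps those weights explicit so they can be adjusted.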
General Trends and Implications
- Diversification of Tactics: Threat actors are diversifying their tactics to bypass detection, using a variety of vectors and file formats. Over half of the malware delivered to endpoints was via email, although this represented a decline compared to previous quarters. Other methods include malicious web browser downloads and the use of various file formats like executables, archive files, PDFs, and Microsoft Office documents [1].
- Commodification of Cybercrime: The availability of malware kits and the ease of use of these tools have made cybercrime more accessible to novices, contributing to the commodification of cybercrime. This trend is expected to continue, with AI-driven tools potentially supercharging cybercrime activities in 2025 [2][4].
These developments underscore the evolving landscape of cyber threats, where attackers are leveraging advanced technologies like GenAI to enhance their capabilities and evade detection.