New Steganographic Malware Hides in JPG Files to Deploy Multiple Password Stealers
gbhackers
A recent cybersecurity threat has emerged in the form of a steganographic campaign that uses seemingly harmless JPG files to distribute multiple types of malware, including password stealers like Remcos and AsyncRAT.
This sophisticated attack begins with a phishing email containing a malicious Excel document that exploits a known vulnerability, CVE-2017-0199, to initiate the infection chain.
Infection Chain and Malware Deployment
The Excel document, upon opening, issues an HTTP request to download a .hta file containing VBScript code.
This script writes a batch file that connects to a paste URL to download another obfuscated VBScript.
The VBScript then downloads a JPG file, which appears harmless but contains a base64 encoded malicious loader.
According to the Seqrite Blog Report, this loader is decoded and executed, leading to the deployment of the final payload.
The JPG file’s use of steganography allows it to conceal the malware effectively, making detection challenging.
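
One way to triage downloaded images for the kind of embedded base64 content described above. This is an added example, not code from the article or the Seqrite report; the 200-character threshold, the "MZ" (Windows PE) check on the decoded bytes, and the sample input are assumptions, since the article does not say where in the JPG the data sits or what format the loader has.

```python
import base64
import re

# Assumed threshold: 200+ consecutive base64-alphabet bytes is very unlikely
# in compressed image data, so such a run is worth a closer look.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker


def scan_image_for_base64(data: bytes) -> list:
    """Report long base64 runs embedded in image bytes."""
    eoi = data.rfind(JPEG_EOI)
    findings = []
    for m in B64_RUN.finditer(data):
        body = m.group().rstrip(b"=")
        body = body[: len(body) - len(body) % 4]  # whole quanta only
        decoded = base64.b64decode(body)
        findings.append({
            "offset": m.start(),
            "encoded_len": len(m.group()),
            "decoded_size": len(decoded),
            # Assumption: the hidden loader is a Windows PE ("MZ" header).
            "looks_like_pe": decoded[:2] == b"MZ",
            # Heuristic: run starts after the last end-of-image marker.
            "after_eoi": eoi != -1 and m.start() >= eoi + 2,
        })
    return findings


def build_sample() -> bytes:
    """Constructed test input: JPEG-like stub plus an appended base64 blob."""
    stub = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4 + JPEG_EOI
    fake_loader = b"MZ" + b"\x90" * 400  # inert placeholder bytes
    return stub + base64.b64encode(fake_loader)


if __name__ == "__main__":
    for f in scan_image_for_base64(build_sample()):
        print(f)
```

A hit is a reason to inspect the file, not a verdict: some legitimate images carry text metadata, so the decoded header check and the position relative to the end-of-image marker help prioritise.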
