A recent report found that the uptick in macro malware in the first half of 2018 was driven by Powload, which was circulated via spam emails. Researchers at the security firm Trend Micro stated that threat actors are using Powload to deliver information-stealing malware such as Emotet, Bebloh, and Ursnif.
The research also found that cybercriminals are using steganography, a novel way of spreading Powload, to infect targeted systems. Powload campaign activity is believed to have been under way since 2018, using fileless methods, steganography, and hijacked email accounts to deliver information-stealing malware such as Emotet, Bebloh, and Ursnif.
Steganography is a technique attackers use to hide malicious code inside an image; it has mainly been employed by exploit kits to conceal their malvertising traffic. The attackers use a publicly available script called Invoke-PSImage, which embeds malicious scripts in the pixels of a PNG file. They then approach victims via spam email campaigns carrying a document with an embedded malicious macro.
If the victim opens the document and the macro runs, the script executes and downloads the image hosted online that contains the malicious code. Once on the device, the malware connects to a remote server and downloads further malicious code to infect the user's device, encrypt files, and demand a ransom to restore access. The report also stated that the attackers' main motivation was to steal the victim's sensitive information and to perform other malicious operations.
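A detection-side illustration, added here and not taken from the article, Trend Micro, or the Invoke-PSImage project: a heuristic that recovers the byte stream an Invoke-PSImage-style embedding would leave in the low nibbles of two colour channels and flags images where that stream decodes to mostly printable text. Which two channels are used (red and green) and the 512-pixel sample size are assumptions; the sample images are constructed inside the block.

```python
import random

# Invoke-PSImage, the public script named in the article, is documented as
# storing one payload byte per pixel in the low 4 bits of two colour
# channels; this checker ASSUMES red carries the high nibble and green the low.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def recover_payload(pixels):
    """Rebuild the candidate byte stream from the low nibbles of R and G.
    `pixels` is an iterable of (r, g, b) tuples, e.g. the output of
    Image.open(path).convert("RGB").getdata() when using Pillow.
    """
    return bytes(((r & 0x0F) << 4) | (g & 0x0F) for r, g, _ in pixels)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def suspicious_nibble_text(pixels, sample=512, threshold=0.9):
    """Flag an image whose recovered nibble stream reads like text.
    Natural-image noise yields roughly 98/256 (~38%) printable bytes;
    a script body yields close to 100%. Returns (flagged, ratio, preview).
    """
    data = recover_payload(list(pixels)[:sample])
    ratio = printable_ratio(data)
    preview = data[:64].decode("ascii", errors="replace")
    return ratio >= threshold, ratio, preview


def make_samples(seed=7):
    """Constructed fixtures: a noise-like 'clean' image and a carrier."""
    rng = random.Random(seed)
    clean = [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
             for _ in range(1024)]
    # Made-up text standing in for a script body (888 bytes, 1 per pixel).
    text = b"Write-Host 'constructed sample text' " * 24
    carrier = [((r & 0xF0) | (byte >> 4), (g & 0xF0) | (byte & 0x0F), b)
               for (r, g, b), byte in zip(clean, text)]
    return clean, carrier


if __name__ == "__main__":
    for name, img in zip(("clean", "carrier"), make_samples()):
        flagged, ratio, preview = suspicious_nibble_text(img)
        print(f"{name}: flagged={flagged} ratio={ratio:.2f} {preview!r}")
```

The ratio threshold is deliberately far above the ~38% a noise-like image produces, so compressed photos and screenshots should not trip it; anything flagged still needs a human look at the recovered preview.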
“In some of the recent Powload-related incidents we saw, we noticed significant changes to some of the attachments in the spam emails: the use of steganography and targeting of specific countries. The samples we analyzed in early 2018 had more straightforward infection chains. These updates added another stage to the execution of malicious routines as a way to evade detection,” the report stated.
The use of steganography isn't new: recently, security researcher Matthew Rowen from Bromium discovered ransomware embedded in a downloadable Super Mario image using the same method. The attackers send emails with an attached spreadsheet that carries a macro and the embedded malware. The attachment prompts the user to click "Enable Content" in order to deploy the malware.
The researcher stated that the malware first checks the region, relying on the operating system's administrative language, to confirm that the device is located in Italy. The malware will not deploy if the device is not in Italy.