TA558 Attacks Surge: 320+ Organizations Targeted

Recently, the cybercriminal group TA558 has significantly increased its malicious activities, attacking organizations worldwide with various types of malware. Security specialists from Positive Technologies have identified over 320 attacks carried out by this group.

TA558 employs complex infection chains that include tools such as AgentTesla, FormBook, Remcos, and others. A hallmark of these hackers’ attacks is the use of steganography—concealing malicious code within images and text files.

The attacks begin with phishing emails containing Microsoft Office documents that exploit the CVE-2017-11882 vulnerability. Although this security flaw was patched in 2017, it remains a popular target for hackers due to the vast number of outdated Microsoft Office installations.

If an outdated version of Microsoft Office is installed on a computer, the exploit downloads a Visual Basic script, which, in turn, retrieves an image embedded with malicious code. Subsequently, using PowerShell, the final malicious payload is extracted and executed from this image.
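As an added defender-side example (not code from the article or from Positive Technologies), the script below triages image files by checking for data that sits after the picture's end-of-image marker, one common way a script or payload is stashed inside an otherwise valid image. It assumes that placement, which the article does not specify, and the sample bytes are constructed.

```python
import base64
import re
PNG_SIG = b"\x89PNG\r\n\x1a\n"
STUFFED = {0x00, *range(0xD0, 0xD8)}  # 0xFF00 byte stuffing and RSTn markers inside scan data
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def jpeg_end(blob):
    # Walk the segments to the real EOI (not one inside an EXIF thumbnail or appended data).
    pos = 2
    while pos + 2 <= len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if marker in (0xFF, 0x01) or 0xD0 <= marker <= 0xD8:  # fill byte / standalone marker
            pos += 1 if marker == 0xFF else 2
            continue
        pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")  # skip the segment body
        if marker == 0xDA:  # SOS: entropy-coded data runs until the next real marker
            while pos + 1 < len(blob) and (blob[pos] != 0xFF or blob[pos + 1] in STUFFED):
                pos += 1
    return None

def png_end(blob):
    pos = 8  # walk chunks (4-byte length, 4-byte type, data, 4-byte CRC) up to IEND
    while pos + 8 <= len(blob):
        length, ctype = int.from_bytes(blob[pos:pos + 4], "big"), blob[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None

def trailing_data(blob):
    for magic, find_end in ((b"\xff\xd8", jpeg_end), (PNG_SIG, png_end)):
        if blob.startswith(magic):
            end = find_end(blob)
            return None if end is None else blob[end:]
    return None  # not a JPEG or PNG

def triage(blob):
    # Verdict for one file: not-image, clean, base64-trailer or trailing-data.
    tail = trailing_data(blob)
    if tail is None:
        return "not-image"
    tail = tail.strip()
    if not tail:
        return "clean"
    return "base64-trailer" if len(tail) >= 64 and B64_RE.match(tail) else "trailing-data"

SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x02\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd9"  # constructed minimal JPEG
PAYLOAD = base64.b64encode(b"constructed stand-in for an embedded script " * 3)  # constructed, not a real sample
```

Run `triage()` over attachments or proxy-downloaded images; a `base64-trailer` verdict on a file fetched by a script is worth an analyst's look even when the image itself renders normally.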

The phishing email with a malicious attachment

Notably, the documents and scripts used in the attacks often bear titles related to romantic themes, such as “greatloverstory.vbs”, “easytolove.vbs”, and even “iaminlovewithsomeoneshecuteandtrulyyoungunluckyshenotundersatnd_howmuchiloveherbutitsallgreatwithtrueloveriamgivingyou.doc”. Hence, researchers have named the campaign “SteganoAmor”.

For storing malicious files, the perpetrators often utilize legitimate cloud services like Google Drive, which helps them evade detection by antivirus tools. The transfer of stolen information is carried out through compromised legitimate FTP and SMTP servers, making the traffic less suspicious.

Analysis indicates that the primary targets of these cybercriminals have been organizations in Latin America, although attacks have also been recorded in North America and Western Europe. The victims span various economic sectors, including government institutions and private companies.

In one examined case, the criminals sent an email with a malicious attachment disguised as an Excel document. When the victim opens the file, a macro runs that downloads and executes the AgentTesla malware. This program is capable of stealing data from browsers, mail clients, and remote access systems.

Given the use of legitimate servers for phishing dissemination and C2 server operations, specialists strongly advise organizations to meticulously scrutinize emails with attachments, even those originating from known or governmental organizations.

The SteganoAmor campaign demonstrates that cyber threats are becoming increasingly sophisticated and difficult to detect. It is crucial to regularly update antivirus software and conduct security audits so that potential threats are identified and neutralized in a timely manner.