SteganoArmor Strikes: How Hidden Malware is Breaching Hundreds of Latin American Orgs

In “SteganoArmor Exposed,” hackers cloak their malware masterpieces in JPGs, duping Latin America with a digital masquerade ball where the invites are phishing emails and the dress code is infostealers in disguise. Stay patched to crash their party.

Hot Take:

Who knew art could be so deceptive? Steganography, the ancient art of hiding messages, has taken a dark turn in the digital age. Hackers, in their relentless pursuit of innovation (and chaos), have started using it to smuggle digital nasties into the systems of unsuspecting victims. Here’s to the mischievous masterminds who think a pretty picture can hide their ugly intentions. Spoiler alert: it’s not as foolproof as they think!

Key Points:

  • Cyber baddies are using steganography to tuck away malware in image files, causing quite a stir in Latin America.
  • The gang behind this, TA558, is sending phishing emails like it’s going out of style, using compromised servers to fly under the radar.
  • The malware menu includes AgentTesla, FormBook, and other digital pickpockets that steal information or take control of devices.
  • Defensive moves are simple: don't trust sketchy emails and keep your software patched, especially against CVE-2017-11882, the seven-year-old Equation Editor flaw in Microsoft Office that these booby-trapped attachments exploit.
  • TA558 isn’t new to the game; they’ve been haunting the hospitality and tourism industries for nearly a decade.

Need to know more?

The Art of Hidden Horrors

Picture this: a lovely JPG arrives in your inbox, but lurking within its pixels is a cyber gremlin just waiting to wreak havoc. Researchers at Positive Technologies have dubbed this cyber Van Gogh operation "SteganoArmor," and it's as nefarious as it is clever. Steganography, the trick of smuggling data inside harmless files, is like the Trojan Horse of cybersecurity, only instead of soldiers, it's infostealers and RATs (the software kind, not the four-legged variety).

A Phishy Tale

The tale begins with the classic phishing email, a favorite among cybercrooks. TA558, the group with a taste for digital disruption, has been casting its bait far and wide, hoping to hook some big fish with Word and Excel attachments. But these aren't your grandma's attachments: they exploit CVE-2017-11882, the memory-corruption bug in Office's old Equation Editor, a vulnerability older than the last season of "Game of Thrones." Opening one drops a VBS script, which then pulls the malware-stuffed image file from a seemingly innocent paste service; the image still looks like a picture, but the script fishes the hidden payload out of it and runs it. What follows is a smorgasbord of digital deceit, from keyloggers to RATs.
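One check a defender can run on images fetched by a script like the one above, as an added example that is not code from the original article or from Positive Technologies: a parser that walks the JPEG marker structure to find the genuine end-of-image marker and reports whatever is appended after it. The page does not say exactly how TA558 stuffs its payload into the picture, so the embedding this looks for (a raw or base64-encoded executable tacked on after a valid JPEG) is an assumption about the common variant; the sample images are constructed inline and are not real campaign artifacts.

```python
"""Find payloads appended after a JPEG's real end-of-image (EOI) marker.

Added example; not the article's or Positive Technologies' code. It assumes
the common append-after-EOI variant of image steganography (the picture
still renders; the payload rides behind it as raw or base64 bytes). The
page does not say exactly how TA558 embeds its data.
"""
import base64
import binascii
import re

SOI = b"\xff\xd8"
PE_MAGIC = b"MZ"
# A run of 64+ base64 characters, optionally padded: long enough to skip
# short incidental matches in metadata.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def jpeg_end_offset(data: bytes):
    """Walk the marker segments and return the offset just past the first
    genuine EOI, or None if the bytes are not a well-formed JPEG.

    Walking the structure matters: a payload can itself contain FF D9, so
    data.rfind(b"\\xff\\xd9") would hide part or all of the trailer.
    """
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                      # lost sync; not a marker position
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            # Skip to the next real marker: FF00 is byte stuffing and FF D0-D7
            # are restart markers; both belong to the scan data.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def classify_trailer(trailer: bytes) -> str:
    """Label the bytes found after EOI."""
    compact = re.sub(rb"\s+", b"", trailer)
    if not compact:
        return "clean"
    if compact.startswith(PE_MAGIC):
        return "raw-pe"
    match = B64_RE.search(compact)
    if match is None:
        return "unknown"
    blob = match.group(0)
    blob = blob[: len(blob) - len(blob) % 4]   # drop a dangling partial quartet
    try:
        decoded = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return "unknown"
    return "base64-pe" if decoded.startswith(PE_MAGIC) else "base64-blob"


def scan_image(data: bytes):
    """Return (verdict, trailer_length) for one image file's bytes."""
    end = jpeg_end_offset(data)
    if end is None:
        return ("not-jpeg", 0)
    trailer = data[end:]
    return (classify_trailer(trailer), len(trailer))


# Constructed samples (not real TA558 artifacts): a minimal JPEG skeleton whose
# scan data deliberately contains a stuffed FF00 and a restart marker FFD0.
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
_SCAN = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
SAMPLE_CLEAN = SOI + _APP0 + _SOS + _SCAN + b"\xff\xd9"
_FAKE_PE = PE_MAGIC + b"\x90" * 100
SAMPLE_B64_PE = SAMPLE_CLEAN + b"\n" + base64.b64encode(_FAKE_PE)
# The raw trailer contains a second FF D9 to show the parser is not fooled.
SAMPLE_RAW_PE = SAMPLE_CLEAN + _FAKE_PE[:4] + b"\xff\xd9" + b"\x00" * 60
SAMPLE_NOT_JPEG = b"GIF89a" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("clean", SAMPLE_CLEAN), ("b64-pe", SAMPLE_B64_PE),
                       ("raw-pe", SAMPLE_RAW_PE), ("gif", SAMPLE_NOT_JPEG)]:
        print(name, scan_image(blob))
```

Run it over a directory of downloaded images and anything other than "clean" or "not-jpeg" deserves a look. The one design point worth repeating: locate the EOI by parsing, not by searching backwards for FF D9, because an attacker's appended blob can contain that byte pair and a naive search would report a much shorter (or empty) trailer.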

Avoiding the Art Attack

Now, evading this artistic attack is surprisingly straightforward. First, give incoming emails the side-eye, especially if they come accessorized with Office attachments or links; that's a digital red flag. And let's not forget the importance of patching up old wounds like CVE-2017-11882. Microsoft's fix has been available since November 2017, so a machine that can still be popped by it is years behind on updates. One caveat for defenders: the image is fetched by the dropped script rather than attached to the email, so mail filtering alone never sees it. Watch endpoints for Office (or the Equation Editor it spawns) launching script hosts like wscript.exe, and for those scripts reaching out to paste services. A little cyber hygiene goes a long way.
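The endpoint side of that advice, as an added example that is not from the original article or from Positive Technologies: a small detector for the process chain a CVE-2017-11882 exploit leaves behind, namely the Equation Editor (EQNEDT32.EXE) spawning a child, or an Office application spawning a script host. It assumes process-creation events shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine) rendered as one JSON object per line; the log lines below are constructed for the example, not real telemetry.

```python
"""Flag the process chain an Equation Editor (CVE-2017-11882) exploit leaves.

Added example; not the article's or Positive Technologies' code. Assumes
Sysmon-style process-creation events (Image, ParentImage, CommandLine) as
JSON lines. The sample log is constructed, not captured from a victim.
"""
import json
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (works on non-Windows hosts)."""
    return PureWindowsPath(path).name.lower()


def assess(event: dict) -> list:
    """Return the alert reasons for one process-creation event (empty = benign)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    reasons = []
    if parent == EQUATION_EDITOR:
        # Equation Editor has no business launching anything; a child process
        # is the classic sign of shellcode running inside it.
        reasons.append(f"{EQUATION_EDITOR} spawned {image}")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned script host {image}")
    if image == EQUATION_EDITOR:
        # Lower confidence: the component is obsolete, so any launch on a
        # patched fleet is worth a second look even without a child.
        reasons.append(f"{EQUATION_EDITOR} executed (obsolete component)")
    return reasons


def scan_log(lines) -> list:
    """Return [(line_index, reasons)] for every event that raised at least one reason."""
    hits = []
    for idx, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = assess(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample log (paths and file names are invented for the example).
SAMPLE_LOG = [
    json.dumps({"Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                "ParentImage": r"C:\Windows\System32\svchost.exe",
                "CommandLine": '"EQNEDT32.EXE" -Embedding'}),
    json.dumps({"Image": r"C:\Windows\System32\wscript.exe",
                "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                "CommandLine": r"wscript.exe C:\Users\ana\AppData\Local\Temp\update.vbs"}),
    json.dumps({"Image": r"C:\Windows\System32\wscript.exe",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "CommandLine": r"wscript.exe C:\Users\ana\Downloads\factura.vbs"}),
    json.dumps({"Image": r"C:\Windows\System32\notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "notepad.exe"}),
]

if __name__ == "__main__":
    for idx, reasons in scan_log(SAMPLE_LOG):
        print(f"line {idx}: " + "; ".join(reasons))
```

The first rule (Equation Editor with a child process) is the high-confidence one; the Office-spawns-script-host rule also fires on macro-based lures, which is fine since that is the same phishing playbook. Tune the obsolete-component rule to your fleet: it is noise on a network that legitimately still ships the old component, and a strong signal on one that has removed it.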

The Not-So-New Kid on the Block

Last but not least, let's talk about TA558. This isn't their debut performance; they've been lurking in the cyber shadows for a decade, preying on the hospitality and tourism sectors like a digital Dracula. It's clear they've got a taste for travel, even if it's through the wires and waves of the internet.

As for staying informed, TechRadar Pro is the bearer of all things cybersecurity news, from infostealing malware campaigns targeting Python devs to the best firewalls and endpoint security tools on the market. And let's tip our hats to the messenger, Sead, a journalist from Sarajevo who's been in the IT and cybersecurity storytelling game for over ten years, serving up content writing wisdom along the way.

Tags: CVE-2017-11882 vulnerability, Latin America cyber attacks, Malware Variants, phishing emails, steganography, TA558 hacker group