Researchers have discovered an unnamed malware that downloads Cobalt Strike using images from Imgur.
The malware spreads under the guise of obsolete Word documents (.doc) with malicious macros. If the user opens such a file and the macro is triggered, the PowerShell script is downloaded from GitHub.
The malware then uses (at first glance) normal Imgur images to infect the victim’s machine with Cobalt Strike.
One of the first to report the problem was an information security specialist known as Arkbird. He writes that a one-line PowerShell script loads a regular-looking PNG file from Imgur.
“While this image itself may be benign, its pixel values are used by the PowerShell script in calculating the next stage payload”, — said an information security specialist known as Arkbird.
The technique of hiding code, secrets, or malicious payloads in regular files such as images is known as steganography. Tools like Invoke-PSImage make this possible by encoding a PowerShell script in PNG file pixels and generating a one-line command to execute the payload.
Bleeping Computer reports that the payload calculation algorithm runs a foreach loop to iterate over a set of pixel values in a PNG file, and also performs certain arithmetic operations to produce ASCII functional commands.
The data decoded in this way is the Cobalt Strike payload. Let me remind you that this is a legitimate commercial tool, originally created for pentesters and the red team, has long been loved by hackers, from government APT groups to ransomware operators.
“The decoded shellcode contains the string EICAR, which means it is aimed at tricking security mechanisms and SOC commands into mistaking malware for a penetration test performed by experts”, – said Bleeping Computer journalists.
In fact, the payload communicates with the C&C server through the WinINet module for further instructions. Moreover, the domain associated with the control server (Mazzion1234-44451.portmap.host) was registered only on December 20, 2020, but is currently no longer available.
Researcher believes that all this activity is similar to the work of hackers from the MuddyWater group, known for their attacks on businesses in the Middle East.
Let me remind you that I also talked about new PyMICROPSIA malware for Windows that can also be used for attacks on Linux and macOS.