A sneaky new steganography malware is exploiting Microsoft Word - hundreds of firms around the world hit by attack
Cybersecurity researchers from Positive Technologies have identified a new malware campaign, SteganoArmor, which uses steganography to hide malicious payloads within benign-looking files to evade email security solutions. The attackers, known as TA558, have been distributing phishing emails with Microsoft Word and Excel attachments that exploit a seven-year-old vulnerability, CVE-2017-1182. When the victim opens the attachment, a Visual Basic Script (VBS) is downloaded from a legitimate service, which then retrieves a JPG file containing a base-64 encoded payload.

This leads to the installation of various malware types, including AgentTesla, FormBook, Remcos, LokiBot, Guloader, Snake Keylogger, and XWorm. Most of these are information stealers, with some being remote access trojans (RATs) and stage-two downloaders. Over 320 attacks have been discovered, primarily targeting organizations in Latin America.

Users can defend against this attack by being cautious with emails containing files or links and by updating their Office suite to patch the CVE-2017-1182 vulnerability. TA558 has been active for nearly a decade, focusing on the hospitality and tourism sectors.

Cybersecurity experts have uncovered a malware campaign called SteganoArmor that uses steganography to conceal harmful code within seemingly harmless files to avoid detection by email security systems. The campaign exploits an old Microsoft Word vulnerability (CVE-2017-1182) through phishing emails with infected Word and Excel documents. Once opened, these documents trigger the download of various malware variants, mainly targeting Latin American organizations. Users can protect themselves by being cautious with email attachments and updating their Office software to fix the exploited vulnerability.

CVEs: CVE-2017-1182

Malware: TA558, RevengeRAT, NjRAT, Vjw0rm, LodaRAT

[View Article](https://www.techradar.com/pro/security/a-sneaky-new-steganography-malware-is-hitting-hundreds-of-firms-around-the-world)
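For defenders triaging image downloads, the JPG stage described above (an image carrying a base-64 encoded payload) can be screened for with a check like the following. This is an added example, not code from the article or from Positive Technologies; the function name, the 200-character threshold, the constructed sample bytes and the assumption that the hidden stage is a Windows PE are all illustrative.

```python
import base64
import re

SOI, EOI = b"\xff\xd8", b"\xff\xd9"  # JPEG start/end-of-image markers

def find_b64_runs(data: bytes, min_run: int = 200) -> list:
    """Report every run of >= min_run base64-alphabet bytes in a file."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_run)
    last_eoi = data.rfind(EOI)
    findings = []
    for m in pattern.finditer(data):
        run = m.group().rstrip(b"=")
        # Decode only the head of the run; enough to read a file signature.
        head = base64.b64decode(run[: min(64, len(run) // 4 * 4)])
        findings.append({
            "offset": m.start(),
            "length": len(m.group()),
            # Data after the last EOI marker is not part of the image.
            "after_eoi": last_eoi != -1 and m.start() > last_eoi,
            # Assumption: the hidden stage is a Windows PE ("MZ" header).
            "decodes_to_pe": head.startswith(b"MZ"),
        })
    return findings

# Constructed samples (not real images or malware): marker bytes plus filler.
CLEAN_JPEG = SOI + b"\xff\xe0\x00\x10JFIF\x00" + bytes(64) + EOI
FAKE_PE = b"MZ" + bytes(300)  # harmless stand-in with a PE-like signature
STEGO_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_PE)
# Long base64 inside the image body, e.g. embedded metadata: lower priority.
META_JPEG = SOI + base64.b64encode(b"thumbnail-like metadata " * 10) + EOI

if __name__ == "__main__":
    samples = [("clean", CLEAN_JPEG), ("stego", STEGO_JPEG), ("meta", META_JPEG)]
    for name, blob in samples:
        print(name, find_b64_runs(blob))
```

A hit with both `after_eoi` and `decodes_to_pe` set is the high-priority case; long base64 inside the image body also occurs in legitimate metadata, so treat it as a lead rather than a verdict.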