Hackers Use Images to Deploy Keyloggers and Stealers

Attackers are increasingly using image files to conceal a stage of their malware delivery chain, in two separate but closely related campaigns that end in VIP Keylogger and 0bj3ctivity Stealer respectively. According to a report on the activity, the attackers embed encoded malicious code in images uploaded to file-hosting platforms and use a .NET loader to install the final malware.

The attack begins with phishing emails disguised as invoices or purchase orders. These emails trick recipients into opening malicious attachments, such as Microsoft Excel files. Once opened, the attachments exploit CVE-2017-11882, a long-patched memory-corruption vulnerability in the legacy Equation Editor component of Microsoft Office, to download and execute a VBScript file.

The VBScript decodes and runs a PowerShell script that retrieves an image from the internet. The image is a valid picture, but a Base64-encoded payload has been embedded in its data; the PowerShell script extracts that text, decodes it into a .NET executable and runs it. This executable then downloads VIP Keylogger, which collects keystrokes, clipboard contents, screenshots and login credentials. Because the image still opens and displays normally, neither a casual look nor a simple image-format check reveals the hidden payload.

In the second campaign, the phishing emails carry archive attachments containing a malicious JavaScript file. When the recipient runs it, the script downloads a different image, extracts and decodes the hidden code in the same way, and deploys 0bj3ctivity Stealer. The two chains differ only in the initial lure and the final payload, which is what reuse of the same malware kit looks like: the kits let attackers run sophisticated operations with minimal effort.
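Both chains above hinge on the same step: a loader pulls a Base64 blob out of an otherwise valid image and decodes it into a .NET executable. The following Python is an added example, not code from the report or from the campaigns it describes. It mimics the attacker side (appending a marked Base64 payload to a PNG) and then shows the two defender-side checks an analyst would run on a suspicious image: cutting out the text between known markers, and, because markers are campaign-specific, hunting for any long Base64 run that decodes to something with a PE header. The PNG filler, the tiny fake PE image and the `<<BASE64_START>>`/`<<BASE64_END>>` markers are constructed for this example and are not indicators from any real campaign.

```python
import base64
import binascii
import re

# Constructed sample inputs for this example (not artefacts from any real
# campaign): a minimal PNG signature with filler bytes, a tiny fake PE
# image, and hypothetical marker strings of the kind a loader searches for.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
FAKE_PE = (b"MZ" + b"\x90" * 58              # DOS header up to e_lfanew (0x3C)
           + (0x40).to_bytes(4, "little")    # e_lfanew -> PE header at 0x40
           + b"PE\x00\x00" + b"\x00" * 256)  # PE signature plus filler
MARKER_START = b"<<BASE64_START>>"
MARKER_END = b"<<BASE64_END>>"


def build_sample_image(payload: bytes = FAKE_PE) -> bytes:
    """Attacker side: append a marked Base64 blob after the image data.
    Image viewers stop at the end of the PNG structure, so the file still
    renders as a picture."""
    return PNG_SIG + b"\x00" * 256 + MARKER_START + base64.b64encode(payload) + MARKER_END


def extract_between_markers(data: bytes, start: bytes = MARKER_START,
                            end: bytes = MARKER_END):
    """What the PowerShell stage does: cut the text between two known
    markers and Base64-decode it. Returns None if the markers are absent."""
    s = data.find(start)
    if s == -1:
        return None
    e = data.find(end, s + len(start))
    if e == -1:
        return None
    return base64.b64decode(data[s + len(start):e])


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: MZ stub plus an e_lfanew that points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Defender side: markers differ per campaign, so hunt for any long run of
# Base64 alphabet characters and test whether it decodes to a PE file.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def find_embedded_payloads(data: bytes):
    """Return (offset, decoded_bytes) for every Base64 run that decodes to a PE."""
    hits = []
    for m in BASE64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid Base64 (bad length or padding); skip it
        if looks_like_pe(decoded):
            hits.append((m.start(), decoded))
    return hits


if __name__ == "__main__":
    img = build_sample_image()
    print("marker extraction yields PE:", looks_like_pe(extract_between_markers(img)))
    for off, blob in find_embedded_payloads(img):
        print(f"PE payload found at offset {off}, {len(blob)} bytes")
```

The heuristic scanner is deliberately loose: real images rarely contain 200 consecutive bytes drawn only from the Base64 alphabet, so a hit is worth a look even when it does not decode to a PE, and the PE check simply ranks the hit as high confidence. Run it over images fetched by PowerShell or script hosts rather than over every image on the network.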

Separately, attackers have used HTML smuggling to deliver remote access trojans such as XWorm via AutoIt droppers: the payload travels inside an HTML attachment as encoded text and is assembled into a file by script running in the recipient's browser, so no executable crosses the email gateway as an attachment. Evidence suggests some of these files were created with generative AI (GenAI), which lets attackers scale operations, vary their tooling and complicate attribution.
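To make the HTML smuggling step concrete, the Python below is an added example, not material from the report. It builds a constructed HTML attachment of the usual shape (a Base64 string literal decoded with `atob()`, wrapped in a `Blob` and pushed to the user through an `<a download>` element) and then triages such a file offline: it scores the tell-tale JavaScript calls, pulls out the Base64 literal, decodes it and identifies the carried file by its magic bytes. The fake ZIP bytes and the `invoice.zip` file name are assumptions made for the example.

```python
import base64
import binascii
import re

# Constructed sample payload for this example: a ZIP local-file header
# followed by filler, standing in for the archive a real lure would carry.
FAKE_ARCHIVE = b"PK\x03\x04" + b"\x00" * 300


def build_sample_html(payload: bytes = FAKE_ARCHIVE, name: str = "invoice.zip") -> str:
    """Constructed HTML-smuggling attachment: the archive is Base64 text,
    decoded and turned into a download entirely inside the browser."""
    b64 = base64.b64encode(payload).decode()
    return f"""<html><body><script>
var b = '{b64}';
var bin = atob(b);
var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = '{name}';
a.click();
</script></body></html>"""


# JavaScript constructs that together mark a page as assembling a file
# client-side; any one alone is common, all of them together is not.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*="),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x1f\x8b": "gzip"}


def triage_html(html: str) -> dict:
    """Offline triage of an HTML attachment: indicator hits, decoded payloads,
    intended file name, and an overall verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = []
    for literal in B64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except (ValueError, binascii.Error):
            continue
        kind = next((k for magic, k in MAGIC.items() if raw.startswith(magic)), "unknown")
        payloads.append({"kind": kind, "size": len(raw), "data": raw})
    m = re.search(r"\.download\s*=\s*['\"]([^'\"]+)['\"]", html)
    return {
        "indicators": hits,
        "payloads": payloads,
        "download_name": m.group(1) if m else None,
        # three or more assembly indicators plus an embedded blob is a strong signal
        "suspicious": len(hits) >= 3 and bool(payloads),
    }


if __name__ == "__main__":
    verdict = triage_html(build_sample_html())
    print(verdict["suspicious"], verdict["indicators"], verdict["download_name"])
    for p in verdict["payloads"]:
        print(p["kind"], p["size"], "bytes")
```

Real samples usually obfuscate the literal (split strings, reversed text, XOR with a key in the script), so the regex extraction is the first pass, not the last; the indicator score still fires on the assembly calls, which are much harder to hide from a static check than the payload itself.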

Cybercriminals have also exploited platforms like GitHub, creating repositories that advertise video game cheats and modification tools. These tools, however, deliver malware such as Lumma Stealer using .NET droppers.

The rise of accessible and affordable malware kits has made sophisticated cybercrime more achievable, even for inexperienced attackers.

Preventing the Threat

To mitigate these risks, organizations should strengthen email filtering (blocking or sandboxing Office documents that carry Equation Editor objects, script files and HTML attachments), apply the patches that close known vulnerabilities such as CVE-2017-11882 and remove the legacy Equation Editor where it is still installed, and train employees to recognise invoice and purchase-order lures. Monitoring and proactive threat hunting should focus on the chain these campaigns use: Office processes spawning script hosts such as wscript.exe or powershell.exe, PowerShell downloading image files, and PowerShell decoding and launching .NET executables. Organizations should also restrict outbound access to the file-hosting sites attackers rely on to stage the images.