Malware, Email security, Phishing, Threat Intelligence
Trojanized images leveraged in separate malware campaigns
![Cyber security concept. Toy horse on a digital screen, symbolizes the attack of the Trojan virus. 3D illustration.](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2024/03/031224_trojan.jpg)
(Adobe Stock)
Images laced with malicious code and uploaded to the file-hosting site archive[.]org have been leveraged to facilitate the deployment of the VIP Keylogger and Obj3ctivity Stealer payloads in separate phishing campaigns, according to The Hacker News.

Both campaigns involved the distribution of malicious emails purporting to be invoices, purchase orders, or quotation requests with attachments. When opened, the attachments trigger a PowerShell script that fetches the trojanized image and executes a .NET-based loader to launch the payloads, a report from HP Wolf Security revealed. VIP Keylogger, which resembles Snake Keylogger and 404 Keylogger, targets credentials, keystrokes, screenshots, and clipboard content, while the Obj3ctivity infostealer also exfiltrates various device data.

Additional findings showed other attack campaigns that used generative AI-written HTML pages to deliver the XWorm remote access trojan, as well as fake GitHub repositories for video game cheats to spread the Lumma Stealer.

"The campaigns analyzed provide further evidence of the commodification of cybercrime. As malware-by-numbers kits are more freely available, affordable, and easy to use, even novices with limited skills and knowledge can put together an effective infection chain," said HP Security Lab principal threat researcher Alex Holland.