November 7, 2018 By Douglas Bonderud 2 min read

A new Cutwail spam campaign from a threat group known as NARWHAL SPIDER is using steganography — data concealed within an image — to infect machines with the URLZone malware family.

According to security firm CrowdStrike, the new campaign uses Japanese-language spam to target regional users; URLZone is only downloaded if regional system settings contain the “ja” descriptor.

While NARWHAL SPIDER has a long history of providing Cutwail V2 spam services for WIZARD SPIDER, BAMBOO SPIDER, Nymaim and Gozi ISFB, the new attack includes a rarely seen combination of PowerShell scripts and steganography-concealed downloaders to fool security systems and deliver malicious payloads.

CrowdStrike hasn’t observed final payload installation for this campaign, but similar attacks using URLZone often deploy banking Trojans such as Gozi ISFB. The spam email itself contains basic Japanese text subject lines such as “Order Form” and “Sending Invoice Format,” while the body is either a short thank-you message or left blank. When users download the attached Excel document, open it and enable macros, the infection process begins.

Spam Campaign Hides Malicious Code in Images

The first stage of this spam attack is straightforward: Embedded Visual Basic for Applications (VBA) code runs cmd.exe to download an image file and then execute a PowerShell command. The image seems innocuous enough — a blue-and-black printer producing pages with the green Android logo — but a PowerShell command is hidden inside the blue and green channels of the image.

Phase two of the attack uses Python to extract a PowerShell command from four bits of blue channel and four bits of green channel data. In phase three, the command is copied to the clipboard and executed to begin the download of URLZone.

While steganography-based attacks have been detected in the wild, they’re few and far between; in the case of NARWHAL SPIDER, PowerShell commands and hidden imagery are combined to obfuscate infection vectors and reduce the chance of detection by network security systems. Although the campaign is currently limited to Japan, successful deployment could pave the way for geographic expansion.

How to Protect Against Steganography-Enhanced Spam

Defending against spam attacks — even steganography-enhanced Cutwail campaigns — starts with email security. IBM Security experts recommend a layered approach that includes basic spam detection, external mail scanning, perimeter protection and end-user training to reduce overall risk.

In addition, new techniques such as Decoy File Systems (DcyFS) offer a way to leverage attackers’ penchant for obfuscation against them by creating user-based file views that hide critical data while providing “breadcrumbs” to attract malware interest.

Source: CrowdStrike

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today