November 7, 2018 By Douglas Bonderud 2 min read

A new Cutwail spam campaign from a threat group known as NARWHAL SPIDER is using steganography — data concealed within an image — to infect machines with the URLZone malware family.

According to security firm CrowdStrike, the new campaign uses Japanese-language spam to target regional users; URLZone is only downloaded if regional system settings contain the “ja” descriptor.

While NARWHAL SPIDER has a long history of providing Cutwail V2 spam services for WIZARD SPIDER, BAMBOO SPIDER, Nymaim and Gozi ISFB, the new attack includes a rarely seen combination of PowerShell scripts and steganography-concealed downloaders to fool security systems and deliver malicious payloads.

CrowdStrike hasn’t observed final payload installation for this campaign, but similar attacks using URLZone often deploy banking Trojans such as Gozi ISFB. The spam email itself contains basic Japanese text subject lines such as “Order Form” and “Sending Invoice Format,” while the body is either a short thank-you message or left blank. When users download the attached Excel document, open it and enable macros, the infection process begins.

Spam Campaign Hides Malicious Code in Images

The first stage of this spam attack is straightforward: Embedded Visual Basic for Applications (VBA) code runs cmd.exe to download an image file and then execute a PowerShell command. The image seems innocuous enough — a blue-and-black printer producing pages with the green Android logo — but a PowerShell command is hidden inside the blue and green channels of the image.

Phase two of the attack uses Python to extract a PowerShell command from four bits of blue channel and four bits of green channel data. In phase three, the command is copied to the clipboard and executed to begin the download of URLZone.

While steganography-based attacks have been detected in the wild, they’re few and far between; in the case of NARWHAL SPIDER, PowerShell commands and hidden imagery are combined to obfuscate infection vectors and reduce the chance of detection by network security systems. Although the campaign is currently limited to Japan, successful deployment could pave the way for geographic expansion.

How to Protect Against Steganography-Enhanced Spam

Defending against spam attacks — even steganography-enhanced Cutwail campaigns — starts with email security. IBM Security experts recommend a layered approach that includes basic spam detection, external mail scanning, perimeter protection and end-user training to reduce overall risk.

In addition, new techniques such as Decoy File Systems (DcyFS) offer a way to leverage attackers’ penchant for obfuscation against them by creating user-based file views that hide critical data while providing “breadcrumbs” to attract malware interest.

Source: CrowdStrike

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today