November 7, 2018 By Douglas Bonderud 2 min read

A new Cutwail spam campaign from a threat group known as NARWHAL SPIDER is using steganography — data concealed within an image — to infect machines with the URLZone malware family.

According to security firm CrowdStrike, the new campaign uses Japanese-language spam to target regional users; URLZone is only downloaded if regional system settings contain the “ja” descriptor.

While NARWHAL SPIDER has a long history of providing Cutwail V2 spam services for WIZARD SPIDER, BAMBOO SPIDER, Nymaim and Gozi ISFB, the new attack includes a rarely seen combination of PowerShell scripts and steganography-concealed downloaders to fool security systems and deliver malicious payloads.

CrowdStrike hasn’t observed final payload installation for this campaign, but similar attacks using URLZone often deploy banking Trojans such as Gozi ISFB. The spam email itself contains basic Japanese text subject lines such as “Order Form” and “Sending Invoice Format,” while the body is either a short thank-you message or left blank. When users download the attached Excel document, open it and enable macros, the infection process begins.

Spam Campaign Hides Malicious Code in Images

The first stage of this spam attack is straightforward: Embedded Visual Basic for Applications (VBA) code runs cmd.exe to download an image file and then execute a PowerShell command. The image seems innocuous enough — a blue-and-black printer producing pages with the green Android logo — but a PowerShell command is hidden inside the blue and green channels of the image.

Phase two of the attack uses Python to extract a PowerShell command from four bits of blue channel and four bits of green channel data. In phase three, the command is copied to the clipboard and executed to begin the download of URLZone.

While steganography-based attacks have been detected in the wild, they’re few and far between; in the case of NARWHAL SPIDER, PowerShell commands and hidden imagery are combined to obfuscate infection vectors and reduce the chance of detection by network security systems. Although the campaign is currently limited to Japan, successful deployment could pave the way for geographic expansion.

How to Protect Against Steganography-Enhanced Spam

Defending against spam attacks — even steganography-enhanced Cutwail campaigns — starts with email security. IBM Security experts recommend a layered approach that includes basic spam detection, external mail scanning, perimeter protection and end-user training to reduce overall risk.

In addition, new techniques such as Decoy File Systems (DcyFS) offer a way to leverage attackers’ penchant for obfuscation against them by creating user-based file views that hide critical data while providing “breadcrumbs” to attract malware interest.

Source: CrowdStrike

More from

Is AI saving jobs… or taking them?

3 min read - Artificial intelligence (AI) is coming to take your cybersecurity job. Or, AI will save your job.Well, which is it?As with all things security-related, AI-related and employment-related, it's complicated.How AI creates jobsA major reason it's complicated is that AI is helping to increase the demand for cybersecurity professionals in two broad ways. First, malicious actors use AI to get past security defenses and raise the overall risk of data breaches. The bad guys can increasingly use AI-based tools for improved reconnaissance…

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations.Both reports shed light on the persistent and growing threat of credential…

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today