A new Cutwail spam campaign from a threat group known as NARWHAL SPIDER is using steganography — data concealed within an image — to infect machines with the URLZone malware family.
According to security firm CrowdStrike, the new campaign uses Japanese-language spam to target regional users; URLZone is only downloaded if regional system settings contain the “ja” descriptor.
While NARWHAL SPIDER has a long history of providing Cutwail V2 spam services for WIZARD SPIDER, BAMBOO SPIDER, Nymaim and Gozi ISFB, the new attack includes a rarely seen combination of PowerShell scripts and steganography-concealed downloaders to fool security systems and deliver malicious payloads.
CrowdStrike hasn’t observed final payload installation for this campaign, but similar attacks using URLZone often deploy banking Trojans such as Gozi ISFB. The spam email itself contains basic Japanese text subject lines such as “Order Form” and “Sending Invoice Format,” while the body is either a short thank-you message or left blank. When users download the attached Excel document, open it and enable macros, the infection process begins.
Spam Campaign Hides Malicious Code in Images
The first stage of this spam attack is straightforward: Embedded Visual Basic for Applications (VBA) code runs cmd.exe to download an image file and then execute a PowerShell command. The image seems innocuous enough — a blue-and-black printer producing pages with the green Android logo — but a PowerShell command is hidden inside the blue and green channels of the image.
Phase two of the attack uses Python to extract a PowerShell command from four bits of blue channel and four bits of green channel data. In phase three, the command is copied to the clipboard and executed to begin the download of URLZone.
While steganography-based attacks have been detected in the wild, they’re few and far between; in the case of NARWHAL SPIDER, PowerShell commands and hidden imagery are combined to obfuscate infection vectors and reduce the chance of detection by network security systems. Although the campaign is currently limited to Japan, successful deployment could pave the way for geographic expansion.
How to Protect Against Steganography-Enhanced Spam
Defending against spam attacks — even steganography-enhanced Cutwail campaigns — starts with email security. IBM Security experts recommend a layered approach that includes basic spam detection, external mail scanning, perimeter protection and end-user training to reduce overall risk.
In addition, new techniques such as Decoy File Systems (DcyFS) offer a way to leverage attackers’ penchant for obfuscation against them by creating user-based file views that hide critical data while providing “breadcrumbs” to attract malware interest.