Another day, another malicious JPEG

In his last two diaries, Xavier discussed recent malware campaigns that download JPEG files with an embedded malicious payload [1,2]. At the time, I had not come across the malicious “MSI image” myself, but while going over malware samples caught by one of my customers’ e-mail proxies last week, I found another campaign that used the same technique. Xavier already discussed how the final portion of the payload embedded in the JPEG was used, but since the campaign he came across used a batch downloader as its first stage and the one I found used JScript instead, I thought it worthwhile to look at the first part of the infection chain in more detail and discuss a few tips and tricks that may ease the analysis of malicious scripts along the way. To that end, we should start with the e-mail to which the JScript file (in a GZIP “envelope”) was attached. The e-mail had a spoofed sender address to make it look like it came from a legitimate Czech company, and its body contained the logo of the same organization, so at first glance it might have looked somewhat trustworthy. Nevertheless, this would only hold if the message didn’t fail the usual DMARC/SPF checks, which it did, so it would probably be quarantined by most e-mail servers regardless of the malicious attachment.
Article Summaries:
- A new malware campaign has been identified that delivers malicious JPEG files containing embedded payloads. The attack vector involved a spoofed email from a Czech company, which bypassed DMARC/SPF checks and carried a 1.17 MB JScript file compressed in GZIP. The script was heavily obfuscated, with 17,222 lines reduced to 34 after cleanup. Its first lines copy the script to the startup folder for persistence, while the remaining code constructs a PowerShell command via WMI’s Win32_Process.Create, decoding a Base64‑encoded payload and executing it with Invoke‑Expression. The analysis highlights the use of simple obfuscation and the importance of inspecting the script’s tail for CTI clues.
- A new malware campaign has been identified that delivers malicious payloads embedded in JPEG files. The attack chain begins with a spoofed email that passes initial checks but fails DMARC/SPF, leading to quarantine by most mail servers. The attachment is a 1.17 MB JScript file heavily obfuscated; after removing duplicate lines, it shrinks to 31 kB. The script copies itself to the startup folder for persistence and then constructs a PowerShell command via WMI’s Win32_Process.Create. The PowerShell payload is Base64‑encoded, decoded, and executed with Invoke‑Expression. An error message in Brazilian Portuguese is included, but the core activity is the hidden PowerShell execution.
- A new malware campaign was uncovered that delivers malicious JPEG files with embedded payloads. The attackers use a JScript file compressed in a GZIP envelope, spoofing a Czech company’s email address to bypass initial scrutiny. The script, originally 1.17 MB due to heavy obfuscation, reduces to 31 kB after removing repeated lines. It attempts persistence by copying itself to the startup folder and then constructs a PowerShell command via WMI to execute a Base64‑encoded payload. The final execution step decodes the payload and runs it with Invoke‑Expression. The campaign demonstrates advanced obfuscation and persistence techniques aimed at evading email security checks.
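The first-pass cleanup the summaries above describe (dropping the repeated junk lines that inflate the JScript, then locating and decoding the Base64 string the script hands to PowerShell) as an added triage example that is not code from the diary. It runs over a constructed sample whose layout only mirrors the described structure; the variable names and the harmless decoded command are made up.

```python
import base64
import re

# Constructed sample, not the real attachment: a few junk lines repeated thousands
# of times around the handful that matter. The Base64 blob decodes to a benign command.
_B64 = base64.b64encode(b"Write-Output 'decoded payload'").decode()
SAMPLE = "\n".join(
    ["var kx = 'padding';", "// noise", "kx = kx + kx;"] * 2000
    + ["var proc = GetObject('winmgmts:').Get('Win32_Process');",
       "var enc = '" + _B64 + "';",
       'var cmd = "powershell -c iex([Text.Encoding]::UTF8.GetString('
       '[Convert]::FromBase64String(\'" + enc + "\')))";',
       "proc.Create(cmd, null, null, 0);"])

_B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # plausible payload-length tokens

def dedupe_lines(script):
    """Keep the first occurrence of every non-blank line, preserving order."""
    return list(dict.fromkeys(l for l in script.splitlines() if l.strip()))

def decode_blob(raw):
    """-EncodedCommand payloads are UTF-16LE (odd bytes are 0 for ASCII); FromBase64String ones are usually UTF-8."""
    codec = "utf-16-le" if len(raw) % 2 == 0 and not any(raw[1::2]) else "utf-8"
    try:
        text = raw.decode(codec)
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def extract_payloads(lines):
    """Decode every Base64-looking token that yields readable text; skip the rest."""
    found = []
    for line in lines:
        for tok in _B64_RE.findall(line):
            try:
                text = decode_blob(base64.b64decode(tok, validate=True))
            except ValueError:
                continue
            if text:
                found.append(text)
    return found

def triage(script):
    """First-pass summary: size reduction, WMI/IEX indicators, decoded payloads."""
    lines = dedupe_lines(script)
    return {"lines_before": len(script.splitlines()),
            "lines_after": len(lines),
            "wmi_process_create": "Win32_Process" in script and ".Create(" in script,
            "invoke_expression": bool(re.search(r"\biex\b|Invoke-Expression", script, re.I)),
            "payloads": extract_payloads(lines)}
```

Running `triage(SAMPLE)` collapses the 6,004-line sample to 7 lines and returns the decoded command, which is the point at which the tail of the script becomes readable.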
Sources:
- https://isc.sans.edu/diary/rss/32738 (Latest source article published: 2026-02-23 14:26 UTC)