Tracking Malware Campaigns With Reused Material
A few days ago I wrote a diary called “Malicious Script Delivering More Maliciousness”[1]. In that infection chain, a JPEG picture embedded the last payload, delimited with “BaseStart-” and “-BaseEnd” tags. Today, I discovered another campaign that relies on exactly the same technique. It started with an attachment called “TELERADIO_IB_OBYEKTLRIN_BURAXILIS_FORMASI.xIs” (SHA256: 1bf3ec53ddd7399cdc1faf1f0796c5228adc438b6b7fa2513399cdc0cb865962); note that the extension as written is “.xIs” with a capital I, not “.xls”. The file itself is not interesting: it contains a good old Equation Editor exploit (CVE-2017-11882). The exploit triggers the download of an HTA payload, which executes a PowerShell payload and finally a DLL. When I investigated the different payloads, they were pretty simple to deobfuscate; the interesting code was polluted with Unicode characters.
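As an added example (not code from the diary or its author), the script below shows the two analysis steps the text describes: carving the Base64 blob that sits between the “BaseStart-” and “-BaseEnd” tags in a JPEG carrier, and stripping the Unicode “pollution” from the surrounding script so the real code becomes readable. The sample JPEG bytes, the embedded one-liner, the polluted script and the triage check are all constructed here for illustration; the diary's actual YARA rule is not on the page, so the check only mirrors the obvious indicators (JPEG SOI marker plus both tags).

```python
import base64
import re

# Delimiters reported in the diary: the Base64 payload inside the JPEG sits
# between these two literal tags.
START_TAG = b"BaseStart-"
END_TAG = b"-BaseEnd"


def looks_like_tagged_carrier(data: bytes) -> bool:
    """Triage check (assumption, not the diary's YARA rule): a JPEG Start-Of-Image
    marker plus both delimiter tags somewhere in the file."""
    return data.startswith(b"\xff\xd8") and START_TAG in data and END_TAG in data


def extract_tagged_payloads(data: bytes) -> list:
    """Return every blob found between START_TAG and END_TAG, Base64-decoded.

    Whitespace or other non-Base64 bytes inside the blob are dropped before
    decoding (carriers are often line-wrapped); a blob that still fails strict
    decoding is skipped rather than raising, so one bad match does not stop
    the scan of a large image."""
    pattern = re.compile(re.escape(START_TAG) + b"(.*?)" + re.escape(END_TAG), re.DOTALL)
    payloads = []
    for match in pattern.finditer(data):
        blob = re.sub(rb"[^A-Za-z0-9+/=]", b"", match.group(1))
        try:
            payloads.append(base64.b64decode(blob, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return payloads


def strip_unicode_noise(text: str) -> str:
    """Remove non-ASCII code points (combining marks, zero-width spaces, ...) that
    were inserted to break readability. Printable ASCII and CR/LF/TAB are kept.
    Caveat: this also removes legitimate non-ASCII string literals, so compare
    against the original before trusting the result."""
    return "".join(
        ch for ch in text if ch.isascii() and (ch.isprintable() or ch in "\r\n\t")
    )


# Constructed sample carrier: a minimal JPEG header and filler, with the tagged
# Base64 payload appended after the image data. This mirrors the technique
# described in the diary; it is not the real campaign file.
INNER_SCRIPT = "$x = 'payload'; Write-Host $x"
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
    + START_TAG + base64.b64encode(INNER_SCRIPT.encode()) + END_TAG
    + b"\xff\xd9"
)

# Constructed sample of a Unicode-polluted script line: combining strokes
# (U+0336, U+0489) and zero-width spaces (U+200B) sprinkled into the code.
POLLUTED = "S\u0336e\u0336t\u0336-\u200bVa\u0489riable\u200b x\u0336 'payload'"


if __name__ == "__main__":
    print("carrier indicators present:", looks_like_tagged_carrier(SAMPLE_JPEG))
    for payload in extract_tagged_payloads(SAMPLE_JPEG):
        print("carved payload:", payload.decode(errors="replace"))
    print("cleaned script:", strip_unicode_noise(POLLUTED))
```

Run it against a suspicious image with `extract_tagged_payloads(open(path, "rb").read())`; anything it returns should be treated as a second-stage script and analysed in isolation, and the same two-tag search is what a file-scanning rule would key on when hunting for other carriers.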
Article Summaries:
- Xavier Mertens reports a new malware campaign that re‑uses the same malicious JPEG technique he described in a February 15 diary entry. An attachment named “TELERADIO_IB_OBYEKTLRIN_BURAXILIS_FORMASI.xIs” (SHA‑256 1bf3ec53…) exploits CVE‑2017‑11882 in Equation Editor to download an HTA file, which in turn launches a PowerShell script that fetches a DLL. The HTA and PowerShell payloads both retrieve the same Base64‑encoded payload embedded in a JPEG image, identified by “BaseStart‑” and “‑BaseEnd” tags. Mertens found 846 similar images on VirusTotal, 36 with scores above 5, and has created a YARA rule to track them.
Sources:
- https://isc.sans.edu/diary/rss/32726 (Latest source article published: 2026-02-18 08:19 UTC)