19 August 2024
SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
Researchers from the Positive Technologies Expert Security Center discovered more than three hundred attacks worldwide, which they confidently attributed to the well-known TA558 group.
As originally described by researchers at Proofpoint, TA558 is a relatively small, financially motivated cybercrime group that has attacked hospitality and tourism organizations, mainly in Latin America, but has also been identified as being behind attacks in North America and Western Europe. According to the researchers, the group has been active since at least 2018.
In the attacks that we studied, the group made extensive use of steganography, sending VBS scripts, PowerShell code, and RTF documents with an embedded exploit inside images and text files. Interestingly, most of the RTF documents and VBS scripts have love-themed names such as greatloverstory.vbs, easytolove.vbs, iaminlovewithsomeoneshecuteandtrulyyoungunluckyshenotundersatnd_howmuchiloveherbutitsallgreatwithtrueloveriamgivingyou.doc, and others, which is why we dubbed the campaign "SteganoAmor".