Cybercriminals are deploying novel techniques to bypass email security, including embedding malicious code inside images and using GenAI to deliver malware.
HP Wolf researchers highlighted several novel campaigns utilizing these approaches in the firm’s Q3 2024 Threat Insights Report.
The growing diversification of malware delivery has resulted in 11% of email threats bypassing one or more email gateway scanners, HP Wolf found.
Malware Hidden in Image Files
The researchers highlighted separate social engineering campaigns spreading VIP Keylogger and 0bj3ctivityStealer malware, both of which involved malicious code being embedded in image files.
HP Wolf explained that this tactic helps attackers evade detection as image files appear benign when downloaded from well-known websites. This allows them to bypass network security measures like web proxies that rely on reputation.
VIP Keylogger is a comprehensive keylogger and data stealer, capable of recording keystrokes, extracting credentials from applications, capturing clipboard data and taking screenshots.
In a campaign which spread this malware, threat actors sent emails posing as invoices and purchase orders to victims. These emails carried malicious archive files (for example .z and .gz archives) containing a .NET executable.
If opened, the file acts as an initial stager, unpacking and executing VIP Keylogger. For persistence, the malware creates a registry Run key so that it starts each time the user logs on.
0bj3ctivityStealer is an infostealer, designed to exfiltrate information such as passwords and credit card details through Telegram, HTTP or SMTP. The researchers observed a campaign spreading this malware that shared many similarities with the VIP Keylogger activity.
The attackers began by sending malicious archive files to targets by email, posing as requests for quotations. The archives contained a JavaScript file that mixes legitimate and malicious code.
Running the JavaScript decodes a Base64-encoded PowerShell script and executes it through an ActiveXObject. This script downloads an image from a web server; the image file contains Base64-encoded malicious code.
The script decodes that text into a .NET executable and loads it into the PowerShell process. This .NET executable is the same loader used in the VIP Keylogger campaign.
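The image step above is worth being able to check for yourself: a file that passes reputation filters because it starts like a PNG or JPEG can still carry a long Base64 string that decodes to a PE (MZ) file. The triage helper below is an added example, not HP Wolf's tooling and not code from either campaign. It scans a file for long runs of Base64 alphabet characters, decodes each run and reports whether the result starts with the MZ header of a Windows executable. The sample image bytes are constructed for the demo, and the 200-character minimum run length is an assumption chosen to skip short incidental matches.

```python
"""Triage helper: find a Base64-encoded PE file hidden inside an image.

Added example, not HP Wolf's code. It models the 0bj3ctivityStealer step
described above: the downloaded image is a real-looking image that carries a
long Base64 string which decodes to a .NET executable. The image bytes below
are constructed for the demo; the 200-character threshold is an assumption.
"""
import base64
import binascii
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def looks_like_image(data: bytes) -> bool:
    """True if the file starts like a PNG or JPEG (all a reputation filter sees)."""
    return data.startswith(PNG_MAGIC) or data.startswith(JPEG_MAGIC)


def triage_image(data: bytes, min_len: int = 200) -> list[dict]:
    """Return one finding per long Base64 run embedded anywhere in the bytes."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    findings = []
    for m in pattern.finditer(data):
        run = m.group(0)
        # Trim stray alphabet characters so the length is a multiple of 4.
        run = run[: len(run) - len(run) % 4]
        try:
            blob = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        findings.append({
            "offset": m.start(),
            "decoded_len": len(blob),
            "is_pe": blob.startswith(b"MZ"),  # DOS/PE header of a .NET executable
        })
    return findings


def build_sample_image() -> bytes:
    """Constructed sample: PNG-looking bytes with a fake MZ stub appended as Base64."""
    fake_pe = b"MZ" + bytes(298)  # stand-in for the .NET loader, not a real binary
    prefix = PNG_MAGIC + bytes(32) + b"IEND\xae\x42\x60\x82"
    return prefix + base64.b64encode(fake_pe)


if __name__ == "__main__":
    img = build_sample_image()
    print("image magic ok:", looks_like_image(img))
    for finding in triage_image(img):
        print(finding)
```

Run it against a suspect download with `triage_image(open(path, "rb").read())`; a finding with `is_pe` set on a file whose magic says image is exactly the pattern the report describes, and the offset tells you where in the file the blob sits.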
The similarities between the VIP Keylogger and 0bj3ctivityStealer campaigns suggest that malware kits are being shared across different groups, the researchers added.
Attackers Using GenAI to Assist Malware Delivery
The report also highlighted an HTML smuggling campaign delivering XWorm malware, which the researchers believe utilized files written with the help of GenAI.
HTML smuggling is an approach used by threat actors to deliver malicious content hidden within HTML files: the payload travels as an encoded string inside the page, and script in the page reassembles it in the browser, so no recognizable malicious file crosses the network for a gateway to inspect.
XWorm is a multi-purpose malware family that in most cases is used as a RAT or information stealer.
The researchers identified two hallmarks suggesting the HTML files had been written with the help of GenAI.
- There was a high volume of comments describing what the code does, which is something that GenAI services like ChatGPT often do
- The design of the HTML webpage delivering XWorm is almost identical to the output from ChatGPT-4o after prompting the LLM to generate an HTML page that offers a file download
If the user opens the HTML file in their web browser, the malicious content is decoded and downloaded.
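The two hallmarks above and the smuggling mechanism itself are all visible statically, so an attachment can be triaged before anyone opens it. The scanner below is an added example, not HP Wolf's tooling and not the XWorm campaign's HTML. It looks for the client-side reassembly APIs smuggling pages rely on (`atob`, `Blob`, `URL.createObjectURL`, a programmatic `download` attribute and click), decodes any long Base64 literal to sniff what would be dropped, and reports the share of lines that are comments, the first GenAI hallmark the researchers cite. The sample HTML is constructed for the demo and its payload is a harmless text string; the "three APIs plus a payload" verdict rule and the 64-character literal threshold are assumptions.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators.

Added example, not HP Wolf's code. The sample page below is constructed for
the demo and carries only a benign text string, not a real payload.
"""
import base64
import binascii
import re

# JavaScript APIs typically used to rebuild a file in the browser and save it.
SMUGGLING_APIS = [
    r"\batob\s*\(",
    r"new\s+Blob\s*\(",
    r"URL\.createObjectURL\s*\(",
    r"msSaveOrOpenBlob",
    r"\.download\s*=",
    r"\.click\s*\(\s*\)",
]
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive", b"%PDF": "PDF"}


def sniff(blob: bytes) -> str:
    """Identify what the smuggled bytes would be once written to disk."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return "text" if all(32 <= b < 127 or b in b"\r\n\t" for b in blob) else "binary"


def comment_density(html: str) -> float:
    """Share of non-blank lines that are comments (heavily commented = hallmark)."""
    lines = [l for l in html.splitlines() if l.strip()]
    comments = sum(1 for l in lines if l.strip().startswith(("//", "<!--", "/*", "*")))
    return comments / len(lines) if lines else 0.0


def scan_html(html: str) -> dict:
    apis = [p for p in SMUGGLING_APIS if re.search(p, html)]
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue
        payloads.append({"size": len(blob), "type": sniff(blob)})
    return {
        "apis": apis,
        "payloads": payloads,
        "comment_density": round(comment_density(html), 2),
        # Verdict rule is an assumption: several reassembly APIs plus an embedded blob.
        "smuggling_likely": len(apis) >= 3 and bool(payloads),
    }


# Constructed sample in the shape of a "page that offers a file download".
SAMPLE_PAYLOAD_BYTES = b"constructed benign sample, not a real payload: " + b"x" * 40
_TEMPLATE = """<!DOCTYPE html>
<html>
<!-- Page that offers a file for download -->
<body>
<script>
// The file content, Base64 encoded
var data = "PAYLOAD_B64";
// Decode the Base64 string into raw bytes
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
// Wrap the bytes in a Blob
var blob = new Blob([bytes], {type: "application/octet-stream"});
// Create a temporary link and trigger the download
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script>
</body>
</html>"""
SAMPLE_HTML = _TEMPLATE.replace("PAYLOAD_B64", base64.b64encode(SAMPLE_PAYLOAD_BYTES).decode())

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

The decoded-type check is the part worth keeping: a page that hands the browser a PE or ZIP it assembled itself is suspicious regardless of how the surrounding HTML is styled, while comment density on its own is only a weak signal and should feed a score, not a block decision.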
The researchers said that this activity points to the growing use of GenAI in the intermediate stages of the attack chain, focusing on initial access and malware delivery.
This development means threat actors can potentially scale their attacks and create more variations, increasing infection rates, by using GenAI in this way.
While there is currently no evidence that attackers are using GenAI in the development of malware payloads in the wild, the HP Wolf researchers believe that this could occur in the future as the technology’s capabilities improve.
Attackers Diversifying Tactics to Bypass Detection
The tactics observed in the report demonstrate that threat actors are repurposing and stitching together attack components to improve the efficiency of their campaigns.
This reduces the time and skill needed to create infection chains, enabling attackers to focus on experimenting with techniques to bypass detection, according to the researchers.
A variety of vectors and file formats were observed being used to deliver malware. Over half (52%) of malware delivered to endpoints was via email, although this represented a nine percentage point fall compared to Q2 2024.
Malicious web browser downloads grew by 10 percentage points to 28% in Q3.
Executables were the most popular malware delivery type (40%) in the period, a five-percentage point rise over Q2. This was followed by archive files (34%).
There was a notable rise in .lzh files, which made up 11% of archive files analyzed. Most of these malicious .lzh archive files targeted Japanese-speaking users.
PDF files made up 9% of threats analyzed, a two-percentage point rise compared to Q2.
Microsoft Word formats, such as DOC and DOCX, made up 8% of threats in Q3, while malicious spreadsheets, such as XLS and XLSX, totaled 7%.
Dr Ian Pratt, Global Head of Security for Personal Systems at HP, warned: "Cybercriminals are rapidly increasing the variety, volume, and velocity of their attacks. If a malicious Excel document is blocked, an archive file in the next attack may slip through the net."