Powload campaign activity distributing since 2018 through fileless techniques and hijacking email accounts to deliver the information-stealing malware such as emotet and Ursnif.
But the recent attacks employed the steganography techniques in which attackers turn from the fileless method(straight forward infection chain) that has been changed by adding additional stages to deliver the malware that helps to evade the detection.
Steganography, a method used by attackers to hide the malicious code within the image that is mainly employed by exploit kits to hide the malvertising traffic.
This unique technique used by attackers to drop and execute well-known malware such as Ursnif and Bebloh using steganography within the infection chain process.
Steganography Approach by Powload Malware
In this case, Powload malware abuse a publicly available script called (Invoke-PSImage) that helps to Embed malicious scripts in the pixels of a PNG file.
Later attackers approaching the victims via spam email campaigns that contain a document with embedded malicious macro code.
In this case, attackers using various social engineering technique lures to trick the user to download the attachment and click on it.
Once victims click the document, PowerShell script will be executed and download an image hosted online that contains the malicious code.
According to the Trend Micro research, “The methods for region detection vary from the samples we analyzed. Some use the PowerShell command “Get-Culture” to obtain the computer’s regional settings. Others get the value of the xlCountrySetting property (which returns information about the current regional settings) in Excel to determine the affected machine’s location.”
In this case, the malicious code only executed if the infected machine location xlCountrySetting is equal to 81 (Japan) or 82 (Korea). This can be achieved using a free tool (hxxp://ipinfo.io/country) help to return an IP address’ country.
The main motivation of this campaign to steal the victim’s sensitive information, but the researchers believe that Powload also delivers the payload to perform other malicious operations.