HP Inc.

01/16/2025 | Press release | Distributed by Public on 01/16/2025 02:33

Hiding in Plain Site: Attackers Sneaking Malware into Images on Websites

PALO ALTO, Calif., January 16, 2025 - HP Inc. (NYSE: HPQ) today issued its latest Threat Insights Report, highlighting how threat actors are using malware kits and generative artificial intelligence (GenAI) to improve the efficiency of their attacks. Such tools are reducing the time and skill needed to create attack components, enabling attackers to focus on experimenting with techniques to bypass detection and trick victims into infecting their endpoints, such as embedding malicious code inside images.

The report provides an analysis of real-world cyberattacks, helping organizations to keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape. Based on data from millions of endpoints running HP Wolf Security, notable campaigns identified by HP threat researchers include:

  • Malware-by-numbers kits: HP threat researchers observed large campaigns spreading VIP Keylogger and 0bj3ctivityStealer malware that leverage the same techniques and loaders, suggesting the use of malware kits to deliver different payloads. In both campaigns, attackers hid the same malicious code in images on file hosting websites like archive.org, as well as using the same loader to install the final payload. Such techniques help attackers circumvent detection, as image files appear benign when downloaded from well-known websites, bypassing network security like web proxies that rely on reputation.
  • GenAI helping to create malicious HTML documents: Researchers also identified an XWorm remote access trojan (RAT) campaign initiated by HTML smuggling, which contained malicious code that downloads and runs the malware. Notably, similar to an AsyncRAT campaign analyzed in the previous quarter, the loader bore hallmarks that indicate that it may have been written with the help of GenAI, for example, including a line-by-line description and the design of the HTML page.
  • Gaming cheaters never prosper: Attackers are compromising video game cheat tools and modification repositories hosted on GitHub, adding executable files containing Lumma Stealer malware. This infostealer scrapes victims' passwords, crypto wallets, and browser information. Users frequently deactivate security tools to download and use cheats, putting them at greater risk of infection without isolation technology in place.

Alex Holland, Principal Threat Researcher in the HP Security Lab, comments:

"The campaigns analyzed provide further evidence of the commodification of cybercrime. As malware-by-numbers kits are more freely available, affordable, and easy to use, even novices with limited skills and knowledge can put together an effective infection chain. Throw GenAI into the mix to write the scripts, and the barriers to entry get even lower. This allows groups to concentrate on tricking their targets and picking the best payload for the job - for instance by targeting gamers with malicious cheat repositories."

By isolating threats that have evaded detection tools on PCs - but still allowing malware to detonate safely - HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 65 billion email attachments, web pages, and downloaded files with no reported breaches.

The report, which examines data from calendar Q3 2024, details how cybercriminals continue to diversify attack methods to bypass security tools that rely on detection, such as:

  • At least 11% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.
  • Executables were the most popular malware delivery type (40%), followed by archive files (34%).
  • There was a notable rise in .lzh files, which made up 11% of archive files analyzed - with most malicious .lzh archive files targeting Japanese-speaking users.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., comments:

"Cybercriminals are rapidly increasing the variety, volume, and velocity of their attacks. If a malicious Excel document is blocked, an archive file in the next attack may slip through the net. Instead of trying to detect rapidly shifting infection methods, organizations should focus on reducing their attack surface. This means isolating and containing risky activities such as opening email attachments, clicking on links, and browser downloads to reduce the chances of a breach."

HP Wolf Security runs risky tasks in isolated, hardware-enforced virtual machines running on the endpoint to protect users, without impacting their productivity. It also captures detailed traces of attempted infections. HP's application isolation technology mitigates threats that can slip past other security tools and provides unique insights into intrusion techniques and threat actor behavior.

About the Data

This data was gathered from consenting HP Wolf Security customers from July-September 2024.

About HP Wolf Security

HP Wolf Security is world-class endpoint security. HP's portfolio of hardware-enforced security and endpoint-focused security services is designed to help organizations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services. Visit https://hp.com/wolf.