Malware Delivery Evolves with MSI Background JPEG Technique
Threat actors are increasingly using a sophisticated technique involving MSI background JPEGs, delivered via phishing emails and cloud storage, to deploy malware.

A new malware delivery technique is gaining traction among threat actors, leveraging a popular method that embeds malicious payloads within MSI background JPEG files. This evolving attack chain, detailed by the SANS Internet Storm Center, begins with a phishing email that directs recipients to a WeTransfer link. While WeTransfer branding is often abused in phishing, in this instance the link did lead to the legitimate WeTransfer file sharing service.
The initial file shared via WeTransfer is a JavaScript file named "Remittance Advice.js." This script contains a significant amount of junk code designed to obfuscate its true purpose. Embedded within this obfuscation is the core functionality: it decodes a PowerShell payload using ROT13 and stores it in an environment variable named "INTERNAL_DB_CACHE." The script then uses Windows Management Instrumentation (WMI) to execute the decoded payload in a hidden window, so the user sees nothing on screen.
The PowerShell payload's primary function is to download the next stage of the attack from a Cloudflare Workers domain. The URL points to a file that appears to be an MSI background image, but is in fact a malicious .NET DLL. Disguising executables as common image files is a well-established tactic for evading detection. The DLL is a modified version of the open-source Microsoft.Win32.TaskScheduler library, indicating a focus on persistence and system manipulation.
Further analysis reveals that the malicious DLL, once loaded, fetches another file from a Cloudflare R2 storage bucket. This file, named "snake.png," is also presented as a background image. Threat actors frequently use steganography to hide payloads within seemingly innocuous image files, making them difficult to detect with signature-based scanning. This PNG file likely contains a further payload or the final malware component.
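Because both stages above are served under image names while at least one is really a .NET DLL, a content-versus-extension check is a practical detection step. The following is an added example, not code from the SANS diary or the article: it inspects the magic bytes of a downloaded file, walks the PE headers to see whether the CLR runtime data directory is populated (the marker of a .NET assembly), and flags any PE that arrived under an image extension. The `fake_dotnet_pe` sample is constructed here purely for demonstration and is not a real binary.

```python
import struct

# Magic bytes of the image formats the lure pretends to serve.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG\r\n\x1a\n"}

def pe_kind(data):
    """Return 'dotnet' or 'native' if data is a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                      # skip PE signature + COFF header
    if len(data) < opt + 2:
        return "native"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: NumberOfRvaAndSizes @92, dirs @96
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+: NumberOfRvaAndSizes @108, dirs @112
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return "native"
    if len(data) < dirs_off + 15 * 8:
        return "native"
    count = struct.unpack_from("<I", data, count_off)[0]
    if count > 14:                           # directory index 14 = CLR runtime header
        rva, size = struct.unpack_from("<II", data, dirs_off + 14 * 8)
        if rva and size:
            return "dotnet"
    return "native"

def classify(claimed_name, data):
    """Compare what the filename claims with what the bytes actually are."""
    ext = "." + claimed_name.rsplit(".", 1)[-1].lower()
    kind = pe_kind(data)
    if kind:
        return f"pe-{kind}-disguised-as-{ext}" if ext in IMAGE_MAGIC else f"pe-{kind}"
    if ext in IMAGE_MAGIC and data.startswith(IMAGE_MAGIC[ext]):
        return "image-ok"
    return "unknown"

def fake_dotnet_pe():
    """Constructed sample: minimal PE32 with a populated CLR directory (not a real DLL)."""
    buf = bytearray(0x40 + 24 + 224)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)             # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", buf, opt + 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 14 * 8, 0x2008, 0x48)  # CLR header rva/size
    return bytes(buf)
```

Run `classify` over anything fetched with an image extension; a `pe-dotnet-disguised-as-.jpg` verdict is the condition described in the article and a reasonable trigger for an EDR or proxy alert.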
The use of Cloudflare Workers and R2 storage highlights a trend where attackers are exploiting legitimate, widely-used cloud services to host their malicious infrastructure. This approach helps them maintain a lower profile, avoid immediate takedown, and leverage the global distribution and reliability of these platforms. The multi-stage nature of this attack, involving JavaScript, PowerShell, a .NET DLL, and potentially steganography within a PNG, demonstrates a growing sophistication in malware delivery.
This technique is an evolution of previously observed methods where payloads were directly embedded in JPEGs. By chaining multiple stages and using legitimate cloud services, attackers aim to increase the chances of initial compromise and subsequent execution, making it harder for security tools and analysts to track and block the entire attack chain. The reliance on WMI for execution and the use of modified legitimate libraries suggest a focus on stealth and advanced evasion tactics.
While specific threat actor attribution is not yet detailed, the methodology points towards actors with a moderate to high level of technical proficiency. The ongoing use and refinement of such techniques underscore the need for robust endpoint detection and response (EDR) solutions, comprehensive security awareness training for users to identify phishing attempts, and continuous monitoring of network traffic for suspicious downloads and process executions.