CyberSecurityBoard
Sponsor Register Login

New Stego Campaign Leverages MS Office Vulnerability to Deliver AsyncRAT

Cybersecurity researchers have discovered a sophisticated malware campaign that employs steganography techniques to hide malicious code within seemingly innocent image files. This attack chain leverages an older Microsoft Office vulnerability (CVE-2017-0199) to ultimately deliver AsyncRAT, a remote access trojan capable of providing attackers with complete control over victim systems. Upon execution, the compromised Prnport.vbs file constructs and executes a complex PowerShell script that downloads an image file containing hidden malicious code. The attack begins with phishing emails containing malicious Microsoft Office documents designed to exploit CVE-2017-0199, a vulnerability first reported in April 2017. The extracted code reveals a DLL named “Microsoft.Win32.TaskScheduler” that employs process hollowing techniques to inject the AsyncRAT payload into a legitimate MSBuild process. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The most innovative aspect of this attack involves the steganography technique used to hide the malicious injector DLL within a seemingly harmless image file. This PowerShell script looks innocent at first glance but contains multiple obfuscation techniques designed to evade detection. “This attack demonstrates the continuing evolution of threat actors’ techniques,” noted a Sophos analyst examining the campaign. This open-source remote access tool provides attackers with extensive capabilities including remote desktop access, keylogging, and the ability to deploy additional malware including ransomware. When the victim opens the compromised image, they see only an ordinary photograph, unaware that malicious code is hidden inside. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Sophos researchers identified this campaign as particularly dangerous due to its multi-stage nature and use of steganography to avoid traditional security controls. The PowerShell script extracts this concealed code by locating specific Base64 markers (> and >) within the image’s data.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 24 Apr 2025 15:20:08 +0000


Cyber News related to New Stego Campaign Leverages MS Office Vulnerability to Deliver AsyncRAT

New Stego Campaign Leverages MS Office Vulnerability to Deliver AsyncRAT - Cybersecurity researchers have discovered a sophisticated malware campaign that employs steganography techniques to hide malicious code within seemingly innocent image files. This attack chain leverages an older Microsoft Office vulnerability ...
3 hours ago Cybersecuritynews.com CVE-2017-0199
MirrorFace Hackers Customized AsyncRAT Execution Chain to Run Within Windows Sandbox - The threat actor delivers multiple files to the compromised machine: legitimate 7-Zip executable and library files (7z.exe and 7z.dll), a password-protected archive containing AsyncRAT (disguised as setup.exe), a batch script that unpacks and ...
1 month ago Cybersecuritynews.com
November 2023's Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus - Researchers reported on a new AsyncRAT campaign where malicious HTML files were being used to spread the stealthy malware. Our latest Global Threat Index for November 2023 saw researchers discover a AsyncRAT campaign where malicious HTML files were ...
1 year ago Blog.checkpoint.com
This Malware is Assaulting Critical US Infrastructure for Almost a Year - Over the course of the last 11 months, a threat group has actively engaged in a phishing campaign targeting employees across various companies, distributing an open-source trojan program named AsyncRAT. The victims of this campaign notably include ...
1 year ago Cysecurity.news
AsyncRAT Loader Delivers Malware via JavaScript - For at least 11 months, this threat actor has been working on delivering the Remote Access Trojan through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains later, the threat actor is persistent ...
1 year ago Cybersecurity-insiders.com
Stealthy AsyncRAT malware attacks targets US infrastructure for 11 months - A campaign delivering the AsyncRAT malware to select targets has been active for at least the past 11 months, using hundreds of unique loader samples and more than 100 domains. AsyncRAT is an open-source remote access tool for Windows, publicly ...
1 year ago Bleepingcomputer.com
CVE-2008-7092 - Multiple cross-site scripting (XSS) vulnerabilities in Unica Affinium Campaign 7.2.1.0.55 allow remote attackers to inject arbitrary web script or HTML via a Javascript event in the (1) url, (2) PageName, and (3) title parameters in a ...
7 years ago
Microsoft Office 2024 now available for Windows and macOS users - As announced earlier in September, starting in Office 2024, Microsoft will also turn off ActiveX controls by default in Word, Excel, PowerPoint, and Visio client apps, a measure likely prompted by ActiveX's well-known security issues. Last month, ...
6 months ago Bleepingcomputer.com
Microsoft: Office 2016 and Office 2019 reach end of support in October - You can also switch to Office 2024, a standalone Office version released in October 2024 for small businesses and consumers without a Microsoft 365 subscription. This version includes locked-in-time versions of Word, Excel, PowerPoint, ...
1 week ago Bleepingcomputer.com
AsyncRAT Malware Attacking the US Infrastructure - AsyncRAT is an open-source remote access Trojan malware known for its ability to provide unauthorized access and control over infected systems. Hackers use it actively for various malicious purposes, including:-. Cybersecurity researchers at AT&T ...
1 year ago Gbhackers.com
'PhantomBlu' Cyberattackers Backdoor Microsoft Office Users via OLE - A malicious email campaign is targeting hundreds of Microsoft Office users in US-based organizations to deliver a remote access trojan that evades detection, partially by showing up as legitimate software. Threat actors previously have used the RAT ...
1 year ago Darkreading.com
Government Quash All Post Office Horizon Convictions - It comes after the government in July 2021 had promised to compensate those postmasters who had their Horizon-related convictions overturned. The Government said this week it has committed to making sure these convictions are overturned by the end of ...
1 year ago Silicon.co.uk
Russian Cyberattackers Launch Multiphase PsyOps Campaign - Russia-linked threat actors employed both PysOps and spear-phishing to target users over several months at the end of 2023 in a multiwave campaign aimed at spreading misinformation in Ukraine and stealing Microsoft 365 credentials across Europe. The ...
1 year ago Darkreading.com
New Malware Attacked 'Desert Dexter' Compromised 900+ Victims Worldwide - Security researchers at Positive Technologies have uncovered a sophisticated malware campaign dubbed “Desert Dexter” that has compromised more than 900 victims worldwide since September 2024. Positive Technologies researchers noted that ...
1 month ago Cybersecuritynews.com
Hackers Deliver AsyncRAT Through Weaponized WSF Script Files - The AsyncRAT malware, which was previously distributed through files with the. Chm extension, is now being disseminated via WSF script format. The WSF file was found to be disseminated in a compressed file format through URLs included in emails. ...
1 year ago Gbhackers.com
Microsoft 365 To Block Downloaded Excel XLL Add-Ins To Boost Security - Microsoft has recently announced that in order to help improve security, Microsoft 365 is now blocking the download of XLL add-ins for Excel on both Window PCs and Apple Macs. This new feature will be put into effect early 2021, affecting both Office ...
2 years ago Bleepingcomputer.com
Global malspam targets hotels, spreading Redline and Vidar stealers - The latest global malspam campaign targets the hotel industry, emphasizing the need to stay alert against such attacks at all times. Cybersecurity researchers at Sophos X-Ops have issued a warning to the hospitality industry about a sophisticated ...
1 year ago Hackread.com
Microsoft: New Windows scheduled task will launch Office apps faster - "We are introducing a new Startup Boost task from the Microsoft Office installer to optimize performance and load-time of experiences within Office applications," Microsoft says on the Microsoft 365 message center. However, Microsoft says this ...
4 weeks ago Bleepingcomputer.com
New Web injections campaign steals banking data from 50,000 people - A new malware campaign that emerged in March 2023 used JavaScript web injections to try to steal the banking data of over 50,000 users of 40 banks in North America, South America, Europe, and Japan. IBM's security team discovered this evasive threat ...
1 year ago Bleepingcomputer.com
Hackers Increasingly Use Microsoft OneNote to Deliver Malware - OneNote documents are increasingly being used by threat actors to send malware to unsuspecting end users via email, according to Proofpoint researchers. It infects victims with remote access malware that can be used to install additional malware, ...
2 years ago Cybersecuritynews.com
Microsoft launches ad-supported Office apps for Windows users - Microsoft has released ad-supported versions of its Office desktop apps, which have limited features but allow Windows users to edit their documents for free. While Microsoft allows customers to use Word, Excel, PowerPoint, and other Microsoft ...
1 month ago Bleepingcomputer.com
Cybercriminals expand targeting of Iranian bank customers with known mobile malware - Researchers have uncovered more than 200 fake mobile apps that mimic major Iranian banks to steal information from their customers. The campaign was first discovered in July of this year, but since then, the cybercriminals have expanded their ...
1 year ago Therecord.media
Checking Microsoft Office for Outdated Versions While Maintaining Privacy - Microsoft has released an update, KB5021751, which is designed to identify the number of customers running Office versions that are outdated or close to their end of support. This update is only installed on systems where Office 2013, Office 2010, or ...
2 years ago Bleepingcomputer.com
2024 Tech Predictions: Hybrid Collaboration is Here to Stay - Reflections from the Consumer Electronics Show and predictions for the year in tech. From home, the office and everywhere in between, we use Cisco collaboration solutions to solve hybrid work's greatest challenges, while inspiring innovation, ...
1 year ago Feedpress.me
Neurosurgeons of New Jersey Confirms Cyber Attack Resulting in Recent Data Breach - On December 4, 2023, Neurosurgical Associates of New Jersey filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after discovering. In this notice, Neurosurgeons of New Jersey explains that an ...
1 year ago Jdsupra.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)