
Threat Actor Employs PowerShell-Backed Steganography in Recent Spam Campaigns

Key Takeaways

  • The blog examines an infection method used to distribute several Remote Access Trojans (RATs), which serve as the final payload in the campaign.
  • It gives an overview of how the Equation Editor vulnerability is used to download the initial-stage payload (VBS) from the Excel document.
  • It explains how the VB script’s execution uses PowerShell to download a JPG image that hides a base64-encoded .NET payload using steganography.
  • Executing the .NET assembly downloads the final RAT payload, injects it, and starts its malicious operation on the victim’s system.

Executive Summary

Threat Actors (TAs) have adapted their tactics to utilize malicious PowerShell content driven by compelling motives. This approach allows them to operate stealthily, bypass traditional security defenses, and leverage existing tools on compromised systems. PowerShell’s versatility, ease of use, and scripting nature make it an attractive choice for attackers seeking agility and customization. Our recent blogs discussing AgentTesla and the Exploitation of Microsoft CMSTP delve into campaigns incorporating PowerShell scripts within their attack chains.

During CRIL’s recent threat hunting activity using VirusTotal (VT), we encountered a spam campaign that utilized PowerShell-backed steganography. Further investigation uncovered a novel method for disseminating various RAT (Remote Access Trojan) malware such as LimeRAT, AgentTesla, and Remcos. This campaign was initially identified by a researcher, Ankit Anubhav.

This strategy involves the initial step of sending a spam email with an attached Excel file. When the Excel document is accessed, it exploits a vulnerability in the equation editor to kickstart the download of a VB script payload. Following execution of this payload, a PowerShell script is triggered. This PowerShell script retrieves a JPG image, within which concealed data is embedded using steganography.

Upon extracting and decoding the hidden content from the JPG image, a .NET assembly is obtained. This assembly is then loaded and invoked with the final payload URL as a parameter. In the end, the RAT malware payload is downloaded and injected into the legitimate process of the victim system, as illustrated in the figure below.

Figure 1 – Infection chain

Initial Infection

The initial infection begins with a spam email that contains an Excel attachment with file names such as:

• entregar_confirmacion_de_direccion.xlsx
• Swift ACC Reference A2300078.xls
• CN_86607433K.xlam
• Vertex_PO3760987.xls
• New Order Green Valley .xlam

The figure below shows some of the spam emails we have observed in the wild used in the malware campaign.

Figure 2 – Spam email
Figure 3 – Spam email
Figure 4 – Spam email


Technical Analysis

The emails come with an Excel file attached (formats such as .xls, .xlsx, .xla, .xlam) containing embedded content. Once the document is opened, users must enable editing to access the content, as shown below.

Figure 5 – Malicious Excel attachment
Figure 6 – Malicious Excel attachment


CVE-2017-11882: Equation Editor Exploitation

When the Excel file is opened as a zip archive, it shows numerous files and folders. Among these, the XML file “sheet1.xml.rels” located in the “xl\worksheets\rels” directory contains the path to the specific embedded document named “aU2WuhBz0.j32a9” within the Excel file.

The “aU2WuhBz0.j32a9” document exploits the Equation Editor Vulnerability (CVE-2017-11882) to initiate the download of the subsequent payload in the attack chain, as shown in the figure below.

Figure 7 – Embedded Doc file inside Excel document
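
The rels lookup described above can be reproduced during attachment triage. The following Python is an added example, not code from the original blog: it lists every oleObject relationship in an OOXML workbook and checks whether the target is an OLE2 container. The `xl/embeddings/` location and the sample workbook contents are constructed assumptions; legacy .xls files are not ZIP archives and are out of scope.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL = REL_BASE + "oleObject"
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature

def embedded_ole_objects(workbook_bytes):
    """List (rels part, resolved target, is_ole2) for each oleObject relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as zf:
        names = set(zf.namelist())
        for part in sorted(n for n in names if n.endswith(".rels")):
            # xl/worksheets/_rels/sheet1.xml.rels describes xl/worksheets/sheet1.xml,
            # so relative targets resolve against xl/worksheets/.
            base = posixpath.dirname(posixpath.dirname(part))
            for rel in ET.fromstring(zf.read(part)).iter(REL_NS + "Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External":
                    target = posixpath.normpath(posixpath.join(base, target))
                head = zf.read(target)[:8] if target in names else b""
                found.append((part, target, head == OLE_MAGIC))
    return found

def build_sample():
    """Constructed workbook: only the parts this check reads, harmless contents."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="../embeddings/aU2WuhBz0.j32a9"/>'
        f'<Relationship Id="rId2" Type="{REL_BASE}drawing" Target="../drawings/drawing1.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        zf.writestr("xl/embeddings/aU2WuhBz0.j32a9", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()

if __name__ == "__main__":
    for rels_part, target, is_ole2 in embedded_ole_objects(build_sample()):
        print(f"{rels_part}: oleObject -> {target} (OLE2 container: {is_ole2})")
```

An embedded object whose file name carries a random-looking extension, as in this campaign, is worth flagging before the attachment reaches a user.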

When “Enable editing” is clicked, the XML data in “sheet1.xml.rels” is parsed to retrieve the path of the embedded OLE object data, which is then executed. This execution uses the vulnerable “EQNEDT32.EXE” to run malicious shellcode, which downloads a VB script file from the following URL:

  • hxxp://195[.]178[.]120[.]24/uchetuesdayyyyy[.]vbs

Below are the similar URLs used for downloading the VB Script file in the campaign.

  • hxxp://195[.]178[.]120[.]24/whorefileOnline[.]vbs
  • hxxp://195[.]178[.]120[.]24/investord2[.]0[.]vbs
  • hxxp://192[.]210[.]175[.]4/780/hkcmd[.]vbs
  • hxxp://104[.]168[.]46[.]25/0800/internet[.]vbs
  • hxxp://195[.]178[.]120[.]24/investor2[.]0[.]vbs
  • hxxp://192[.]210[.]175[.]4/receipt_232/1/receipt[.]vbs
  • hxxp://192[.]210[.]175[.]4/lime/Lime[.]vbs
  • hxxp://192[.]3[.]64[.]143/400/ChromeSetup[.]vbs
  • hxxp://23[.]94[.]239[.]89/2301/chromium[.]vbs
  • hxxp://195[.]178[.]120[.]24/investorrrrVbs2[.]0[.]vbs

The figure below shows the extracted payload URL along with the API function used to download the payload. The data was extracted using the tool “scdbg.”

Figure 8 – Payload URL extracted from Doc file

The downloaded VBS file is saved in the root of the %appdata% folder and is named “uchewed.vbs”. The path for this file is as follows:

  • C:\Users\<Admin>\AppData\Roaming\uchewed.vbs

Steganography Technique

The VBS file that was dropped in the %appdata% is heavily obfuscated. When executed, it undergoes a process of de-obfuscation in memory, running the enclosed PowerShell code within the VBS. Subsequently, the PowerShell code within the VBS retrieves yet another set of PowerShell content, which remains in memory, as shown in the figure below.

Figure 9 – VBS launching PowerShell script

The new PowerShell script now involves downloading a JPG file content from the following URL:

  • hxxp://uploaddeimagens[.]com[.]br/images/004/559/510/original/rump_private[.]jpg ?1690504129

This JPG file content includes Base64 encoded malware data placed between the markers <<BASE64_START>> and <<BASE64_END>>, as shown in the figure below.

Figure 10 – JPEG image with hidden Base64 payload


Upon successfully obtaining the JPG content, the PowerShell script proceeds to parse the JPEG file and decode the hidden base64 content present within the image between the specified markers.
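
For triage of a suspect image, the same marker search can be run offline. The Python below is an added example, not code from the original blog or the malware: it locates the <<BASE64_START>>/<<BASE64_END>> pair, decodes the content, and reports whether it looks like a PE file along with its SHA-256 for lookup. The sample image is constructed and carries only a harmless 64-byte stub.

```python
import base64
import binascii
import hashlib

START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"

def carve_marked_payload(blob):
    """Return a triage dict for the first marker pair in blob, or None if absent."""
    s = blob.find(START)
    if s < 0:
        return None
    e = blob.find(END, s + len(START))
    if e < 0:
        return {"offset": s, "error": "start marker without end marker"}
    encoded = b"".join(blob[s + len(START):e].split())  # tolerate line breaks
    try:
        decoded = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        return {"offset": s, "error": f"invalid base64: {exc}"}
    return {
        "offset": s,
        "is_jpeg": blob[:3] == b"\xff\xd8\xff",
        # An end-of-image marker earlier in the file suggests appended data.
        "eoi_before_marker": blob.rfind(b"\xff\xd9", 0, s) >= 0,
        "decoded_len": len(decoded),
        "looks_like_pe": decoded[:2] == b"MZ",
        "sha256": hashlib.sha256(decoded).hexdigest(),
    }

def build_sample():
    """Constructed image: minimal JPEG framing plus a harmless 64-byte 'MZ' stub."""
    stub = b"MZ" + b"\x00" * 62
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
    return jpeg + START + base64.b64encode(stub) + END

if __name__ == "__main__":
    print(carve_marked_payload(build_sample()))
```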

Subsequently, the PowerShell script loads the decoded binary payload, which is a .NET assembly. The script attempts to get the type named “Fiber.Home” from the loaded assembly and then fetches a method named “VAI” from that type. Finally, it invokes the “VAI” method with the provided argument: a URL in reversed string format.

The figure below shows the de-obfuscated second-stage PowerShell script present in memory.

Figure 11 – PowerShell script downloading JPEG image & final payload

Once the “VAI” method of the “Fiber.Home” type is called with the reversed URL parameter, the method itself reverses the URL and proceeds to download it using the DownloadString() function. The actual URL, which is reversed from the passed parameter of the invoked method, is:

  • hxxp://195[.]178[.]120[.]24/noblefileeeeeeeebase64[.]txt

Listed below are a series of similar URLs that download the final payload binary in the malware campaign.

  • hxxp://192[.]210[.]175[.]4/780/777/conhost[.]txt
  • hxxp://195[.]178[.]120[.]24/apama2base64[.]txt
  • hxxp://23[.]94[.]239[.]89/2301/uac/updation[.]txt
  • hxxp://104[.]168[.]46[.]25/FNF/BINtwo[.]txt
  • hxxp://195[.]178[.]120[.]24/investorbase64[.]txt
  • hxxp://192[.]210[.]175[.]4/lime/IE_Cache[.]txt

The downloaded data is a base64-encoded string in reversed order. The “VAI” method reverses the content received from the final payload URL and decodes it using the Convert.FromBase64String() function.

The image below depicts a code snippet of the “VAI” method within the “Fiber.Home” type of the Fiber DLL .NET assembly.

Figure 12 – Extracted DLL payload from JPEG image

The decoded base64 content is then injected into “RegAsm.exe” using the process hollowing technique, with the APIs shown in the figure below.

Figure 13 – APIs used for Process Hollowing

In the decoded final content from the base64 format, we have identified malware payload binaries that have been injected into “RegAsm.exe.” Specifically, these malware variants are Remcos, AgentTesla, and LimeRAT.

Final Payload


Remcos is a type of RAT; it is a tool for TAs to remotely control compromised systems. This RAT is equipped with a range of capabilities, including remote control over victim computers, data theft, keylogging, screen capturing, file manipulation, and the ability to execute commands. Remcos emerged as a commercially available malware and has been misused by TAs for unauthorized access, data exfiltration, and other malicious activities. Its functions encompass a suite of tactics aimed at stealthy infiltration, evasion of security software, and persistent control over compromised machines.


Agent Tesla functions as a RAT and data theft tool based on .NET. It is commonly employed to secure initial access and is frequently utilized as part of Malware-As-A-Service (MaaS) operations. Its functionality involves surreptitiously recording keystrokes, capturing screenshots, and harvesting sensitive information from compromised systems. Agent Tesla is designed to covertly monitor victim activity, extracting confidential data such as login credentials, personal details, and financial information. The malware’s extensive capabilities make it a preferred tool for TAs engaged in data theft, fraud, and other malicious activities. It can send collected data to its command and control (C&C) server through various channels, including HTTP(S), SMTP, FTP, or even to a designated Telegram channel.


LimeRAT operates as a RAT with a focus on unauthorized control over compromised systems. This malware exhibits a multifaceted arsenal of malicious actions. It engages in encrypting files, coercing victims to pay ransoms for decryption. Additionally, it delves into cryptocurrency mining, harnessing compromised systems’ resources for its gain. The malware’s insidious reach extends to pilfering sensitive information and credentials, thus compromising data security. Its tactics include logging keystrokes, enabling cybercriminals to access confidential data. Furthermore, it propagates itself to other devices, enhancing its sphere of influence. With a penchant for orchestrating distributed denial-of-service (DDoS) attacks, the malware transforms infected devices into a potent botnet.


The utilization of spam emails as a preferred method by TAs stands out due to its widespread impact, cost-effectiveness, and exploitation of human behaviors. The effectiveness of this strategy hinges on social engineering tactics, the ability to remain anonymous, and the global reach for targeting. In the ongoing campaign, TAs have adopted spam emails containing malicious Excel attachments to initiate their operations. The initial VBS payload, executed through these attachments, leverages PowerShell to retrieve a seemingly harmless JPEG image, which, in reality, conceals the subsequent payload. This payload employs steganography techniques to remain hidden. This intricate approach serves to elude detection, minimize suspicion, and establish secure communication with command-and-control servers. Additionally, the final stage involves the deployment of a RAT malware payload, downloadable through the previously established channels. This allows the attackers to gain unauthorized access to the victim’s system, enabling them to engage in a range of malicious activities.

The combination of these techniques underscores the sophistication of modern cyber threats, emphasizing the need for robust cybersecurity measures, user education, and proactive defense strategies to safeguard against evolving attack vectors. CRIL will continue monitoring the new malware strains and phishing campaigns in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.

Our Recommendations

  • The initial compromise takes place through spam emails. As a result, it’s recommended to implement robust email filtering solutions to detect and thwart the distribution of malicious attachments.
  • The campaign capitalizes on an outdated vulnerability (CVE-2017-11882) present in the equation editor. To prevent the risk of infection, it is recommended that users apply the patch that addresses this vulnerability.
  • As part of this campaign, a reversed HTTP string (//:ptth) is utilized in the PowerShell command to fetch the final payload. Consequently, it’s recommended to block the PowerShell processes when the command line includes the reversed HTTP (//:ptth) string.
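
The last recommendation, together with the reversed URL passed to “VAI”, maps onto a check over process-creation telemetry. The Python below is an added example, not code from the original blog: it flags PowerShell command lines containing a reversed URL scheme and recovers the URL in defanged form for the alert. The event tuples, host names and example.invalid URLs are constructed, and matching the reversed https form is an added generalization.

```python
import re

# Reversed schemes: "//:ptth" is named on the page; "//:sptth" is an added assumption.
REVERSED_URL = re.compile(r"[^\s'\"(),;]+//:s?ptth", re.IGNORECASE)
POWERSHELL_IMAGE = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)

def defang(url):
    """Make a recovered URL safe to paste into tickets and reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def scan(events):
    """events: iterable of (host, image, command_line). Returns a list of alerts."""
    alerts = []
    for host, image, cmdline in events:
        if not POWERSHELL_IMAGE.search(image):
            continue  # the recommendation targets PowerShell processes only
        for match in REVERSED_URL.finditer(cmdline):
            recovered = match.group(0)[::-1]  # undo the string reversal
            alerts.append({"host": host, "url": defang(recovered)})
    return alerts

def sample_events():
    """Constructed process-creation events; URLs point at example.invalid."""
    ps5 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    ps7 = r"C:\Program Files\PowerShell\7\pwsh.exe"
    rev_http = "http://example.invalid/payload.txt"[::-1]
    rev_https = "https://example.invalid/a.txt"[::-1]
    return [
        ("ws-01", ps5, f"powershell.exe -Command $link = '{rev_http}'"),
        ("ws-02", ps5, "powershell.exe -Command Get-Content http://example.invalid/readme.txt"),
        ("ws-03", r"C:\Windows\System32\cmd.exe", f"cmd.exe /c echo {rev_http}"),
        ("ws-04", ps7, f"pwsh -c $link = '{rev_https}'"),
    ]

if __name__ == "__main__":
    for alert in scan(sample_events()):
        print(alert)
```

The second-stage script in this campaign runs in memory, so the same pattern should also be applied to PowerShell script block logs where they are collected.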

MITRE ATT&CK Techniques

  • Initial Access: T1566.001 Spearphishing Attachment
  • Execution: T1203 Exploitation for Client Execution; Windows Management Instrumentation; Visual Basic
  • Privilege Escalation: T1055 Process Injection
  • Defense Evasion: T1497 Virtualization/Sandbox Evasion; Obfuscated Files or Information; Disable or Modify Tools
  • Credential Access: T1003 OS Credential Dumping; Input Capture
  • Discovery: T1057 Process Discovery; Query Registry; System Information Discovery; File and Directory Discovery; Security Software Discovery
  • Collection: T1005 Data from Local System
  • C&C: T1071 Application Layer Protocol; Encrypted Channel; Ingress Tool Transfer

Indicators of Compromise (IOCs)

  • hxxp://uploaddeimagens[.]com[.]br/images/004/559/510/original/rump_private[.]jpg ?1690504129 (URL to download the JPEG image with hidden Base64 encoded data)



YARA Rule

rule mal_PS_downloader
{
    meta:
        author = "Cyble"
        description = "Detects Powershell downloader Files"
        date = "2023-08-25"
        os = "Windows"
        threat_name = "Powershell downloader"
        scan_type = "Memory"
        severity = 90
        reference_sample = "6f8e8ab842590c2c1d7b873ee0cea9940a99de6f9de5b5df7a46fa76c002e396"

    strings:
        $a = "$imageUrl" ascii wide
        $b = ".jpg?" ascii wide
        $c = ".DownloadData(" ascii wide
        // start marker of the Base64 payload hidden in the JPG
        $d = "<<BASE64_START>>" ascii wide
        // in-memory load of the decoded .NET assembly
        $e = "[System.Reflection.Assembly]::Load" ascii wide
        // reversed "http://" of the final payload URL
        $f = "//:ptth" ascii wide

    condition:
        all of them
}
