Cybersecurity researchers have identified a steganography-based attack that uses fake Windows Update screens to spread malware. The lure is social engineering rather than an exploit: a page that imitates a Windows Update or verification prompt instructs the victim to paste a command into the Windows Run box or Command Prompt and execute it.
Stego Loader Tactics
The malicious webpage uses JavaScript to write a command to the victim's clipboard, so pasting it into the Run box or Command Prompt is all the victim has to do. When executed, the command downloads a PNG image that opens and renders normally. Hidden within the image's pixel color channels is an encoded and encrypted malware payload; the image itself carries nothing that a scanner would recognize as executable content.
The .NET Stego Loader then parses the image, extracts the embedded bytes and decrypts them in memory, so the final payload is never written to disk as a conventional executable that file-based scanning would inspect. To further evade detection, the loader calls thousands of empty functions before transferring control to the payload, a stalling technique aimed at sandboxes and emulators that give up after a bounded amount of analysis.
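The embed-and-extract step, shown here as an added example that is not the loader's code or the researchers' sample. It assumes the simplest form of the technique, in which each payload bit replaces the least significant bit of one color-channel byte, and it uses a SHA-256 counter keystream XOR as a stand-in for whatever cipher the real loader applies. The PNG writer and reader, the gradient cover image, the key and the payload bytes are all constructed for the demonstration; only the Python standard library is used.

```python
"""Added example: hide an encrypted payload in the colour channels of a PNG and
recover it in memory, the way a stego loader does. Standard library only."""
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed stand-ins: the real key lives in the loader, the real payload is an executable.
KEY = b"demo-key-recovered-from-loader"
PAYLOAD = b"MZ\x90\x00 constructed stand-in for second-stage bytes"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, tag, body, CRC over tag+body."""
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))


def make_png(width: int, height: int, channels: bytes) -> bytes:
    """Write an 8-bit RGB PNG from flat R,G,B,R,G,B,... bytes (filter type 0 on every row)."""
    assert len(channels) == width * height * 3
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 = RGB
    rows = b"".join(b"\x00" + channels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Return (width, height, flat RGB bytes). Handles only the unfiltered 8-bit RGB
    layout make_png() emits; a real loader would use a full image decoder."""
    assert data.startswith(PNG_SIG), "not a PNG"
    pos, width, height, idat = len(PNG_SIG), 0, 0, b""
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            assert (depth, ctype) == (8, 2), "example supports 8-bit RGB only"
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # 4 length + 4 tag + body + 4 crc
    stride = width * 3 + 1
    raw = zlib.decompress(idat)
    rows = [raw[y * stride:(y + 1) * stride] for y in range(height)]
    assert all(r[0] == 0 for r in rows), "example supports filter type 0 only"
    return width, height, b"".join(r[1:] for r in rows)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream: a stand-in for the loader's real cipher."""
    stream = b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def embed(channels: bytes, payload: bytes, key: bytes) -> bytes:
    """Write [4-byte length][encrypted payload], one bit per colour-channel byte,
    into the least significant bit. Each channel value moves by at most 1."""
    blob = struct.pack(">I", len(payload)) + xor_stream(payload, key)
    assert len(blob) * 8 <= len(channels), "cover image too small for payload"
    out = bytearray(channels)
    for i, byte in enumerate(blob):
        for bit in range(8):
            out[i * 8 + bit] = (out[i * 8 + bit] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read_lsb(channels: bytes, first_byte: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSB plane starting at byte index `first_byte`."""
    out = bytearray()
    for b in range(first_byte, first_byte + count):
        v = 0
        for bit in range(8):
            v = (v << 1) | (channels[b * 8 + bit] & 1)
        out.append(v)
    return bytes(out)


def extract(channels: bytes, key: bytes) -> bytes:
    """The loader's side: read the length field, pull that many bytes, decrypt in memory."""
    length = struct.unpack(">I", _read_lsb(channels, 0, 4))[0]
    assert (length + 4) * 8 <= len(channels), "length field implausible: no payload or wrong layout"
    return xor_stream(_read_lsb(channels, 4, length), key)


def build_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed cover: a smooth gradient standing in for the innocuous-looking image."""
    return bytes(v for y in range(height) for x in range(width)
                 for v in (x * 4 % 256, y * 4 % 256, (x + y) * 2 % 256))


def stego_roundtrip(payload: bytes = PAYLOAD, key: bytes = KEY):
    """Build the PNG a malicious server would host, then act as the loader: parse it,
    extract the LSB plane and decrypt. Returns (png_bytes, recovered_payload)."""
    png = make_png(64, 64, embed(build_cover(), payload, key))
    _, _, channels = parse_png(png)
    return png, extract(channels, key)


if __name__ == "__main__":
    png, recovered = stego_roundtrip()
    print(len(png), "byte PNG; recovered payload matches:", recovered == PAYLOAD)
```

Two points the round trip makes concrete. First, the stego image is a fully valid PNG whose every channel value is within one step of the cover, which is why it renders normally and why signature-based scanning of the download sees only an image. Second, nothing on the wire or on disk is the payload: the bytes only come together in the loader's memory after extract() and decryption, so detection has to look at the process that fetches and decodes the image, not at the image file. An analyst who has recovered the key and the bit layout from the .NET loader can reproduce the extraction with the same few functions.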
Safety Measures
This attack depends entirely on the user following on-screen instructions; no vulnerability is exploited. Crucial safety tips include:
- Never paste commands from websites or unsolicited prompts into the Run box, Command Prompt or PowerShell. No legitimate Windows Update or verification flow asks for this.
- Close full-screen "update" or "verification" pages shown in the browser; Windows updates are installed through Settings, never from a web page.
- Keep systems and security software updated.
- Restrict or disable the Run box for vulnerable users, for example with the Group Policy setting "Remove Run menu from Start Menu" (the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer). This is a partial control, since the same lure can direct users to a terminal instead.
These measures are vital to protect against this social engineering attack. For detection, the Run box keeps a history of executed commands under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and process-creation logging with command lines captures the pasted command; both are worth hunting for commands that fetch and decode image files.