SteganoAmor campaign: TA558 mass-attacking companies and public
institutions all around the world
By Positive Technologies
Published: 2024-08-19 · Archived: 2026-04-05 18:26:21 UTC
Researchers from the Positive Technologies Expert Security Center discovered more than three hundred attacks worldwide,
which they confidently attributed to the well-known TA558 group.
As originally described by researchers at ProofPoint, TA558 is a relatively small financially motivated cybercrime group
that has attacked hospitality and tourism organizations mainly in Latin America, but has also been identified behind attacks
on North America and Western Europe. According to the researchers, the group has been active since at least 2018.
In the attacks that we studied, the group made extensive use of steganography by sending VBSs, PowerShell code, as well
as RTF documents with an embedded exploit, inside images and text files. Interestingly, most of the RTF documents and
VBSs have names like greatloverstory.vbs, easytolove.vbs,
iaminlovewithsomeoneshecuteandtrulyyoungunluckyshenotundersatnd_howmuchiloveherbutitsallgreatwithtrueloveriamgivingyou.doc,
and others, associated with love, which is why we dubbed the campaign "SteganoAmor".
Victims
In the course of our research, we discovered numerous samples that targeted various economic sectors and countries. Most
of the email messages we came across had been sent to Latin America, but a considerable percentage were addressed
to companies in Russia, Romania, Turkey, and some other countries.
Some of the victims that we saw had legitimate FTP and SMTP servers, which the threat actor infected and utilized
as C2 servers. They also used the infected SMTP servers to send phishing email.
As our research effort continued, we found servers with public directories in which the group placed files to be used in its
attacks.
Figure 1. An example of a public directory
We also found malware logs containing stolen data on the servers with public directories. Thus, data stolen with the help
of AgentTesla was stored in the form of HTML files whose names conformed to the following template:
PW_*PC_name*_*date of exfiltration*_*time of exfiltration*.html
The files contained aggregated credentials for every known browser, email (for example, Outlook and Thunderbird) account
credentials, and remote access (VPN or RDP) credentials.
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 1 of 25

Figure 2. A log example
The logs included data from regular users, public institutions, and various businesses.
We discovered a total of more than 320 attacks targeting the following countries and sectors:
45
38
26 25 24
15
13 13 12 12 11
9
8 8 8
7 7 6 6 6
4 4
2 2 2 2
1 1 1 1 1
Me…
Colombia
Chili
Argentina
Romania
Turkey
Brazil
Peru
Russia
Ecuador
Uruguay
Czech Republic
India
Poland
Dominican Republic
Spain
Germany
Pakistan
United States
Costa Rica
Guatemala
Indonesia
Slovenia
South Korea
Bulgaria
Thailand
Sebia
Lebanon
Macedonia
Algeria
Morocco © Positive Technologies
Figure 3. Distribution of attacks by country
In the course of our research, we discovered attacks on specific companies. The number of attacks on specific targets differs
significantly from the total number of discovered attacks, as we could not always find out who the victim was.
22%
16%
8% 16%
8%
5%
5%
5%
5%
3%
3%
3%
Industrial sector Service sector Public sector Electric power industry Construction
Transportation companies Sports Information technology Education Religious organizations Finance
Pharmaceutical industry
© Positive Technologies
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 2 of 25

Figure 4. Distribution of attacks by sectors
The research begins
While monitoring threats, members of the ESC team discovered a file named "factura 00005111, 005114, 005115.pdf.xlam"
SHA-256: 69ffd7a475c64517c9c1c0282fd90c47597e3d4650320158cfb8c189d591db8c. Linked files led them to an email
message. The file name "banned-20240117T134543-25672-12″ suggested that the message had reached the recipient but
was blocked by security systems. It was ostensibly sent to a Romanian company from another Romanian company:
Figure 5. The phishing email with a malicious attachment
The sender's IP address, 46.27.49.180, was replaced with another. Our data indicated that the group had sent 22 other
messages from that IP address to various organizations starting on June 15, 2023.
When the message is opened, Excel downloads with the help of macros a file named "packedtpodododod.exe" (SHA-256:C42288A5946D2C3EB35E7485DD85936C1FABF49E46B12449C9136FF974A12F91) from the following URL:
94.156.65[.]225/packedtpodododod.exe
An RTF file could be downloaded from the same IP address via the following URL:
94.156.65[.]225/microsoftdecidedtodesignnewproducttoupdateandupgradenewprojectthingsonthepcandsystem.doc
This variant contains CVE-2017-11882 and downloads the following file in the chain from the URL:
94.156.65[.]225/herewegoxla.exe.
Once downloaded, the file runs. The final payload is AgentTesla hiding behind an Excel icon, which uploads data to the
C2 via FTP. The C2 itself is a legitimate website that has been compromised.
Other infection chains
Thanks to internal systems, we discovered dozens of different files linked to the FTP server, which was used as a C2 for
AgentTesla. Most of the files linked to the FTP server were used in malicious files that bore Spanish, Portuguese, and
Romanian names.
We also used our systems to successfully discover hundreds of different files and dozens of malicious IP addresses used
by the group in the campaign at hand. Some of the files were documents with various name extensions and targeting
different countries, but sharing one infrastructure and similarities between the attack chains. The files had different names
in English, Bulgarian, Croatian, Turkish, Russian, Chinese, and other languages.
Below, you will find examples of chains containing malware that belongs to a variety of families: AgentTesla, Remcos,
XWorm, LokiBot, Guloader, Formbook, SnakeKeylogger. We would like to emphasize that one type of malware may
be involved in several different chains. A complete list of indicators of compromise is available under IOCs below.
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 3 of 25

1.1 AgentTesla attack: the main scenario involving an Excel document and steganography
The main scenario we saw in this campaign and which gave it its name is an attack chain that involves steganography.
A case in point is a file named "Cerere de cotatie.xla" (SHA-256:
64020a7a3f5f6c589272f28d727318eb5eb4eb4d41510679cb8134c0325c8fe2) It kicks off the chain. When opened,
it exploits CVE-2017-11882, sending a request to the URL:
qly[.]ai/08XE5, a shortened link that redirects to
23.95.60.74/weareinlovewithmygirlfriendunderstandhowitistoget___youareverybeautifilformeiloveusoomuchalwaysloveutrulyfromtheheartlove.do
Figure 6. Request for the next stage (after opening the document)
The file received with the server response (SHA-256:
2c58ca41949aa784dce6a2006162781fe7a7a5453cafb731ee4d512efe718c43) is an RTF document.
Figure 7. Receiving an RTF document
When opened, it runs and downloads a VBS script from that same IP address:
23[.]95[.]60[.]74/roammamamamam.vbs
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 4 of 25

Figure 8. Request for an RTF document to obtain VBS
The VBS script sends a request to paste[.]ee to fetch the next payload:
paste[.]ee/d/FZTcX
Figure 9. Malicious code in the legitimate paste[.]ee service
It then proceeds to downloading and decoding an encoded malicious string (steganography) embedded in an image from the
following URLs:
uploaddeimagens[.]com[.]br/images/004/753/714/original/new_image.jpg?1709908350
uploaddeimagens[.]com[.]br/images/004/753/713/original/new_image.jpg?1709908316
The images are the same:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 5 of 25

Figure 10. An image downloaded from the legitimate service
new_image.jpg (SHA-256: 1435aef381b7e31245e2ca66818209a7f8d54daef4d0db25ef78b3a9fec3242b)
A Base64-encoded next-stage payload hidden inside the downloaded image:
Figure 11. The Base64-encoded payload
The PowerShell command inside the script:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 6 of 25

Figure 12. The PowerShell code inside the script
The script then decrypts the payload from the image and downloads a further payload from the same URL, written in reverse
string format. Its content is notably a Base64-encoded executable, also reversed:
23[.]95[.]60[.]74/romamammamamamaa.txt
Figure 13. Payload with reversed Base64 code
Next, AgentTesla runs. The malware runs a check as a bypass element to make sure that it is not running on a hosting
platform, and the victim's IP address is real.
ip-api[.]com/line/?fields=hosting
AgentTesla steals data from browsers, email clients, remote access services, and connects via FTP to a C2 to upload it.
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 7 of 25

Figure 14. Communication with the C2 server
Figure 15. Exfiltration
1.2 AgentTesla attack: an alternate scenario involving a Microsoft Word document
This is a late-2023 example that we do not see the malicious actor use as much any more, but still find samples of:
"Lista de productos 2.docx" (SHA-256: 54376ee15cca7c6cdecc27b701b85bdd2aa618fe8158a453d65030425154299a)
Figure 16. The malicious document with OLE
When run, it sends a request to shlx.us/eO, which redirects to the following URL:
23.95.122[.]104/htm/1/HTMLbrowserIEchromeHistoryCleaner.doc
Figure 17. The next-stage request after opening the document
The downloaded document (SHA-256: 6cab2705e5bfe56db1e9a74c8af9dca162de7631dd8dc074685dcb9c1dc7c5a2)
is a malicious RTF document containing an exploit:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 8 of 25

Figure 18. Getting the RTF document
The RTF document then downloads "IGCC.exe", which is AgentTesla.
Figure 19. The RTF document fetches the AgentTesla payload
As a result, AgentTesla starts communication via FTP with the C2 and proceeds to exfiltrate data:
Figure 20. Exfiltrating the victim's data
1.3 Remcos attack
Remcos, or Remote Control and Surveillance, originally legitimate software, is currently employed by many threat actors
as a RAT (Remote Access Trojan) to access a victim's computer.
In the course of our research, we found multiple Remcos samples used in attacks by the group.
One of these files is named "ORDER_SPECIFICATIONS_OFFER.xla" (SHA-256:
93946883de3d4074ac4baed60abcc3f2d0c57c8ef6e41ceaedbc5ca0de55dc30):
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 9 of 25

Figure 21. A malicious Excel document with OLE
When the file is opened, the macro inside the Excel file reaches out to the first C2 at the shortened URL qly[.]ai/p5Zpt for
additional data:
Figure 22. The request to qly[.]ai/p5Zpt
The URL redirects the request to an RTF document containing an exploit:
147.185.243[.]107/45700/macc/shelovemywifemorethankanyonebutsametimeiloveagirlwholovingmealot_____sheisreallymyloverwhocarewholove
с cve-2017-11882
Figure 23. The request after the redirect
This is followed by a request to the next URL, which responds with an obfuscated VBS script, rather than an image:
147.185.243[.]107/45700/beautifulglobe.jpg,
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 10 of 25

Figure 24. The VBS script
This script contains the embedded address of the next C2 in the chain, which hosts another obfuscated script:
paste[.]ee/d/NYO9X
Figure 25. The VBS script in the legitimate paste.ee service
We found deobfuscation of this script to be more interesting than the first one, as it contained more encoding iterations. The
result was a piece of code inside, containing a reversed string for the following C2:
147.185.243[.]107/45700/MACC.txt:
Figure 26. The deobfuscation process
Once inside the TXT file, we found the final link in the chain: a reversed Base64-encoded piece of code:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 11 of 25

Figure 27. The MACC.txt code
The chain results in infection with the Remcos RAT (SHA-256:
bd296301230adac77b09dc91d06ec26adbc49d015ea7d1b4f68b6805c2b5ee55).
Before talking to the remote server, Remcos calls geoplugin[.]net/json.gp to check the IP address, and then contacts the
C2 using TLS mimicry to hide the traffic:
Figure 28. The conversation between Remcos and the C2 server
1.4 XWorm attack
XWorm is among the most popular RATs, used by many threat actors including TA 558.
Similarly to the previous case, one of these chains begins with an Excel file containing an embedded link, which redirects
requests to another server to download an RTF document with an exploit inside. In this case, we saw the files
7b768394fa0869d92f872eb486f49fabd6469ef3a8fd8bdf9cb49d35b39ea73b and
94bcfc033fd6e445163116ebf73877ef71e22192bef829822314042b31a7281f, which, when run, redirected to a URL to fetch
the next stage:
107.175.31[.]187/7508/iconimages.jpg
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 12 of 25

Figure 29. The RTF request for a VBS script
The script contains an embedded URL:
paste[.]ee/d/G5J31
Its content is an obfuscated VBS script containing two links to images with additional payloads:
uploaddeimagens[.]com [.]br/images/004/755/997/original/new_image_r.jpg?1710413993
uploaddeimagens[.]com [.]br/images/004/755/997/original/new_image_r.jpg?1710413993
Figure 30. The request to fetch the images
As with the main case described above, the strings from the images are decoded, and a payload is assembled, which then
downloads a TXT file with a reversed Base64-encoded file, which is the final payload: XWorm.
107.175.31[.]187/7508/xwo.txt
Figure 31. The payload with the reversed Base64-encoded file
Once running, XWorm starts talking to the C2:
147.124.212[.]213:6161
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 13 of 25

Figure 32. XWorm talking to the C2 server
1.5 LokiBot attack
LokiBot is a stealer that collects data from various applications used by the victim, such as browsers, email and FTP clients,
and so on. One of these files was received from:
23.94.239[.]119/_—00_o______---0o0_00_0oo_0-o_o0-__________o0o-
__________/ozzwerdfdghjfdggsahfhfghf.doc
Figure 33. Downloading an RTF file
As in the other instances, the file is an RTF document that downloads a PE file (SHA-256:
adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430) from the following URL:
23.94.239[.]119/112/vbc.exe
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 14 of 25

Figure 34. Downloading the PE file
The file is LokiBot, which starts communicating with the C2, sending information to the following URL:
sempersim[.]su/ha1/fre.php
Figure 35. Communication between LokiBot and the C2 server
1.6 Guloader/Formbook attack
This example begins with the file named "NEW ORDER.xls" (SHA-256:
3688f05556a136fe094de5cb1888eac2a579525f72cd027e19738582ed40c283).
Figure 36. The contents of "NEW ORDER.xls"
The macro inside the Excel file starts the next chain, similar to what we saw earlier. First, it sends a request to:
2s[.]gg/3zs
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 15 of 25

Figure 37. The request before the redirect
It then redirects to an RTF document with the previously mentioned CVE:
103.237.87[.]56/rew/re/binwecanmaintainthenewthingswithhimbecauseiwasrunningaroundthewroldwithnew____icangofornewthingsfortruestoryul
Figure 38. Downloading the malicious RTF file
Guloader, to be used as the loader for fetching the next piece of malware, is then downloaded from the following IP address:
103.237.87[.]56/setup/bin.exe
Figure 39. Downloading Guloader
The Guloader file (SHA-256: bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695)accesses a Google
Drive to get the malware payload, FormBook:
drive.google[.]com/uc?export=download&id=1QJZpYWwA5nTHlXAY5PxXqGvqEBOtjtOi ->
drive.usercontent.google[.]com/download?id=1QJZpYWwA5nTHlXAY5PxXqGvqEBOtjtOi&export=download
Once running, FormBook (SHA-256: e1259d936c3993e5d8671b8b5e2362eb974984d046871296c50cf51ee1a96e4b) starts
talking to the C2:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 16 of 25

thechurchinkaty[.]com/nrup/?
vLwt1tg=a+HLDFsiIkHuV4rn/wjkuvItWj7ch7WMO9xbFOtVeNEzn7JMPDdWHI+pluLOfQ5QTDqWxNNxIGS7LM9UJKf1d/iZERaTVE3Mnox
Figure 40. The communication between FormBook and the C2 server
1.7 SnakeKeylogger attack
As in most of the cases we have covered so far, the chain begins with an Excel file, such
as "Payment_Draft_confirmation.xla" (SHA-256:
9caeaefa5ecb508895fef48764dc689f49dd8ad9f7e4de9e52202f1c1db101e1).
When the file runs, it sends a request to the following URL:
qly[.]ai/TZWGK
Figure 41. The request
This is followed by a redirect to the following URL to download an RTF document:
207.32.219[.]82/7050/snk/snkisanewthingswhichhelovesornotireallynotknowwhathelookingbutshesloved___alotwiththisnewthingswhathetoldme.d
Figure 42. Downloading the RTF document
The RTF document downloads a VBS script from the following URL:
207.32.219[.]82/7050/imaginepixelimages.jpg
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 17 of 25

Figure 43. Downloading the VBS script
The next stage downloads reversed Base64-encoded strings, which prove to be SnakeKeylogger (SHA-256:
69dffbdcc112b62bfa93e2d6d95de42ef16e01e428b883b9671056ac93bbce8f) when decoded:
207.32.219[.]82/7050/SNK.txt
Figure 44. The payload with the reversed Base64-encoded file
The first thing SnakeKeylogger does upon starting is running a check:
checkip.dyndns[.]org
Figure 45. The checkip.dyndns.org check
It then checks the geographic location according to the IP address:
reallyfreegeoip[.]org
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 18 of 25

Figure 46. The geographic location check
This is followed by a request to get an SMTP server:
scratchdreams[.]tk/_send_.php?TS
Figure 47. The request to get an SMTP server
Finally, SnakeKeylogger forwards the information it stole to the compromised legitimate SMTP server:
Figure 48. Sending data to the compromised legitimate SMTP server
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 19 of 25

1.8 Other attack examples
We saw other attack chains. For example, here's an example of network communication between NjRAT and C2
Figure 49. An example of network communication between NjRAT and C2
But these differed only insignificantly from the ones described above, essentially being the same attacks with different final
payloads.
Thus, as we were examining the threat actor's infrastructure, we noticed that the IP addresses used to host RTF files with
exploits embedded in them and fake JPG files with embedded VBS scripts were also used as the locations for various RATs.
As an example, here is the IP address of the zgRAT C2 server:
94.156.69[.]17
Figure 50. An example of this IP address being involved in the infection chain
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 20 of 25

Figure 51. An example of this IP address being used for the zgRAT C2 server
The group's use of legitimate FTP and SMTP servers
Upon closer inspection, the FTP servers we found turned out to be legitimate services, which the threat actor presumably
had infected to use as C2s for exfiltration of victims' data extracted with the help of the malware described above.
In each case, the legitimate sites belonged to various small companies based in Mexico, Colombia, and Romania.
Here is one such site:
Figure 52. A legitimate site
The organization has an active social media account with several thousand subscribers and a link to a website:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 21 of 25

Figure 53. The social media account
Figure 54. A legitimate site
As in the previous case, this organization has an active social media account with several thousand subscribers and a link
to a website:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 22 of 25

Figure 55. The company's Facebook account
When researching the group's attacks on Russian companies, we noticed that, besides FTP servers, it used SMTP
on compromised servers that hosted legitimate European websites:
Figure 56. A legitimate site
The group created some of its SMTP domains to make its activities appear legitimate. Thus, one of the SMTP domains
it used, itresinc.com, is apparently trying hard to look like the legitimate it-resinc.com.
The threat actor used these legitimate and newly created SMTP servers in two ways:
1. To send phishing email
2. As a C2 server for spreading malware
Interestingly, the group never used the same SMTP server as both a phishing server and a C2 in one attack.
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 23 of 25

As an example of an attack, here is an email message sent to an organization in Russia from a compromised legitimate
SMTP server:
Figure 57. The email from the compromised SMTP server
The phishing email came with a ZIP archive attached:
"loading advice.zip" SHA-256: ca383ef7a0031ff933907be8b038ccc62ac556bdc0f077d7f9c3022952e62efa
The archive contained one file that was AgentTesla:
"loading advice.exe" SHA-256: 84b2a0360556088e4aad29627d4ed15d53b18aa72d9d98b4b0d1be27916c681e
Figure 58. The contents of the archive
When the executable runs, it uploads data to an SMTP server that imitates a legitimate one:
mail.itresinc.com
Attribution to known groups
In the course of our research, we found that a part of the campaign had been described by analysts at Cyble.
Cyble describes the same kill chain that we saw, including the use of steganography, as well as the payload, which may
contain various types of malware like AgentTesla, Remcos, and so on.
Researchers at MetabaseQ last October described the same threat actor's activity, attributing it to TA558.
Their report takes note of the kill chain, which also employed steganography. Although the researchers said that the victims,
as with TA558 earlier, were located in Latin America, the United States, Portugal, and Spain, we have found that while
TA558 mainly focuses on Latin America, the number of affected countries is much greater, and TA558 attacks completely
different countries.
Last August, researcher Ankit Anubhav shared on X (formerly Twitter) information about TA558's use of steganography
with a final chain that resulted in infection with Quasar Rat.
Another Microsoft researcher, Igal Lytzki, referred to Ankit Anubhav in his description of a similar attack, where he drew
attention to steganography samples and AgentTesla on an FTP server containing logs of victims' data. Igal said he had
informed the victims accordingly:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 24 of 25

Fig. 59. Tweet by researcher Igal Lytzki
Conclusion
The TA558 attack chains in the SteganoAmor campaign examined here continue to affect users in Latin America and
elsewhere in the world. The group continues to exploit the fairly old CVE-2017-11882 in its attack chain. It uses
steganography, an obfuscation technique, inside the chains to spread well-known malware used in other attacks in recent
years. The phishing may be harder to detect due to the group's use of compromised legitimate SMTP servers,
so we recommend exercising caution when dealing with email that contains attachments, even if the messages were received
from governmental organizations or small local companies. The use of legitimate SMTP and FTP servers, as well as tools
like Guloader, may complicate detection of the threat actor's presence on the host, so companies are advised to monitor
network traffic more closely and investigate suspicious activity linked to legitimate services.
Source: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-instituti
ons-all-around-the-world/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/
Page 25 of 25