A few days ago I wrote a diary called “Malicious Script Delivering More Maliciousness”[1<\/a>]. In the malware infection chain, there was a JPEG picture that embedded the last payload delimited with “BaseStart-” and “-BaseEnd” tags.<\/p>\n Today, I discovered anoher campaign that relies exactly on the same technique. It started with an attachment called “TELERADIO_IB_OBYEKTLRIN_BURAXILIS_FORMASI.xIs” (SHA256:1bf3ec53ddd7399cdc1faf1f0796c5228adc438b6b7fa2513399cdc0cb865962). The file in itself is not interesting, it contains a good old Equation Editor exploit (%%cve:2017-11882%%). The exploit triggers the download of an HTA payload that executes\u00a0a PowerShell payload and finally a DLL:<\/p>\n When I investigated the different payload, there was pretty simple to deobfuscated, the interesting code was polluted with Unicode characters. First the HTA file was downloaded from:<\/p>\n The interesting code is here and you can easily spot the “powershell” string, no need to use AI for this \ud83d\ude42<\/p>\n The Powershell payload will fetch another file:<\/p>\n Do you make the link with my previous diary? It’s the same picture:<\/p>\n The technique is also exactly the same, the next stage is Base64-encoded and delimited by the same tags:<\/p>\n The extracted payload is a .Net binary (SHA256:adc2f550e7ff2b707a070ffaa50fc367af6a01c037f1f5b347c444cca3c9a650).<\/p>\n The fast that the same picture is re-used looks interesting! I did a quick search on VT and use the feature to search for similarities based on the icon\/thumbnail and found a lot of identical pictures:<\/p>\n 846 similar pictures have been reported but\u00a0only 36 have a VT score above 5. I created a YARA rule to track them, just curious…<\/p>\n [1]\u00a0https:\/\/isc.sans.edu\/diary\/Malicious+Script+Delivering+More+Maliciousness\/32682<\/a><\/p>\n Xavier Mertens (@xme) (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260218-1.png?ssl=1\")
<\/p>\n\nhxxp:\/\/192[.]3[.]101[.]19\/31\/sd878f23823878428348fd8g8g8384838f3453dfg.hta<\/pre>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260218-2.png?ssl=1\")
<\/p>\n\nhxxps:\/\/172[.]245[.]155[.]116\/img\/optimized_MSI.png<\/pre>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260218-3.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260218-4.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260218-5.png?ssl=1\")
<\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n