Tracking Malware Campaigns With Reused Material, (Wed, Feb 18th)
A few days ago I wrote a diary called "Malicious Script Delivering More Maliciousness"[1]. In the malware infection chain, there was a JPEG picture that embedded the last payload delimited with "BaseStart-" and "-BaseEnd" tags.
AI Analysis
Technical Summary
This campaign uses a multi-stage infection chain that begins with a malicious Office document named "TELERADIO_IB_OBYEKTLRIN_BURAXILIS_FORMASI.xIs", which exploits the well-known Equation Editor vulnerability CVE-2017-11882. The exploit downloads an HTA (HTML Application) file from a suspicious IP address. The HTA file runs a PowerShell script that in turn downloads a JPEG image from a second IP address. The JPEG is not an ordinary picture: it carries an embedded Base64-encoded payload delimited by the tags "BaseStart-" and "-BaseEnd". The decoded payload is a .NET binary obfuscated with Unicode characters to hinder analysis. The campaign is notable for reusing the same JPEG image across multiple attacks, which allows related activity to be tracked through image similarity and YARA rules. The .NET payload likely performs malicious actions once executed, although its specific behavior is not detailed in the source. Reliance on an exploit from 2017 means that systems left unpatched since then remain vulnerable. No widespread exploitation in the wild is currently known, but the chain demonstrates a sophisticated approach to payload delivery and evasion: reusing the image and hiding the payload inside it are attempts to evade detection and complicate forensic analysis. The campaign was analyzed and reported by the SANS Internet Storm Center, together with detailed technical insights and indicators of compromise such as SHA256 hashes for the malicious files.
Potential Impact
European organizations face a medium-level risk from this campaign primarily due to the exploitation of a legacy vulnerability that may still exist in unpatched Office environments. Successful exploitation could lead to remote code execution, allowing attackers to deploy further malware, conduct espionage, or establish persistence. The multi-stage nature complicates detection and response, increasing the risk of prolonged undetected compromise. Organizations in sectors with heavy Office document usage, such as government, finance, and healthcare, are particularly at risk. The use of publicly accessible IP addresses for payload hosting means that attackers can dynamically change infrastructure, complicating blocking efforts. The embedding of payloads within images can bypass traditional signature-based detection, increasing the chance of infection. While no known widespread exploitation is reported, the campaign's reuse of payload delivery methods suggests ongoing or evolving threats. The impact on confidentiality, integrity, and availability depends on the final payload's capabilities but could be significant if the .NET binary enables lateral movement or data exfiltration.
Mitigation Recommendations
1. Ensure all Microsoft Office installations are fully patched, specifically addressing CVE-2017-11882, to eliminate the initial exploit vector.
2. Implement advanced email filtering to block suspicious attachments, especially those with uncommon extensions like .xIs or HTA files.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting obfuscated PowerShell scripts and unusual image file behaviors, including Base64 payload extraction.
4. Use YARA rules targeting the reused JPEG image and associated payload hashes to detect and block known malicious files.
5. Monitor network traffic for connections to suspicious IP addresses identified in the campaign and block or alert on such communications.
6. Educate users on the risks of opening unsolicited Office documents and executing embedded scripts.
7. Employ application whitelisting to prevent execution of unauthorized HTA and PowerShell scripts.
8. Conduct regular threat hunting exercises focusing on indicators related to this campaign, including the specific SHA256 hashes and image-based payload embedding techniques.
9. Maintain robust backup and incident response plans to quickly recover from potential infections.
10. Collaborate with threat intelligence sharing platforms to stay updated on evolving tactics related to this campaign.
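The technical summary describes a JPEG that carries a Base64 payload between "BaseStart-" and "-BaseEnd", and the mitigations suggest hunting for the reused image and payload hashes. The following is an added example (not code from the ISC diary or the aggregator): it scans files for that wrapper, decodes and hashes what it finds, and groups samples that share the same payload. The JPEG stub and the MZ-headed blob are constructed test data, not real campaign artifacts.

```python
import base64
import hashlib
import re

# Delimiters the campaign wraps its Base64 payload in (from the ISC diary).
START_TAG = b"BaseStart-"
END_TAG = b"-BaseEnd"
TAG_RE = re.compile(re.escape(START_TAG) + rb"(.*?)" + re.escape(END_TAG), re.DOTALL)

def payload_sha256(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def extract_embedded_payloads(data: bytes) -> list[dict]:
    """Find every BaseStart-/-BaseEnd segment and decode it as Base64. Segments
    that are not valid Base64 are skipped, so a stray string match in an innocent
    file does not produce a false record."""
    found = []
    for m in TAG_RE.finditer(data):
        b64 = re.sub(rb"\s+", b"", m.group(1))   # tolerate wrapped lines
        try:
            payload = base64.b64decode(b64, validate=True)
        except ValueError:                       # binascii.Error is a ValueError
            continue
        found.append({
            "size": len(payload),
            "sha256": payload_sha256(payload),
            "is_pe": payload[:2] == b"MZ",      # a .NET assembly is a PE file
        })
    return found

def track_reuse(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Group sample names by payload SHA256; a hash shared by several samples is the reused material."""
    index: dict[str, list[str]] = {}
    for name, blob in samples.items():
        for rec in extract_embedded_payloads(blob):
            index.setdefault(rec["sha256"], []).append(name)
    return index

# Constructed test data: stub JPEG (SOI, JFIF segment, EOI) plus a fake MZ blob. Nothing here is real.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"not a real binary"
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
WRAPPED = START_TAG + base64.b64encode(FAKE_PAYLOAD) + END_TAG
SAMPLES = {
    "lure_a.jpg": JPEG_STUB + b"\r\n" + WRAPPED,      # payload appended after the EOI marker
    "lure_b.jpg": JPEG_STUB + b"\x00" * 7 + WRAPPED,  # same payload, different image bytes
    "benign.jpg": JPEG_STUB,                          # no wrapper, no record
}

if __name__ == "__main__":
    for sha, names in track_reuse(SAMPLES).items():
        print(sha, "reused by", names)
```

Feeding the same function a directory of downloaded images makes the shared payload hash the pivot for linking lures, which is what the YARA rule in the diary tracks at the image level.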
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Poland
Article Source
https://isc.sans.edu/diary/rss/32726 (fetched 2026-02-18, 417 words)
Threat ID: 6995787680d747be205506ca
Added to database: 2/18/2026, 8:29:42 AM
Last enriched: 2/18/2026, 8:29:56 AM
Last updated: 2/21/2026, 12:18:57 AM