The resurgence of MSI-branded JPEG background payloads in phishing campaigns marks a notable evolution in threat actor tactics. Recently, these campaigns have been observed using WeTransfer links to deliver malicious content, an approach chosen to bypass traditional defenses. The attacks target a wide range of sectors and rely on the familiarity of JPEG images to conceal their payloads. Although the specific threat actors behind these campaigns remain unattributed, their impact has been felt globally, particularly among businesses with remote workforces.
Campaign or TTP Overview
The observed phishing campaigns rely on JPEG files that carry embedded MSI installers. This approach blends social engineering and technical obfuscation to deceive targets. Typically, recipients receive a seemingly benign email that directs them to download a file via WeTransfer. The download includes a JPEG image which, on closer inspection, contains an embedded MSI installer designed to execute malicious code once deployed. The pioneering aspect of this campaign is its use of legitimate file-sharing services, lending an unwarranted veneer of legitimacy that lulls targets into a false sense of security.
These campaigns have primarily targeted industries with prevalent digital workflows—tech firms, financial services, and educational institutions. The campaigns achieve high levels of interaction due to the familiarity and authenticity associated with WeTransfer. Notably, the attackers capitalize on cloud-based file-sharing services to navigate through organizational email filters, delivering payloads under the radar.
How It Was Built
The technical anatomy of this campaign is as sophisticated as it is simple. Attackers use the WeTransfer service to send an email to potential victims containing a download link for a file labeled as a report, invoice, or presentation. The file is in fact a compressed archive with a JPEG file inside.
Subject: Project Documentation - Fall 2023
From: notifications@wetransfer.com
Download Link: hxxps://wetransfer[.]com/downloads/abcdef123456
The JPEG image is not just an image: it has the MSI installer embedded in its metadata. After downloading the file, users are instructed to “view” it using specific tools, under the guise of needing the report in a particular format. Once executed, the MSI deploys malware designed to exfiltrate data or download further malicious components. The effectiveness stems from the clever construction of an innocent-looking JPEG that masks a harmful MSI loader.
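A triage check for the file described above, added here as an example and not code from the original write-up: it walks the JPEG marker structure and flags the two places an MSI can hide, data appended after the End-Of-Image marker and the OLE Compound File (CFB, the MSI container) magic inside an APPn metadata segment. The sample inputs are constructed with build_sample() and are not real images.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / CFB header that MSI files start with


def scan_jpeg(data: bytes) -> dict:
    """Walk JPEG segments; report trailing data after EOI and CFB magic in APPn metadata."""
    findings = {"is_jpeg": data[:2] == b"\xff\xd8", "trailing_bytes": 0,
                "cfb_in_metadata": [], "suspicious": False}
    if not findings["is_jpeg"]:
        return findings
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break  # malformed marker stream; stop walking
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI reached before any scan data: everything after it is foreign
            findings["trailing_bytes"] = len(data) - (pos + 2)
            break
        if marker == 0xDA:  # SOS: entropy-coded data follows; FF D9 cannot occur inside it
            eoi = data.find(b"\xff\xd9", pos)
            findings["trailing_bytes"] = len(data) - (eoi + 2) if eoi != -1 else 0
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            break  # length field includes itself; smaller values are invalid
        segment = data[pos + 4:pos + 2 + seg_len]
        if 0xE0 <= marker <= 0xEF and CFB_MAGIC in segment:  # APP0..APP15 (JFIF, Exif, XMP...)
            findings["cfb_in_metadata"].append(f"APP{marker - 0xE0}")
        pos += 2 + seg_len
    findings["suspicious"] = findings["trailing_bytes"] > 0 or bool(findings["cfb_in_metadata"])
    return findings


def build_sample(payload_in_app1: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed JPEG-shaped test file (SOI, APP0, optional APP1, empty SOS, EOI); not decodable."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg = b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    if payload_in_app1:
        jpeg += b"\xff\xe1" + struct.pack(">H", len(payload_in_app1) + 2) + payload_in_app1
    jpeg += b"\xff\xda\x00\x02" + b"\xff\xd9"
    return jpeg + trailer


if __name__ == "__main__":
    # Constructed case: CFB header appended after EOI, the simplest form of the described embedding
    print(scan_jpeg(build_sample(trailer=CFB_MAGIC + b"\x00" * 16)))
```

Run it over files extracted from the delivered archive; a hit on either finding warrants pulling the file into sandbox analysis rather than opening it with the "viewer" the email suggests.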
Why It Worked
The choice of WeTransfer was strategic, leveraging the platform’s widespread legitimacy and trusted status, allowing phishing emails to bypass filtering mechanisms. This approach exploits the recipient’s perception that files received from WeTransfer are unlikely to be harmful.
Additionally, the use of MSI-branded JPEGs is a novel evolution of the classic steganography tactic. By embedding MSI installers within an image file format commonly shared across professional networks, attackers effectively conceal their payload in plain sight. This subtlety is compounded by social engineering that speaks directly to the recipient’s professional expectations—downloading and handling reports or presentations is a daily routine for the target demographic.
The blending of these tactics results in a scheme that not only delivers its payload but also engages and entices the recipient to act on the download, an element further underscored by professionally phrased email text that mimics standard corporate communication.
Operator Takeaways
Red teamers can draw several lessons from this resurgence of tactics. Firstly, the leveraging of legitimate platforms such as WeTransfer should inform future efforts to bypass conventional security controls. The incorporation of file format misdirection, using images as transportation mediums for scripts or executables, should also be explored for creating innovative engagement strategies.
Additionally, focused social engineering that aligns with the target’s roles and responsibilities can significantly improve campaign yield. When designing simulations, consider the target’s normal workflows and tailor the delivery method and content accordingly.
Do’s and Don’ts
- Do use legitimate services to deliver your payloads. This approach enhances trust and reduces suspicion.
- Do ensure the content and context align with expected recipient behaviors. Campaigns work best when integrated into the recipient’s routine tasks.
- Don’t overlook the importance of the email’s linguistic quality. Errors in grammar or syntax can break the illusion.
- Don’t rely solely on one method. Blending different tactics (e.g., social engineering and technical evasion) enhances overall effectiveness.
Related Reading
- What is a JPEG Payload in Phishing?
- Techniques for Embedding Payloads in Image Files for Phishing
- Leveraging Image-Based Payload Delivery in Phishing Campaigns
- Advanced Techniques in Payload Delivery for Phishing Campaigns
Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

