Growing Threat: Exploitation of Trusted File Formats by Cybercriminals
In a troubling trend, cybersecurity experts are observing an alarming increase in hackers exploiting trusted file formats and lightweight scripting environments as a means to evade detection. A specific campaign recently identified has been found to leverage Lua-based loaders, further complicating efforts to safeguard against cyber threats.
This malicious campaign cleverly disguises its activities by masquerading as TrueType (.ttf) font files to deploy various forms of commodity malware. Notable examples of the malware being distributed include Remcos RAT, Agent Tesla, XWorm, and several variants of the Snake Keylogger. Such an approach not only obfuscates the true intent of the malware but also adds a layer of deception, making it easier for attackers to ensnare unwitting victims.
Emails utilized in this campaign impersonate legitimate businesses and reputable brands, often using payment-themed pretexts to coerce potential victims into opening malicious archives. This tactic capitalizes on the psychological pressure placed on recipients, increasing the likelihood that they will inadvertently expose themselves to harm.
The initial phase of the attack begins with phishing emails that contain malicious attachments or links that lead to malicious downloads. Once victims interact with these emails, they find themselves confronted with heavily obfuscated JavaScript loaders housed within these malicious archives. These loaders are padded with extraneous junk code and protected through sophisticated techniques such as control flow flattening and anti-tampering measures.
Crucial strings, including ActiveX objects and file paths, are dynamically reconstructed during runtime utilizing split-and-join operations to effectively bypass signature-based detection systems. This approach makes it significantly more challenging for traditional security measures to identify and neutralize the threat before it can wreak havoc on a system.
As the execution unfolds, conditional checks are put in place to gate access to the malware, ensuring persistence is established through Scheduled Tasks. The script cleverly copies itself into the %PUBLIC%\Libraries directory, further entrenching its presence on the victim’s machine.
Following this stage, the loader extracts embedded payloads through a complex, multi-step process that includes string reversal, delimiter stripping, and Base64 decoding. This ultimately results in the deployment of components such as LuaJIT or AutoIt interpreters, along with encoded data blobs, massively complicating detection efforts.
One noteworthy innovation in this campaign is the abuse of .ttf files as containers for Lua scripts, which are executed through LuaJIT. Researchers from Fortinet have meticulously tracked the evolution of these phishing-driven operations, which incorporate fileless execution, multi-layered obfuscation, and sophisticated LuaJIT loaders.
The presence of metadata artifacts within the dropped binaries confirms the integration of LuaJIT components and its Foreign Function Interface (FFI), enabling direct interaction with native APIs. This interaction can further obscure an attacker’s activities from security measures.
As the campaign evolves, Lua loaders utilize a layered decryption pipeline that complicates traditional static string analysis. Hardcoded payload strings undergo a rotation cipher, dynamically derived to mask the true intent of the malware. Randomized decoy memory regions and a variety of encryption techniques serve to further mask the payload, making it exceedingly difficult for security solutions to detect the threat until it is too late.
Recently identified variants showcase significant advancements in the use of anti-debugging techniques, including API unhooking and breakpoint neutralization. In an effort to conceal their malicious intent, payloads are segmented into memory pages that are marked as non-accessible, only decrypting the necessary portions of code just-in-time for execution via a Vectored Exception Handler (VEH). This tactic effectively permits the code to remain hidden until runtime, complicating both static and dynamic analyses.
The final payload is often delivered using Donut shellcode generators, allowing in-memory execution of Portable Executable (PE) files through reflective loading. This method circumvents common forensic analysis practices, as the malware operates without leaving noticeable traces on the disk.
Parallel cyber campaigns have emerged that utilize AutoIt-based loaders, where attackers drop an AutoIt interpreter alongside their script and encoded payload. In these cases, attackers employ legitimate process execution methods to inject decrypted shellcode, maintaining a façade of normalcy while carrying out malicious acts.
The variety of malware being disseminated through this campaign includes not only Remcos RAT but also Agent Tesla, XWorm, and variations dubbed the “Best Private LOGGER.” Analysis indicates that the latter is essentially a modified Snake Keylogger, thus emphasizing the interconnectivity and shared tactics among various threat actors.
Equally concerning is how the campaign utilizes business email compromise (BEC) themes and well-established branding strategies to significantly elevate the rates of successful infections. Research has shown that over time, the complexity of the loaders has rapidly increased, evolving from simple ROT-based decoding mechanisms to more intricate, layered encryption strategies.
In conclusion, this alarming trend denotes a growing movement within the cybercrime landscape where attackers artfully blend scripting languages such as Lua and AutoIt with fileless execution techniques to bypass cutting-edge defenses. The abuse of benign file extensions like .ttf clearly underscores an urgent need for deeper content inspection and behavioral analysis within enterprise security measures, ensuring robust defenses against these evolving cyber threats.

