On January 5th Raytheon|Websense® researchers noticed an interesting e-mail sample from a recent and ongoing e-mail campaign which contained a malicious document attachment and downloaded malware in a unique way. The Microsoft Office Word document downloaded the malicious payload from a JPG file but, where a normal browsing user would see an image of Kangaroo, the malicious document saw a different file - the Ursnif credential stealer.
fig 1. Actual image hosted on command-and-control server
Executive Summary