Saturday, July 13, 2024

OceanLotus APT Hackers Group using Steganography to Launch an Encrypted Malware Payload via .png Image File

A Well-known APT Group OceanLotus leveraging a steganography method to hide the encrypted malware payload within a .png image file to infect the targeted system.

OceanLotus group known for Multiple attack campaigns around the globe, the threat actor group targets private sectors across multiple industries, foreign governments.

Steganography, a method used by attackers to hide the malicious code within the image that is mainly employed by exploit kits to hide the malvertising traffic.

Attackers using 2 different backdoors within this campaign, both are distributing the via encrypted and an obfuscated loader .

In order to increase the infection success ratio, APT Groups are heavily investing to develop the highly sophisticated hacking tools.

First steganography loader mimics the McAfee’s McVsoCfg DLL and drops in to the targeted system along with legitimate “On Demand Scanner” executable.

In this case, attackers launching this first loader via a separate .png image file which is not a malicious one, but the PNG file was abused and load the payload using steganography which utilizes the least significant bits of each pixel’s color code to store hidden information.

Attackers made up this payload that encrypted with AES128 and further obfuscated with XOR to bypass the steganography detection tools.

Second steganography loader using same payload extraction routine as the previous loader but it differs from decryption routine and anti-analysis technique and this loader is an updated version of Remy backdoor.

Second payload contains some of the serious future including Side-loaded DLL, Anti-debugging/anti-sandboxing, AES128 implementation from Crypto++ library for payload decryption.

Image containing encoded payload

Loader Launching the Backdoor

Attackers launching the final backdoor from the Launcher DLL that contains an encrypted backdoor in its resources along with one or more C2 communication modules.

Decoding Process

In this case, Backdoor DLL and the C2 communication DLLs are heavily obfuscated using tons of junk code that makes more difficult for debugging and static analysis.

According to cylance report , In addition to Denes and Remy backdoors, at least two different communication modules were observed with different versions of this launcher – DNSProvider and HTTPProv

The launcher binary, which contains the final backdoor, is RC4 encrypted and wrapped in a layer of obfuscated shellcode.

Finally shellcode execute and launch the C2 communication module resources that compressed with LZMA.

Later the malware communicates with the with an attacker to receive the various commands to steal the various sensitive information. You can Also read the complete technical analysis report here.

Indicators of Compromise (IOCs)

Loader 1

ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 –SHA256 Loader #1 0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999 SHA256 Loader #1 a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e SHA256 Loader #1

Loader 2

4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d SHA256 Loader #2 e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e SHA256 Loader #2 cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d SHA256 Loader #2

PNG Payload

72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a SHA256 Payload PNG (loader #1) 11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f SHA256 Payload PNG (loader #2) d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced SHA256 Payload PNG (loader #2)

Course: Learn Malware Analysis – Advance Malware Analyst Bundle

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles