Wednesday, December 6, 2023

OceanLotus APT Hackers Group using Steganography to Launch an Encrypted Malware Payload via .png Image File

A Well-known APT Group OceanLotus leveraging a steganography method to hide the encrypted malware payload within a .png image file to infect the targeted system.

OceanLotus group known for Multiple attack campaigns around the globe, the threat actor group targets private sectors across multiple industries, foreign governments.

Steganography, a method used by attackers to hide the malicious code within the image that is mainly employed by exploit kits to hide the malvertising traffic.

Attackers using 2 different backdoors within this campaign, both are distributing the via encrypted and an obfuscated loader .

In order to increase the infection success ratio, APT Groups are heavily investing to develop the highly sophisticated hacking tools.

First steganography loader mimics the McAfee’s McVsoCfg DLL and drops in to the targeted system along with legitimate “On Demand Scanner” executable.

In this case, attackers launching this first loader via a separate .png image file which is not a malicious one, but the PNG file was abused and load the payload using steganography which utilizes the least significant bits of each pixel’s color code to store hidden information.

Attackers made up this payload that encrypted with AES128 and further obfuscated with XOR to bypass the steganography detection tools.

Second steganography loader using same payload extraction routine as the previous loader but it differs from decryption routine and anti-analysis technique and this loader is an updated version of Remy backdoor.

Second payload contains some of the serious future including Side-loaded DLL, Anti-debugging/anti-sandboxing, AES128 implementation from Crypto++ library for payload decryption.

Image containing encoded payload

Loader Launching the Backdoor

Attackers launching the final backdoor from the Launcher DLL that contains an encrypted backdoor in its resources along with one or more C2 communication modules.

Decoding Process

In this case, Backdoor DLL and the C2 communication DLLs are heavily obfuscated using tons of junk code that makes more difficult for debugging and static analysis.

According to cylance report , In addition to Denes and Remy backdoors, at least two different communication modules were observed with different versions of this launcher – DNSProvider and HTTPProv

The launcher binary, which contains the final backdoor, is RC4 encrypted and wrapped in a layer of obfuscated shellcode.

Finally shellcode execute and launch the C2 communication module resources that compressed with LZMA.

Later the malware communicates with the with an attacker to receive the various commands to steal the various sensitive information. You can Also read the complete technical analysis report here.

Indicators of Compromise (IOCs)

Loader 1

ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 –SHA256 Loader #1 0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999 SHA256 Loader #1 a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e SHA256 Loader #1

Loader 2

4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d SHA256 Loader #2 e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e SHA256 Loader #2 cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d SHA256 Loader #2

PNG Payload

72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a SHA256 Payload PNG (loader #1) 11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f SHA256 Payload PNG (loader #2) d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced SHA256 Payload PNG (loader #2)

Course: Learn Malware Analysis – Advance Malware Analyst Bundle

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.


Latest articles

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles