Thursday, April 18, 2024

OceanLotus APT Hackers Group using Steganography to Launch an Encrypted Malware Payload via .png Image File

A Well-known APT Group OceanLotus leveraging a steganography method to hide the encrypted malware payload within a .png image file to infect the targeted system.

OceanLotus group known for Multiple attack campaigns around the globe, the threat actor group targets private sectors across multiple industries, foreign governments.

Steganography, a method used by attackers to hide the malicious code within the image that is mainly employed by exploit kits to hide the malvertising traffic.

Attackers using 2 different backdoors within this campaign, both are distributing the via encrypted and an obfuscated loader .

In order to increase the infection success ratio, APT Groups are heavily investing to develop the highly sophisticated hacking tools.

First steganography loader mimics the McAfee’s McVsoCfg DLL and drops in to the targeted system along with legitimate “On Demand Scanner” executable.

In this case, attackers launching this first loader via a separate .png image file which is not a malicious one, but the PNG file was abused and load the payload using steganography which utilizes the least significant bits of each pixel’s color code to store hidden information.

Attackers made up this payload that encrypted with AES128 and further obfuscated with XOR to bypass the steganography detection tools.

Second steganography loader using same payload extraction routine as the previous loader but it differs from decryption routine and anti-analysis technique and this loader is an updated version of Remy backdoor.

Second payload contains some of the serious future including Side-loaded DLL, Anti-debugging/anti-sandboxing, AES128 implementation from Crypto++ library for payload decryption.

Image containing encoded payload

Loader Launching the Backdoor

Attackers launching the final backdoor from the Launcher DLL that contains an encrypted backdoor in its resources along with one or more C2 communication modules.

Decoding Process

In this case, Backdoor DLL and the C2 communication DLLs are heavily obfuscated using tons of junk code that makes more difficult for debugging and static analysis.

According to cylance report , In addition to Denes and Remy backdoors, at least two different communication modules were observed with different versions of this launcher – DNSProvider and HTTPProv

The launcher binary, which contains the final backdoor, is RC4 encrypted and wrapped in a layer of obfuscated shellcode.

Finally shellcode execute and launch the C2 communication module resources that compressed with LZMA.

Later the malware communicates with the with an attacker to receive the various commands to steal the various sensitive information. You can Also read the complete technical analysis report here.

Indicators of Compromise (IOCs)

Loader 1

ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 –SHA256 Loader #1 0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999 SHA256 Loader #1 a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e SHA256 Loader #1

Loader 2

4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d SHA256 Loader #2 e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e SHA256 Loader #2 cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d SHA256 Loader #2

PNG Payload

72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a SHA256 Payload PNG (loader #1) 11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f SHA256 Payload PNG (loader #2) d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced SHA256 Payload PNG (loader #2)

Course: Learn Malware Analysis – Advance Malware Analyst Bundle

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles