The well-known APT group OceanLotus is using steganography to hide an encrypted malware payload inside a .png image file and infect targeted systems.
OceanLotus is known for multiple attack campaigns around the globe; the group targets private-sector organizations across multiple industries as well as foreign governments.
Steganography is a method attackers use to hide malicious code within an image; it is mainly employed by exploit kits to hide malvertising traffic.
The attackers use two different backdoors in this campaign, and both are delivered via an encrypted and obfuscated loader.
To increase their infection success rate, APT groups are investing heavily in developing highly sophisticated hacking tools.
The first steganography loader mimics McAfee’s McVsoCfg DLL and is dropped onto the targeted system along with the legitimate “On Demand Scanner” executable.
In this case, the attackers launch the first loader via a separate .png image file. The image itself is not malicious, but it is abused to carry the payload using steganography, which uses the least significant bits of each pixel’s color code to store hidden information.
The payload is encrypted with AES128 and further obfuscated with XOR to bypass steganography detection tools.
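To show why least-significant-bit storage leaves a statistical trace, here is an added example (not code from the Cylance report or from the malware) of the textbook pairs-of-values chi-square check, run over constructed channel bytes. The 2.0 ratio threshold, the window size, the one-bit-per-sample layout and the sample data are assumptions made for illustration; decoding a real PNG into channel bytes is left out.

```python
import random
from collections import Counter

def pov_chi_square(samples):
    """Pairs-of-values test on 8-bit channel samples.

    LSB replacement with uniform (e.g. encrypted) bits equalises the counts
    of each value pair (2k, 2k+1). Returns (chi2, pairs_tested); chi2 is
    about pairs_tested when the LSBs are random, far larger otherwise.
    """
    hist = Counter(samples)
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd < 10:          # pair too sparse to say anything
            continue
        chi2 += (even - odd) ** 2 / (even + odd)
        pairs += 1
    return chi2, pairs

def lsb_looks_random(samples, max_ratio=2.0):
    """Flag a block whose LSB plane is indistinguishable from noise.

    max_ratio is an assumed threshold for this example, not a tuned value.
    """
    chi2, pairs = pov_chi_square(samples)
    return pairs > 0 and chi2 / pairs < max_ratio

def scan_windows(samples, window):
    """Run the test per window to show how far into the data the bits extend."""
    return [lsb_looks_random(samples[i:i + window])
            for i in range(0, len(samples), window)]

# --- constructed sample data (not taken from any real image or malware) ---
rng = random.Random(1)
weights = [1 + (v * 37) % 11 for v in range(256)]   # deliberately uneven histogram
COVER = rng.choices(range(256), weights=weights, k=40000)
# Overwrite the LSB of the first half with random bits, standing in for an
# encrypted payload written sequentially from the start of the pixel data.
STEGO = [(v & 0xFE) | rng.getrandbits(1) for v in COVER[:20000]] + COVER[20000:]

if __name__ == "__main__":
    print("cover:", scan_windows(COVER, 10000))
    print("stego:", scan_windows(STEGO, 10000))
```

A flagged window is a reason to pull the file for closer inspection, not proof of a payload, since some clean images also have near-random low bits.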
The second steganography loader uses the same payload extraction routine as the previous loader but differs in its decryption routine and anti-analysis techniques; this loader is an updated version of the Remy backdoor.
The second payload contains some serious features, including a side-loaded DLL, anti-debugging/anti-sandboxing, and an AES128 implementation from the Crypto++ library for payload decryption.
Loader Launching the Backdoor
The attackers launch the final backdoor from the launcher DLL, which contains an encrypted backdoor in its resources along with one or more C2 communication modules.
In this case, the backdoor DLL and the C2 communication DLLs are heavily obfuscated with large amounts of junk code, which makes debugging and static analysis more difficult.
According to the Cylance report, in addition to the Denes and Remy backdoors, at least two different communication modules were observed with different versions of this launcher: DNSProvider and HTTPProv
The launcher binary, which contains the final backdoor, is RC4 encrypted and wrapped in a layer of obfuscated shellcode.
Finally, the shellcode executes and launches the C2 communication module resources, which are compressed with LZMA.
Later, the malware communicates with the attacker to receive various commands for stealing sensitive information. You can also read the complete technical analysis report here.
Indicators of Compromise (IOCs)