Thursday, March 28, 2024

OceanLotus APT Hackers Group using Steganography to Launch an Encrypted Malware Payload via .png Image File

A Well-known APT Group OceanLotus leveraging a steganography method to hide the encrypted malware payload within a .png image file to infect the targeted system.

OceanLotus group known for Multiple attack campaigns around the globe, the threat actor group targets private sectors across multiple industries, foreign governments.

Steganography, a method used by attackers to hide the malicious code within the image that is mainly employed by exploit kits to hide the malvertising traffic.

Attackers using 2 different backdoors within this campaign, both are distributing the via encrypted and an obfuscated loader .

In order to increase the infection success ratio, APT Groups are heavily investing to develop the highly sophisticated hacking tools.

First steganography loader mimics the McAfee’s McVsoCfg DLL and drops in to the targeted system along with legitimate “On Demand Scanner” executable.

In this case, attackers launching this first loader via a separate .png image file which is not a malicious one, but the PNG file was abused and load the payload using steganography which utilizes the least significant bits of each pixel’s color code to store hidden information.

Attackers made up this payload that encrypted with AES128 and further obfuscated with XOR to bypass the steganography detection tools.

Second steganography loader using same payload extraction routine as the previous loader but it differs from decryption routine and anti-analysis technique and this loader is an updated version of Remy backdoor.

Second payload contains some of the serious future including Side-loaded DLL, Anti-debugging/anti-sandboxing, AES128 implementation from Crypto++ library for payload decryption.

OceanLotus
Image containing encoded payload

Loader Launching the Backdoor

Attackers launching the final backdoor from the Launcher DLL that contains an encrypted backdoor in its resources along with one or more C2 communication modules.

OceanLotus
Decoding Process

In this case, Backdoor DLL and the C2 communication DLLs are heavily obfuscated using tons of junk code that makes more difficult for debugging and static analysis.

According to cylance report , In addition to Denes and Remy backdoors, at least two different communication modules were observed with different versions of this launcher – DNSProvider and HTTPProv

The launcher binary, which contains the final backdoor, is RC4 encrypted and wrapped in a layer of obfuscated shellcode.

Finally shellcode execute and launch the C2 communication module resources that compressed with LZMA.

Later the malware communicates with the with an attacker to receive the various commands to steal the various sensitive information. You can Also read the complete technical analysis report here.

Indicators of Compromise (IOCs)

Loader 1

ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 –SHA256 Loader #1 0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999 SHA256 Loader #1 a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e SHA256 Loader #1

Loader 2

4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d SHA256 Loader #2 e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e SHA256 Loader #2 cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d SHA256 Loader #2

PNG Payload

72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a SHA256 Payload PNG (loader #1) 11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f SHA256 Payload PNG (loader #2) d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced SHA256 Payload PNG (loader #2)

Course: Learn Malware Analysis – Advance Malware Analyst Bundle

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles