Threat actors are using steganography by embedding malware within bitmap resources in benign 32-bit .NET apps, enabling multi-stage payload execution that evades detection. This tactic targets finance and logistics sectors globally with sophisticated obfuscation. (Affected: Financial sector, Logistics sector, .NET applications)
Keypoints:
- Malware hidden in bitmap resources embedded in legitimate 32-bit .NET executable files.
- Campaign primarily targeted financial organizations in Türkiye and logistics sectors in Asia via malspam emails.
- The attack uses a multi-stage payload execution chain involving deobfuscation and loading of secondary DLLs.
- Payloads include Agent Tesla keylogger, XLoader, and Remcos RAT malware families.
- Obfuscation techniques include metadata renaming, opcode replacement, control flow obfuscation, and string encryption.
- Final payloads exfiltrate data via SMTP servers with credentials hardcoded in configuration.
- The unpacking process involves loading bitmap resources as .NET DLLs and then extracting the final executable using XOR and subtraction decryption.
- Threat actors timestomp PE timestamps and use native-language email subjects for regional targeting and evasion.
- Detection can be improved by hooking the key .NET resource-loading and assembly-loading API calls.
- Palo Alto Networks offers advanced protections through WildFire, Cortex XDR, XSIAM, URL Filtering, and DNS Security.
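A small triage helper for the unpacking step described above (pixel bytes of a bitmap resource decrypted with XOR and subtraction into a PE): this is an added example, not Unit 42's code or the loader's. It assumes a single-byte XOR key and a single subtraction constant and brute-forces both, and it reads a plain BMP blob rather than the serialized bitmap inside a .NET .resources stream; the sample bitmap it scans is constructed inline.

```python
# Added triage helper (not Unit 42's code): carve a PE hidden in BMP pixel bytes
# protected with a single-byte XOR key and a subtraction constant.
# Assumption: decrypt = ((byte ^ key) - sub) mod 256; real samples may differ.
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"

def bmp_pixel_bytes(bmp: bytes) -> bytes:
    """Return the pixel array a loader would read back from a BMP blob."""
    if len(bmp) < 14 or bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    off = struct.unpack_from("<I", bmp, 10)[0]  # bfOffBits: start of pixel data
    return bmp[off:]

def looks_like_pe(buf: bytes) -> bool:
    """Cheap PE sanity check: MZ stub plus 'PE\\0\\0' at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == PE_SIG

def decrypt(buf: bytes, key: int, sub: int) -> bytes:
    return bytes(((b ^ key) - sub) & 0xFF for b in buf)

def carve_pe(pixels: bytes) -> list:
    """Brute-force (key, sub); return every (key, sub, plaintext) that decodes to a PE.
    Several pairs can yield identical bytes, so callers should inspect all hits."""
    hits = []
    for key in range(256):
        for sub in range(256):
            if decrypt(pixels[:2], key, sub) != MZ:
                continue  # the first two bytes already rule this pair out
            cand = decrypt(pixels, key, sub)
            if looks_like_pe(cand):
                hits.append((key, sub, cand))
    return hits

# Constructed sample: a stub "PE" (MZ header, e_lfanew = 0x40, PE signature) wrapped
# in a minimal 8-bpp BMP after the assumed encryption, standing in for a real resource.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + PE_SIG + b"\x90" * 16

def build_sample_bmp(payload: bytes, key: int, sub: int) -> bytes:
    enc = bytes((((b + sub) & 0xFF) ^ key) for b in payload)
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(enc), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, len(enc), 1, 1, 8, 0, len(enc), 0, 0, 0, 0)
    return file_hdr + info_hdr + enc

SAMPLE_BMP = build_sample_bmp(FAKE_PE, key=0x5C, sub=0x7B)
```

Running `carve_pe(bmp_pixel_bytes(SAMPLE_BMP))` recovers the stub PE; on a real resource the same check is a quick way to confirm that an image carries an executable before the hooked loader ever runs it.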
MITRE Techniques:
- Obfuscated Files or Information (T1027) – Using bitmap steganography within .NET resources to conceal payloads.
- Malicious File (T1204.002) – Delivery via malicious spam email with disguised .NET executables.
- Deobfuscate/Decode Files or Information (T1140) – Multi-stage process to decrypt and load secondary DLL and final payload.
- Process Injection (T1055) – Reflective loading and late binding to execute payloads within host process.
- Command and Control (T1071) – SMTP and web-based C2 channels for data exfiltration.
- Scheduled Task/Job (T1053) – Use of timestomping to hide creation times and evade detection timelines.
- Dynamic Code Loading (T1543) – Runtime loading of assemblies from byte arrays embedded in bitmap resources.
- Credential Dumping (T1003) – Extraction of hardcoded SMTP credentials used for data exfiltration.
- Data Obfuscation (T1001) – Encryption and manipulation of strings and control flow during execution.
- Indicator Removal on Host (T1070) – Timestomping PE header timestamps to confuse forensic analysis.
Indicators of Compromise:
- The article includes SHA-256 hashes of multiple malware samples from Agent Tesla, XLoader, and Remcos RAT families.
- Indicators include email servers and credentials used for SMTP data exfiltration such as hosting2.ro.hostsailor.com:587 with specific usernames and passwords.
- C2 URLs like www.sixfiguredigital.group/aoc3/ and www.yperlize.net/aa02/ are linked to data exfiltration.
- IP addresses and hostnames serving as C2 infrastructure for Remcos RAT are outlined, e.g., 103.198.26.222:9373 and myhost001.myddns.me:9373.
- Use of timestomped PE file timestamps to mask malware build times is an artifact useful in forensic analysis.
Read more: https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-hide-net-malware/