A group of attackers focusing on Ukraine-affiliated organizations has been delivering malicious payloads hidden inside the pixels of image files. Often called steganography, it is just one of many advanced techniques the group uses to evade detection as part of a malware loader known as IDAT.
Tracked as UAC-0184 by several security companies, as well as the Computer Emergency Response Team of Ukraine (CERT-UA), the group was seen targeting Ukrainian servicemen via phishing emails masquerading as messages from Ukraine’s 3rd Separate Assault Brigade and the Israel Defense Forces (IDF). While most of the recipients of these messages were located in Ukraine, security firm Morphisec has confirmed targets outside of the country as well.
“While the adversary strategically targeted Ukraine-based entities, they apparently sought to expand to additional entities affiliated with Ukraine,” researchers said in a new report. “Morphisec findings brought to the forefront a more specific target — Ukraine entities based in Finland.” Morphisec also observed the new steganography technique being used to deliver malicious payloads after the initial compromise.
Staged malware injection ends with Remcos trojan
The attacks detected by Morphisec delivered a malware loader known as IDAT or HijackLoader that has been used in the past to deliver a variety of trojans and malware programs including Danabot, SystemBC, and RedLine Stealer. In this case, UAC-0184 used it to deploy a commercial remote access trojan (RAT) program called Remcos.
“Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders,” the Morphisec researchers said. “It employs sophisticated techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. The infection process of IDAT unfolds in multiple stages, each serving distinct functionalities.”
The infection happens in stages, with the first stage making a call to a remote URL to retrieve a .js (JavaScript) file. The code in this file tells the executable where to look for an encrypted code block within its own file and the key that must be used to decrypt it.
The IDAT configuration used by the attackers also uses an embedded PNG file whose contents are searched to locate and extract the payload, using the value 0xEA79A5C6 as the starting point. Malware code can be hidden in the pixel data of image and video files without necessarily affecting how those files work or the media content they contain. While this is not a new technique for malware authors, it is not commonly observed.
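As an added example (not code from the article or from Morphisec), the following Python triage script parses a PNG's chunk list, verifies each chunk CRC, inflates the concatenated IDAT stream and reports where the 0xEA79A5C6 value appears in the raw file and in the decoded pixel bytes, along with any data trailing the IEND chunk. It assumes the value is stored as a 4-byte pattern (both byte orders are checked) and builds its own constructed sample image to scan.

```python
import re
import struct
import zlib
# Added example, not code from the article or Morphisec. The reported value 0xEA79A5C6 is
# searched as a 4-byte pattern in both byte orders (its exact on-disk form is an assumption).
PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER_PATTERNS = ((0xEA79A5C6).to_bytes(4, "big"), (0xEA79A5C6).to_bytes(4, "little"))

def _hits(buf):
    return sorted(m.start() for p in MARKER_PATTERNS for m in re.finditer(re.escape(p), buf))  # offsets of either byte order

def _chunk(ctype, payload):
    """Build one PNG chunk: big-endian length, type, payload, CRC32 over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def scan_png(data):
    """Walk the chunk list, verify CRCs, inflate IDAT, report marker offsets and bytes trailing IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    report = {"bad_crc": [], "truncated": False, "trailing": 0, "raw_hits": [], "pixel_hits": None}
    idat, pos, end = b"", len(PNG_SIG), len(data)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):          # chunk claims more bytes than the file has
            report["truncated"] = True
            break
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            report["bad_crc"].append(ctype.decode("latin-1"))
        if ctype == b"IDAT":
            idat += payload                         # all IDAT payloads form one zlib stream
        pos += 12 + length
        if ctype == b"IEND":
            end = pos                               # anything past IEND is not image data
            break
    report["trailing"] = len(data) - end
    report["raw_hits"] = _hits(data)
    try:
        report["pixel_hits"] = _hits(zlib.decompress(idat))  # filter bytes + pixel bytes
    except zlib.error:
        pass                                        # undecodable IDAT: pixel_hits stays None
    return report

def make_sample_png():
    """Constructed 4x1 RGBA PNG whose pixel bytes open with the marker followed by a fake blob."""
    ihdr = struct.pack(">IIBBBBB", 4, 1, 8, 6, 0, 0, 0)
    row = b"\x00" + MARKER_PATTERNS[0] + b"FAKE-BLOB-12"     # filter byte + 16 pixel bytes
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(row)) + _chunk(b"IEND", b"")
```

A hit inside the decoded pixel stream, a CRC mismatch, or bytes after IEND are each reasons to pull the image for closer analysis rather than proof of malice on their own.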