A group of attackers focused on Ukraine-affiliated organizations has been delivering malicious payloads hidden inside the pixels of image files. Known as steganography, it is just one of many advanced techniques the group uses to evade detection as part of a malware loader known as IDAT.
Tracked as UAC-0184 by several security firms, as well as the Computer Emergency Response Team of Ukraine (CERT-UA), the group was seen targeting Ukrainian servicemen via phishing emails masquerading as messages from Ukraine’s 3rd Separate Assault Brigade and the Israel Defense Forces (IDF). While most of the recipients of these messages were located in Ukraine, security firm Morphisec has confirmed targets outside of the country as well.
“While the adversary strategically targeted Ukraine-based entities, they apparently sought to expand to additional entities affiliated with Ukraine,” researchers said in a new report. “Morphisec findings brought to the forefront a more specific target — Ukraine entities based in Finland.” Morphisec also observed the new steganography technique being used to deliver malicious payloads after the initial compromise.
Staged malware injection ends with Remcos trojan
The attacks detected by Morphisec delivered a malware loader known as IDAT or HijackLoader that has been used in the past to deliver a variety of trojans and malware programs including Danabot, SystemBC, and RedLine Stealer. In this case, UAC-0184 used it to deploy a commercial remote access trojan (RAT) program called Remcos.
“Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders,” the Morphisec researchers said. “It employs sophisticated techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. The infection process of IDAT unfolds in multiple stages, each serving distinct functionalities.”
The infection happens in stages, with the first stage making a call to a remote URL to fetch a .js (JavaScript) file. The code in this file tells the executable where to look for an encrypted code block within its own file and the key that must be used to decrypt it.
The IDAT configuration used by the attackers also includes an embedded PNG file whose contents are searched to locate and extract the payload, using the value 0xEA79A5C6 as the starting point. Malware code can be hidden in the pixel data of image and video files without necessarily affecting how those files work or the media content they carry. While this is not a new technique for malware authors, it is not commonly observed.
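A defender-side check for the kind of PNG carrier described above, added here as an example and not code from Morphisec or from the loader itself. It parses the PNG chunk structure, verifies each chunk's CRC, compares the decompressed pixel stream against the size implied by the IHDR header, flags any bytes appended after IEND, and searches both the raw file and the decoded pixel data for the 0xEA79A5C6 marker named in the article. The article does not say how that value is laid out in the file, so both byte orders are tried (an assumption). The two sample images are constructed inline; `build_png`, `scan_png` and the other names are this example's own.

```python
"""Static checks for a PNG that may carry a hidden payload in its pixel data."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Marker value the article says the loader uses as its extraction start point.
# Its byte order in a real sample is not stated, so both orders are checked (assumption).
MARKER = 0xEA79A5C6
MARKER_PATTERNS = (struct.pack(">I", MARKER), struct.pack("<I", MARKER))

# Bytes per pixel for 8-bit samples, keyed by PNG colour type.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype, body):
    """Serialise one PNG chunk: length, type, body, CRC32 over type + body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(width, height, scanlines, trailing=b""):
    """Build a minimal 8-bit RGB PNG from already-filtered scanlines (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines))
            + _chunk(b"IEND", b"") + trailing)


def parse_chunks(data):
    """Return (chunks, end_offset); each chunk is (type, body, crc_ok). Parsing stops at IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype, body, zlib.crc32(ctype + body) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def scan_png(data):
    """Return a list of human-readable findings; an empty list means nothing looked suspicious."""
    findings = []
    chunks, end = parse_chunks(data)
    if end < len(data):
        findings.append(f"{len(data) - end} bytes of trailing data after IEND")
    for ctype, _, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"CRC mismatch on {ctype.decode('latin-1')} chunk")
    idat = b"".join(body for ctype, body, _ in chunks if ctype == b"IDAT")
    try:
        pixels = zlib.decompress(idat)
    except zlib.error:
        findings.append("IDAT stream does not decompress")
        pixels = b""
    ihdr = next((body for ctype, body, _ in chunks if ctype == b"IHDR"), None)
    if ihdr and pixels:
        width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
        if depth == 8 and colour in CHANNELS:
            # Each scanline carries one filter byte plus width * bytes-per-pixel.
            expected = height * (1 + width * CHANNELS[colour])
            if len(pixels) != expected:
                findings.append(f"pixel stream is {len(pixels)} bytes, expected {expected}")
    # Look for the marker both in the file as stored and in the decoded pixel data.
    for label, buf in (("raw file", data), ("decoded pixel stream", pixels)):
        for pattern in MARKER_PATTERNS:
            offset = buf.find(pattern)
            if offset != -1:
                findings.append(f"marker {pattern.hex()} at offset {offset} in {label}")
    return findings


# Constructed samples: a 4x2 RGB image, 13 bytes per filtered scanline (filter byte + 12).
CLEAN_ROW = b"\x00" + b"\x10\x20\x30" * 4
CLEAN_PNG = build_png(4, 2, CLEAN_ROW * 2)
# Same image with the marker written into the pixel bytes of the first row, plus data after IEND.
TAMPERED_ROW = b"\x00\x10\x20\x30" + MARKER_PATTERNS[0] + b"\x30\x10\x20\x30\x10"
TAMPERED_PNG = build_png(4, 2, TAMPERED_ROW + CLEAN_ROW, trailing=b"\x00" * 16)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(name, scan_png(sample) or "no findings")
```

The marker search alone would miss a sample that uses a different start value, which is why the structural checks (CRCs, pixel-stream length against IHDR, bytes after IEND) are kept independent of it: an image whose decoded pixel data is larger than its dimensions allow, or that carries data past IEND, is worth a second look regardless of which loader produced it.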