A group of attackers targeting Ukraine-affiliated organizations has been delivering malicious payloads hidden inside the pixels of image files. Known as steganography, it is just one of many advanced techniques the group uses to evade detection as part of a malware loader known as IDAT.
Tracked as UAC-0184 by several security companies, as well as the Computer Emergency Response Team of Ukraine (CERT-UA), the group was seen targeting Ukrainian servicemen via phishing emails masquerading as messages from Ukraine’s 3rd Separate Assault Brigade and the Israel Defense Forces (IDF). While most of the recipients of these messages were located in Ukraine, security firm Morphisec has confirmed targets outside of the country as well.
“While the adversary strategically targeted Ukraine-based entities, they apparently sought to expand to additional entities affiliated with Ukraine,” researchers said in a new report. “Morphisec findings brought to the forefront a more specific target — Ukraine entities based in Finland.” Morphisec also observed the new steganography technique being used to deliver malicious payloads after the initial compromise.
Staged malware injection ends with Remcos trojan
The attacks detected by Morphisec delivered a malware loader known as IDAT or HijackLoader that has been used in the past to deliver a variety of trojans and malware programs including Danabot, SystemBC, and RedLine Stealer. In this case, UAC-0184 used it to deploy a commercial remote access trojan (RAT) program called Remcos.
“Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders,” the Morphisec researchers said. “It employs sophisticated techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. The infection process of IDAT unfolds in multiple stages, each serving distinct functionalities.”
The infection happens in stages, with the first stage making a call to a remote URL to access a .js (JavaScript) file. The code in this file tells the executable where to look for an encrypted code block within its own file and the key that must be used to decrypt it.
The IDAT configuration used by the attackers also uses an embedded PNG file whose contents are searched to locate and extract the payload, using location 0xEA79A5C6 as the starting point. Malware code can be hidden within the pixel data of image and video files without necessarily impacting how those files work or the media information they contain. While this isn’t a new technique for malware authors, it is not commonly observed.
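As an added example that is not part of this article or of Morphisec’s report, the following Python triage script walks a PNG’s chunk list, validates each chunk CRC, reports any bytes appended after the IEND chunk, and searches the file for the 0xEA79A5C6 value the article mentions. Treating that value as a 4-byte marker (in either byte order) is an assumption, and the sample PNG is constructed inline so the script runs offline.

```python
import struct
import zlib

# Assumption: the article's 0xEA79A5C6 is a 4-byte value embedded in the image;
# both byte orders are checked so either reading of the value is covered.
MARKERS = (struct.pack(">I", 0xEA79A5C6), struct.pack("<I", 0xEA79A5C6))
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def parse_png_chunks(data):
    """Walk the chunk list; return (chunks, trailing_bytes).
    Each chunk is (type, offset, length, crc_ok). Parsing stops at IEND, so
    anything after it is returned as trailing bytes."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos, chunks = 8, []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):  # truncated or lying length field
            chunks.append((ctype.decode("latin-1"), pos, length, False))
            return chunks, b""
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        chunks.append((ctype.decode("latin-1"), pos, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def scan_png(data):
    """Return triage findings for one PNG byte string."""
    chunks, trailing = parse_png_chunks(data)
    hits = sorted(i for m in MARKERS for i in range(len(data) - 3) if data[i:i + 4] == m)
    bad_crc = [c[0] for c in chunks if not c[3]]
    return {"bad_crc": bad_crc, "trailing_bytes": len(trailing), "marker_offsets": hits,
            "suspicious": bool(trailing) or bool(hits) or bool(bad_crc)}


def build_sample_png(extra=b""):
    """Constructed 1x1 RGB PNG; `extra` is appended after IEND to simulate a smuggled blob."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + extra


if __name__ == "__main__":
    print(scan_png(build_sample_png()))
    print(scan_png(build_sample_png(b"\x00" * 16 + MARKERS[0] + b"CONSTRUCTED-BLOB")))
```

A marker hit or trailing data is only a triage signal; a payload that sits inside valid pixel data would need the extraction routine itself (the offsets and key from the first-stage .js file) to confirm.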