Steganography used by OceanLotus APT to install Denes & Remy backdoors

News by Rene Millman

Security researchers have discovered OceanLotus APT group hackers using steganography to install a backdoor as part of a campaign against foreign organisations working in Vietnam's industrial sectors.

Security researchers have discovered that a Vietnamese group of hackers are using steganography techniques to install a backdoor as part of a campaign against foreign organisations working in several of the country’s industry sectors.

According to the OceanLotus Steganography Malware Analysis White Paper, released by Cylance Research, researchers uncovered a novel payload loader that uses steganography to read an encrypted payload concealed within a .png image file.

"The steganography algorithm appears to be bespoke and utilises a least significant bit approach to minimise visual differences when compared with the original image to prevent analysis by discovery tools," said researchers.

"Once decoded, decrypted, and executed, an obfuscated loader will load one of the APT32 backdoors."

Cylance has seen two backdoors being used in combination with the steganography loader – a version of Denes backdoor (bearing similarities to the one described by ESET), and an updated version of Remy backdoor.

"However, this can be easily modified by the threat actor to deliver other malicious payloads. The complexity of the shellcode and loaders shows the group continues to invest heavily in development of bespoke tooling," researchers said.

Researchers said that this particular OceanLotus malware loader attempts to imitate McAfee’s McVsoCfg DLL and expects to be side-loaded by the legitimate "On Demand Scanner" executable.

"It arrives together with an encrypted payload stored in a separate .png image file. The .png cover file is actually a valid image file that is not malicious on its own," said researchers.

The payload is encoded inside this image with the use of a technique called steganography, which uses the least significant bits of each pixel’s colour code to store hidden information, without making overtly visible changes to the picture itself.

"The encoded payload is additionally encrypted with AES128 and further obfuscated with XOR in an attempt to fool steganography detection tools," said researchers.

Dr Simon Wiseman, CTO of Deep Secure, told SC Media UK that images are an ideal threat vector.

"They are easily manipulated with scripting tools. It is possible to conceal large amounts of information in a single image without affecting how it appears," he said.

"We must completely eliminate the risk by stripping all hidden information out of all images – indiscriminately as to whether it is malicious or not. Using Content Threat Removal technology, organisations can 100 percent mitigate the risk that steganography poses by ensuring that any images that enter their network – whether that's shared via email, uploaded to a portal, or downloaded in the cache of an image viewed on social media – have any malicious, hidden elements removed," he said.

Dr Guy Bunker, CTO at Clearswift, told SC Media UK that it is almost impossible to detect steganography, but it is possible to prevent it.

"This sounds like an impossibility, but what you can do is disrupt the object carrying the payload – typically an image – such that the difference is imperceptible to the human eye, but the embedded malware / data cannot be retrieved," he said.

"Organisations first need to be aware that there is a threat (and it is growing) – and then they can think about solutions which mitigate the risk."
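The two ideas above, the least-significant-bit encoding described earlier in the article and Bunker's point that the carrier image can be disrupted imperceptibly so the embedded data cannot be retrieved, can be shown together in a few lines. The following Python is an added illustration written for this article, not code from Cylance, OceanLotus or any vendor named here; it works on a constructed 8x8 RGB pixel list rather than a real .png, and it omits the AES128 and XOR layers the researchers describe, since those do not change the point being made. The function names (embed_lsb, extract_lsb, scrub_lsb, max_channel_delta, demo) are this example's own.

```python
import random

# Constructed cover image: 8x8 RGB pixels forming a smooth gradient.
# This is not a real image file; it stands in for the decoded pixel data of a .png.
COVER = [(x * 16, y * 16, (x + y) * 8) for y in range(8) for x in range(8)]


def _flatten(pixels):
    return [c for px in pixels for c in px]


def _unflatten(flat):
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def embed_lsb(pixels, payload):
    """Write payload bits (MSB first) into the least significant bit of
    successive colour channels. Each channel changes by at most 1 out of 255,
    which is the 'minimal visual difference' property the article describes."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    flat = _flatten(pixels)
    if len(bits) > len(flat):
        raise ValueError("payload too large for cover image")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    return _unflatten(flat)


def extract_lsb(pixels, nbytes):
    """Read nbytes back out of the LSBs; the inverse of embed_lsb."""
    flat = _flatten(pixels)
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (flat[i * 8 + j] & 1)
        out.append(byte)
    return bytes(out)


def scrub_lsb(pixels, rng=None):
    """Content disarm in the sense Bunker describes: overwrite every channel's
    LSB with a random bit. The picture moves by at most 1 out of 255 per
    channel, so it looks the same, but any LSB-encoded payload is destroyed
    whether or not we ever detected it."""
    rng = rng or random.Random()
    return [tuple((c & 0xFE) | rng.getrandbits(1) for c in px) for px in pixels]


def max_channel_delta(a, b):
    """Largest per-channel difference between two images of the same size."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def demo(payload=b"hidden"):
    """Embed a constructed payload, confirm it is recoverable and visually
    invisible, then scrub the image and confirm the payload is gone."""
    stego = embed_lsb(COVER, payload)
    scrubbed = scrub_lsb(stego, random.Random(1))  # fixed seed for reproducibility
    return {
        "stego_delta": max_channel_delta(COVER, stego),      # 1 at most
        "recovered": extract_lsb(stego, len(payload)),       # == payload
        "scrub_delta": max_channel_delta(stego, scrubbed),   # 1 at most
        "after_scrub": extract_lsb(scrubbed, len(payload)),  # no longer payload
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the scrub step is that it does not need to decide whether an image is malicious: a gateway that rewrites the low bits of every inbound image removes the channel that this loader depends on, at the cost of a pixel change no viewer can see. Real-world implementations also have to cope with lossless re-encoding, metadata and the other places a PNG can carry data, which this toy deliberately ignores.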
