OceanLotus threat actor group leverages Steganography to deliver backdoors

• The threat actors are using the steganography technique to drop variants of Denes and Remy backdoors on the affected systems.
• These variants are delivered by concealing them within PNG image files.

The notorious OceanLoutus APT group has been found using the old-school trick to load backdoor malware on compromised systems. The threat actors are using the traditional steganography technique to drop variants of Denes and Remy backdoors on the affected systems.

What’s the matter - According to the report published by the Cylance Research and Intelligence Team, OceanLotus are using a novel payload loader that makes use of steganography technique. The technique is leveraged to conceal an updated version of Remy backdoor and a version of Denes backdoor within PNG image files.

“While continuing to monitor the activity of the OceanLotus APT Group, our researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file,” said the Cylance researchers.

How it works - Researchers noted that the steganography algorithm used by the APT32 group seems to specifically designed for this purpose. It uses at least significant bit approach to minimize visual differences and prevent detection by malware detection tools.

“The steganography algorithm appears to be bespoke and utilizes a least significant bit approach to minimize visual differences when compared with the original image to prevent analysis by discovery tools,” added the researchers.

Once the algorithm is decoded and executed, the loader will load one of the backdoors.

About the backdoors - Further analysis revealed that the two malware loaders use side-loaded DLLs and an “AES128 implementation from Crypto++ library for payload decryption", Bleeping Computer reported.

The backdoor malware variants and the C2 communication are heavily obfuscated with huge quantities of junk code in order to make the detection analysis as cumbersome as possible.

The backdoor’s command-and-control server communicates via HTTP/HTTPS channels.