OceanLotus threat actor group leverages Steganography to deliver backdoors
April 3, 2019 | Threat Actors
- The threat actors are using the steganography technique to drop variants of Denes and Remy backdoors on the affected systems.
- These variants are delivered by concealing them within PNG image files.
The notorious OceanLotus APT group has been found using an old-school trick to load backdoor malware on compromised systems. The threat actors are using the traditional steganography technique to drop variants of the Denes and Remy backdoors on the affected systems.
What’s the matter - According to the report published by the Cylance Research and Intelligence Team, OceanLotus is using a novel payload loader that makes use of steganography. The technique is leveraged to conceal an updated version of the Remy backdoor and a version of the Denes backdoor within PNG image files.
“While continuing to monitor the activity of the OceanLotus APT Group, our researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file,” said the Cylance researchers.
How it works - Researchers noted that the steganography algorithm used by the APT32 group seems to be specifically designed for this purpose. It uses a least significant bit approach to minimize visual differences between the carrier and the original image and to avoid detection by security tools.
“The steganography algorithm appears to be bespoke and utilizes a least significant bit approach to minimize visual differences when compared with the original image to prevent analysis by discovery tools,” added the researchers.
Once the concealed payload is decoded, the loader executes one of the two backdoors.
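The least-significant-bit replacement described above leaves a statistical trace even when the hidden payload is encrypted: overwriting the LSB plane with random-looking bits pushes the counts of each pixel-value pair (2k, 2k+1) toward equality. The classic "pairs of values" chi-square test (Westfeld and Pfitzmann, 1999) measures exactly that. The script below is an added defender-side example, not code from the article or from the Cylance report. It assumes the image has already been decoded to a flat list of 8-bit sample values (for instance with Pillow's `Image.getdata()`); the cover pixel data here is constructed synthetically, the function names are the example's own, and the flagging threshold of 2.0 is an assumption rather than a published value.

```python
"""Pairs-of-values chi-square check for LSB-replacement steganography.

Added example, not the article's or the Cylance report's code.  Works on
a flat sequence of 8-bit sample values; decoding the PNG (e.g. with
Pillow's Image.getdata()) is assumed to have happened already.
"""
import random
from typing import List, Sequence, Tuple


def pov_chi_square(samples: Sequence[int]) -> Tuple[float, int]:
    """Return (chi-square statistic, degrees of freedom) over value pairs.

    For each pair (2k, 2k+1) the expected count under "LSB plane is
    random" is the pair's mean.  A natural cover image has many unequal
    pairs, so the statistic is large per degree of freedom; after LSB
    replacement the pairs equalise and it drops to roughly 1 per degree.
    Pairs that never occur contribute nothing and add no degree of freedom.
    """
    hist = [0] * 256
    for v in samples:
        hist[v & 0xFF] += 1
    chi2 = 0.0
    dof = 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        expected = (a + b) / 2.0
        if expected == 0:
            continue
        chi2 += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
        dof += 1
    return chi2, dof


def lsb_score(samples: Sequence[int]) -> float:
    """Chi-square per degree of freedom; small values are suspicious."""
    chi2, dof = pov_chi_square(samples)
    return chi2 / dof if dof else float("inf")


def looks_lsb_embedded(samples: Sequence[int], threshold: float = 2.0) -> bool:
    """Flag the region when its pairs are as balanced as random bits would make them.

    The threshold is an assumption for this example; tune it on known-clean
    images of the same source before using it for triage.
    """
    return lsb_score(samples) < threshold


def constructed_cover(n: int = 8192, seed: int = 1) -> List[int]:
    """Synthetic 'clean' samples (constructed, not a real image).

    Values are multiples of 4 plus an occasional +1, which mimics the uneven
    pair counts that quantised real-world images typically show.
    """
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        base = 4 * max(0, min(63, int(rng.gauss(32, 8))))
        out.append(base + (1 if rng.random() < 0.25 else 0))
    return out


def randomize_lsb_plane(samples: Sequence[int], seed: int = 2) -> List[int]:
    """Model the statistical effect of an encrypted payload written into the LSB plane.

    Only the statistics matter here: encrypted data is indistinguishable
    from random bits, so the LSB of every sample is replaced by a coin flip.
    """
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]


if __name__ == "__main__":
    cover = constructed_cover()
    stego = randomize_lsb_plane(cover)
    print("cover score:", round(lsb_score(cover), 2), "flagged:", looks_lsb_embedded(cover))
    print("stego score:", round(lsb_score(stego), 2), "flagged:", looks_lsb_embedded(stego))
```

The test only reacts to an LSB plane that has been (almost) fully replaced across the region it examines; a payload that occupies only part of the image, or that is embedded in a bespoke order as the report suggests this loader may do, should be hunted by running `lsb_score` over sliding windows of the sample data rather than over the whole image at once.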
About the backdoors - Further analysis revealed that the two malware loaders use side-loaded DLLs and an “AES128 implementation from Crypto++ library for payload decryption”, Bleeping Computer reported.
The backdoor variants and their C2 communication are heavily obfuscated with large quantities of junk code, to make detection and analysis as cumbersome as possible.
The backdoor’s command-and-control server communicates via HTTP/HTTPS channels.