The popular hacking group, OceanLotus, Advanced Persistent Threat group 32 (APT32) is using a steganography-based file loader to drop various backdoors on users’ computers. Steganography is the practice of sending data in a hidden format so that the sent information itself is disguised. This type of attack is now being seen imbedded inside malware to assist hackers in extracting more information from a host’s computer.
How these programs are being introduced is into the users through a style of image called PNG, a PNG image is a more open sourced style format than the traditional JPEG image format. The steganography-based file loader can be easily altered by the threat actor to deliver other malicious malware. The backdoor loading process begins when the payload is decoded, decrypted and executed to load the backdoor opening program in the user’s computer. The file uses a large amount of junk information to inflate its size to make debugging more difficult.
Analyst Notes
Users should ensure that their malware detection programs are as up to date as possible by either using an auto-update feature or by updating their program manually on a regular basis. Also it is advised to download images from trusted sources or the originator of the image.
