BlackBerry Cylance recently uncovered a novel malware payload loader during our ongoing surveillance of the OceanLotus (APT32) group. The loader uses steganography to read an encrypted payload concealed within a .png image file. Download the OceanLotus Steganography Malware Analysis white paper for further details on how this APT:
- Utilizes a steganography algorithm to minimize visual differences between clean and infected images
- Uses an obfuscated loader to load one of the APT’s favored backdoors, often Denes or Remy
- Invests in bespoke tooling, and what its continued focus on this area may mean
- Obfuscates its malware by imitating well-known DLLs
- Implements multiple anti-analysis checks into their loaders
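The page describes a loader that pulls an encrypted payload out of a .png file but does not detail the embedding scheme. The following is an added example, not code from the white paper or from BlackBerry Cylance, showing one defender-side heuristic a practitioner can run over PNGs: if an encrypted payload is hidden in the least-significant bits of the pixel data, the LSB plane of the image becomes close to uniformly random, so its Shannon entropy approaches 8 bits per byte, whereas the LSB plane of a smooth or synthetic image is highly structured. It assumes LSB embedding (an assumption; the actual OceanLotus algorithm is not described here), ships its own minimal PNG encoder/decoder so it runs offline, and constructs both the clean image and the stand-in "encrypted" payload inline.

```python
"""Heuristic LSB-plane entropy check for PNG images (added example, not from the
white paper). Assumes the payload is embedded in pixel LSBs, which is an assumption."""
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    # A PNG chunk is: 4-byte length, 4-byte tag, body, CRC32 over tag + body.
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    # Minimal 8-bit RGB encoder: every scanline uses filter type 0 (None).
    assert len(rgb) == width * height * 3
    raw = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    # Minimal decoder for the subset write_png() emits: 8-bit RGB, filter 0, non-interlaced.
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, width, height = 8, b"", None, None
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, ctype, interlace) != (8, 2, 0):
                raise ValueError("unsupported PNG variant for this demo decoder")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # length + tag + body + CRC
    raw, stride = zlib.decompress(idat), width * 3 + 1
    rows = [raw[i * stride:(i + 1) * stride] for i in range(height)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("only filter type 0 is supported by this demo decoder")
    return width, height, b"".join(r[1:] for r in rows)


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    # Overwrite the LSB of consecutive channel bytes with payload bits (assumed scheme).
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("payload does not fit in the image")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_plane(rgb: bytes) -> bytes:
    # Pack the LSB of every channel byte, 8 at a time, into a byte string.
    out = bytearray()
    for i in range(0, len(rgb) - len(rgb) % 8, 8):
        v = 0
        for j in range(8):
            v = (v << 1) | (rgb[i + j] & 1)
        out.append(v)
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    # Bits per byte; 8.0 is the maximum for a uniformly random byte stream.
    if not data:
        return 0.0
    n, counts = len(data), Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def lsb_entropy_of_png(png: bytes) -> float:
    _, _, rgb = read_png(png)
    return shannon_entropy(lsb_plane(rgb))


def looks_stego(png: bytes, threshold: float = 7.9) -> bool:
    # Heuristic: an LSB plane this close to uniform is unusual for smooth imagery and
    # is consistent with an embedded encrypted blob. Noisy photos can exceed it too,
    # so treat a hit as a triage signal, not a verdict.
    return lsb_entropy_of_png(png) >= threshold


# Constructed sample image (128x128 gradient): channel value 4x + 3y mod 256, so every
# row's LSBs are identical and the LSB plane is a structured 0x00/0xFF pattern.
W = H = 128
CLEAN_RGB = bytes((4 * x + 3 * y) % 256 for y in range(H) for x in range(W) for _ in range(3))


def build_clean_png() -> bytes:
    return write_png(W, H, CLEAN_RGB)


def build_stego_png() -> bytes:
    # Stand-in for an encrypted payload: a deterministic SHA-256 stream (constructed, not real).
    need = (W * H * 3) // 8
    stream = b"".join(hashlib.sha256(b"demo-payload-%d" % i).digest() for i in range(need // 32 + 1))
    return write_png(W, H, embed_lsb(CLEAN_RGB, stream[:need]))


if __name__ == "__main__":
    for name, png in (("clean", build_clean_png()), ("stego", build_stego_png())):
        print(f"{name}: LSB-plane entropy = {lsb_entropy_of_png(png):.3f}, flagged = {looks_stego(png)}")
```

The clean gradient yields an LSB plane of exactly 1.0 bit per byte, while the image carrying the pseudo-random payload lands near 8.0; real-world use would pair this score with other triage signals (file origin, the process that opened the image, and the loader DLL itself) rather than acting on the entropy value alone.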
The OceanLotus Steganography Malware Analysis white paper offers an in-depth look at two concerning technical achievements recently employed by this APT. It is a must-read for professionals wishing to stay informed of the latest tactics and tools implemented by global threat groups.