Attackers leveraged .NET assemblies with bitmap resources to hide remote access trojans (RATs) in a recent malspam campaign, Palo Alto Networks' Unit 42 reported Friday. Unit 42 researchers found RATs, including Agent Tesla and Remcos RAT, as well as the XLoader infostealer, hidden in otherwise benign 32-bit .NET files distributed via email and labeled as requests for quotation, purchase orders or other business-related documents.

A sample from the campaign, which mostly targeted the financial industry in Turkey and the logistics sector in Asia, was analyzed by Unit 42 to uncover its full attack chain. This sample was a copy of the legitimate application Windows Form OCR, with the malware embedded in the resource section of the .NET assembly.

The attack involved several stages, starting with the initial executable xgDV.exe, which the report authors noted contained custom methods and parameters following an underwater theme (e.g. AbyssalScan, MarineExploration, VerifyOxygenSaturation).

The first step of the process involves unpacking a dynamic link library (DLL) called TL.dll from the bitmap resource named "sv," which serves as the loader for the next stage of the attack. TL.dll is then used to unpack a second bitmap from the original executable, called rbzR, into Montero.dll.

Montero.dll itself contains a .NET byte array resource called uK5APqTdSG, which it unpacks into the final payload Remington.exe, a variant of the Agent Tesla RAT. Montero.dll uses XOR encryption combined with subtraction to deobfuscate the uK5APqTdSG byte array and ultimately load and execute Remington.exe.

This technique is a form of steganography, where malicious code is hidden within image files. In this case, the images are embedded directly within the .NET assemblies, rather than being downloaded from an external source, and the payload is easily retrieved from the raw bitmap (BMP) image file format.

Unit 42 explains that this evasion technique can be countered by creating a debugger using the .NET Framework's ICorDebugManagedCallback interface to hook the following API functions:

System.Resources.ResourceManager::GetObject(string name)
System.AppDomain::Load(byte[] rawAssembly)
System.Reflection.Assembly::Load(byte[] rawAssembly)

Hooking these functions temporarily pauses execution at the points where embedded resources are read by a .NET application and where a .NET assembly is loaded from a raw byte array, allowing the unpacked data to be retrieved.
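As an added example (not code from Unit 42's report), the following Python scanner shows the static counterpart to the debugger approach above: it locates BMP headers inside an assembly's raw bytes and carves out any PE file stored unobfuscated in the pixel area, the way the "sv" and rbzR bitmaps are described. It assumes the bitmap appears as a contiguous BMP byte stream and that the payload is not further encoded (a payload protected by the XOR-with-subtraction step would need its key applied first); the sample assembly and fake PE are constructed inline.

```python
import struct

def build_fake_pe():
    """Constructed stand-in for a PE: MZ header whose e_lfanew points at 'PE\\0\\0'."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3A)     # DOS header, 0x3C bytes so far
    pe += struct.pack("<I", 0x40)               # e_lfanew at offset 0x3C
    pe += b"PE\0\0" + b"\x00" * 0x10           # NT signature plus filler
    return bytes(pe)

def wrap_in_bmp(payload):
    """Constructed sample: store payload as the pixel data of a 1-row 8bpp BMP."""
    pixel_off = 14 + 40                         # BITMAPFILEHEADER + BITMAPINFOHEADER
    dib = struct.pack("<IiiHHIIiiII", 40, len(payload), 1, 1, 8, 0,
                      len(payload), 2835, 2835, 0, 0)
    hdr = b"BM" + struct.pack("<IHHI", pixel_off + len(payload), 0, 0, pixel_off)
    return hdr + dib + payload

def iter_bitmaps(blob):
    """Yield (offset, pixel_offset, file_size) for each plausible BMP header in blob."""
    pos = blob.find(b"BM")
    while pos != -1:
        if pos + 14 <= len(blob):
            size, _, _, pix = struct.unpack_from("<IHHI", blob, pos + 2)
            # Pixel data must start after both headers and the file must fit in blob
            if 54 <= pix < size <= len(blob) - pos:
                yield pos, pix, size
        pos = blob.find(b"BM", pos + 1)

def carve_pe_from_bitmap(blob, bmp_off, pix_off, size):
    """Return the pixel bytes if they begin with a consistent MZ/PE header, else None."""
    data = blob[bmp_off + pix_off: bmp_off + size]
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":  # out-of-range slice also fails here
        return None
    return data

def find_hidden_pe(blob):
    """Return [(bmp_offset, carved_pe_bytes)] for every bitmap hiding a PE image."""
    hits = []
    for off, pix, size in iter_bitmaps(blob):
        pe = carve_pe_from_bitmap(blob, off, pix, size)
        if pe is not None:
            hits.append((off, pe))
    return hits

if __name__ == "__main__":
    # Constructed "assembly": junk bytes, a bitmap carrying the fake PE, trailing bytes
    sample = b"\x00" * 20 + b"junk" + wrap_in_bmp(build_fake_pe()) + b"tail"
    for off, pe in find_hidden_pe(sample):
        print(f"PE hidden in bitmap at offset {off}, {len(pe)} bytes")
```

Run against a real sample, the carved bytes can be written to disk and handed to a PE parser, while a benign bitmap (pixel data not starting with MZ) yields no hits.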