Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling or disabling security software and obfuscating or encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide their malware and masquerade it as legitimate activity. In this report, we focus on how we uncovered the latest obfuscation/masquerading techniques, which hide a payload inside an image file with a bitmap (BMP) extension.
Delivering payloads through Images – Use cases
Because BMP is an uncompressed graphics file format, it gives malicious actors the possibility of injecting various payloads and scripts into it.
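As an added, defensive illustration of that structural point (example code, not from the original report): because the pixel area of an uncompressed BMP is fixed by its width, height and bit depth, a scanner can cross-check the header fields against the real file and flag bytes that have no place in the image. The sample images and the appended filler below are constructed; the check assumes BI_RGB (uncompressed) images and does not model the palette of 8-bit-or-lower files.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class BmpReport:
    width: int
    height: int
    bpp: int
    expected_pixel_bytes: int
    findings: list = field(default_factory=list)

def row_stride(width: int, bpp: int) -> int:
    # Each BMP scanline is padded to a multiple of 4 bytes.
    return ((width * bpp + 31) // 32) * 4

def inspect_bmp(data: bytes) -> BmpReport:
    """Cross-check BMP header fields against the actual file length."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("missing 'BM' signature or truncated header")
    declared_size, pixel_offset = struct.unpack_from("<IxxxxI", data, 2)
    hdr_size, width, height, _planes, bpp, compression, img_size = struct.unpack_from(
        "<IiiHHII", data, 14)
    # For uncompressed (BI_RGB = 0) images the pixel area follows from geometry alone.
    expected = row_stride(width, bpp) * abs(height) if compression == 0 else img_size
    rep = BmpReport(width, height, bpp, expected)
    if declared_size != len(data):
        rep.findings.append(f"declared size {declared_size} != actual {len(data)}")
    if compression == 0 and img_size not in (0, expected):
        rep.findings.append(f"biSizeImage {img_size} != geometry-derived {expected}")
    gap = pixel_offset - (14 + hdr_size)
    if bpp > 8 and gap > 0:  # no palette expected, so nothing should sit here
        rep.findings.append(f"{gap} unexplained bytes between header and pixels")
    trailing = len(data) - (pixel_offset + expected)
    if trailing > 0:
        rep.findings.append(f"{trailing} bytes trailing after pixel data")
    return rep

def make_bmp(width: int, height: int, rows: bytes, extra: bytes = b"") -> bytes:
    """Constructed 24-bit BMP; 'extra' simulates data appended after the image."""
    pixel_bytes = row_stride(width, 24) * height
    assert len(rows) == pixel_bytes
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + pixel_bytes, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           pixel_bytes, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + rows + extra

# Constructed samples: a 2x2 red image, clean and with filler bytes appended.
ROW = b"\x00\x00\xff" * 2 + b"\x00\x00"   # two BGR pixels + 2 pad bytes
CLEAN_BMP = make_bmp(2, 2, ROW * 2)
TAMPERED_BMP = make_bmp(2, 2, ROW * 2, extra=b"CONSTRUCTED-APPENDED-FILLER")
```

`inspect_bmp(TAMPERED_BMP).findings` reports both the size mismatch and the 27 trailing bytes, while the clean sample yields no findings.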
A study of the structure of the PNG image format also revealed the possibility of encoding web shells and XSS payloads into PNG IDAT chunks.
In 2019, polyglot images were used by a hacking group to hide malvertising attacks. More recently, the Lazarus APT group has been known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks; in one of its new campaigns, it resorted to an interesting technique of embedding malicious HTA objects in BMP files to drop its loader.
New research from Cisco Talos also revealed that cybercriminals are now deploying remote access Trojans (RATs) under the guise of seemingly innocuous images hosted on infected websites, once again highlighting how quickly threat actors change tactics when their attack methods are discovered and publicly exposed.