XwormRAT Being Distributed Using Steganography


AhnLab SEcurity intelligence Center (ASEC) collects information on malware distributed through phishing emails by using its own “email honeypot system.” Based on this information, ASEC publishes the “Phishing Email Trend Report” and “Infostealer Trend Report” on the ASEC Blog every month. Recently, XwormRAT has been confirmed to be distributed using steganography.


This malware starts with a VBScript or JavaScript file. The malicious script is inserted into legitimate code, making it difficult for users to notice its malicious behavior. The script that runs first (VBScript or JavaScript) contains an embedded PowerShell script, which it calls to download the final malware. This malware has previously been covered on the ASEC Blog and is still being distributed in modified versions.


Figure 1. Phishing email body


Figure 2. Extract of malicious script


The malicious PowerShell script included in the file contains Base64-encoded data mixed with dummy characters. At runtime, the script removes the dummy characters with the Replace() function, then decodes and executes the result. Once running, the PowerShell script downloads and executes additional malware from an external server. The downloaded content includes a JPG image file carrying a .NET loader, as well as the final malware to be executed.


When opened, the downloaded JPG image file, to which the steganography technique has been applied, displays the image shown in Figure 3 below. Users may simply assume that an ordinary image has been opened. In the background, however, the .NET loader is extracted from this image file and executed.


Figure 3. Image file with steganography technique applied


As described in the aforementioned blog post, the previously distributed variant decoded the encoded data placed between the “<<BASE64_START>>” and “<<BASE64_END>>” strings appended to the end of the JPG file (left image of Figure 4) to extract the .NET loader, which then executed the malware. The variant currently being distributed instead searches for a bitmap image (0x42, 0x4d, 0x46, 0xC0 …) appended to the end of the JPG image file (right image of Figure 4), then extracts and decodes the R, G, and B values from the bitmap's pixel data. The subsequent process of executing the malware is the same as in the previous method.
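The two carrier layouts described above (marker-delimited data appended to the JPG in the older variant, and a bitmap appended after the JPEG end marker with the payload carried in pixel R,G,B values in the current variant), as an added defender-side example that is not part of the ASEC post: it inspects the bytes following the JPEG EOI marker, reports which layout is present, and recovers the carried bytes. The channel layout (R,G,B per pixel in row order, 4-byte length prefix), the `build_sample` carrier builder and the `MINIMAL_JPEG` skeleton are constructed assumptions for illustration, not the sample's actual encoding.

```python
import struct

# Constructed minimal JPEG (SOI, JFIF APP0, EOI): a valid container skeleton with no image data.
MINIMAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"

def classify_trailer(data: bytes):
    """Inspect what follows the JPEG End-Of-Image marker (FF D9). Returns (kind, payload) with kind
    'clean', 'base64_markers' (older variant), 'appended_bmp' (current variant) or 'unknown_trailer'."""
    eoi = data.find(b"\xff\xd9")  # first EOI; production code should walk segments (EXIF thumbnails embed their own EOI)
    if eoi < 0:
        raise ValueError("no JPEG EOI marker found")
    trailer = data[eoi + 2:]
    if not trailer:
        return "clean", None
    start, end = trailer.find(b"<<BASE64_START>>"), trailer.find(b"<<BASE64_END>>")
    if start >= 0 and end > start:
        return "base64_markers", trailer[start + 16:end]
    bm = trailer.find(b"BM")
    if bm >= 0 and len(trailer) - bm >= 54:  # room for BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40)
        return "appended_bmp", pixels_to_bytes(trailer[bm:])
    return "unknown_trailer", trailer

def pixels_to_bytes(bmp: bytes) -> bytes:
    """Recover bytes carried in the R,G,B channels of a 24-bit BMP. Assumed layout (not taken from the
    sample): channels read R,G,B per pixel in visual row order, first 4 bytes = little-endian length."""
    pix_off = struct.unpack_from("<I", bmp, 10)[0]
    width, height, _planes, bpp = struct.unpack_from("<iihH", bmp, 18)
    if bmp[:2] != b"BM" or bpp != 24:
        raise ValueError("expected a 24-bit BMP")
    stride = (width * 3 + 3) & ~3  # rows are padded to 4-byte boundaries
    rows = [bmp[pix_off + r * stride:pix_off + r * stride + width * 3] for r in range(abs(height))]
    if height > 0:  # positive height: rows are stored bottom-up
        rows.reverse()
    stream = b"".join(row[i:i + 3][::-1] for row in rows for i in range(0, len(row), 3))  # B,G,R -> R,G,B
    n = struct.unpack_from("<I", stream, 0)[0]
    return stream[4:4 + n]

def build_sample(payload: bytes, width: int = 4) -> bytes:
    """Constructed test carrier: MINIMAL_JPEG followed by a BMP whose pixels hold the payload."""
    stream = struct.pack("<I", len(payload)) + payload
    height = -(-len(stream) // (3 * width))  # ceil: rows needed for this many channel bytes
    stream = stream.ljust(width * height * 3, b"\x00")
    rows = []
    for r in range(height):
        chunk = stream[r * width * 3:(r + 1) * width * 3]
        bgr = b"".join(chunk[i:i + 3][::-1] for i in range(0, len(chunk), 3))  # R,G,B -> B,G,R
        rows.append(bgr.ljust((width * 3 + 3) & ~3, b"\x00"))
    pixels = b"".join(reversed(rows))  # bottom-up storage, matching the positive height below
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return MINIMAL_JPEG + b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54) + info + pixels
```

Any non-empty trailer after EOI is itself a detection signal for a JPEG served as a "wallpaper"; the decoder only illustrates how the loader bytes can sit in pixel channels once a bitmap is found there.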


Figure 4. (Left) Script of the past version (Right) Script of the current version being distributed


Figure 5. XwormRAT configuration that is executed


The steganography technique introduced in this post can be used to distribute various malware, not just XwormRAT. Modified versions of the technique have been distributed continuously in recent months, so users need to be extra cautious when opening emails from unknown sources.

