Hacker group hides malware in images to target Ukrainian organizations

A group of attackers targeting Ukraine-affiliated organizations has been delivering malicious payloads hidden within the pixels of image files. The technique, known as steganography, is only one of several evasion methods built into the malware loader the group uses, which is known as IDAT.

Tracked as UAC-0184 by several security firms as well as the Computer Emergency Response Team of Ukraine (CERT-UA), the group was seen targeting Ukrainian servicemen via phishing emails masquerading as messages from Ukraine's 3rd Separate Assault Brigade and the Israel Defense Forces (IDF). While most of the recipients of these messages were located in Ukraine, security firm Morphisec has confirmed targets outside of the country as well.

“While the adversary strategically targeted Ukraine-based entities, they apparently sought to expand to additional entities affiliated with Ukraine,” researchers said in a new report. “Morphisec findings brought to the forefront a more specific target — Ukraine entities based in Finland.” Morphisec also observed the new steganography approach in delivering malicious payloads after the initial compromise.

Staged malware injection ends with Remcos trojan

The attacks detected by Morphisec delivered a malware loader known as IDAT or HijackLoader that has been used in the past to deliver a variety of trojans and malware programs including Danabot, SystemBC, and RedLine Stealer. In this case, UAC-0184 used it to deploy a commercial remote access trojan (RAT) program called Remcos.

“Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders,” the Morphisec researchers said. “It employs sophisticated techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. The infection process of IDAT unfolds in multiple stages, each serving distinct functionalities.”

The infection unfolds in stages. The first stage contacts a remote URL to fetch a .js (JavaScript) file; the code in that file tells the executable where to look for an encrypted code block inside its own file and which key to use to decrypt it.

The IDAT configuration used by the attackers also carries an embedded PNG file whose contents are scanned for the value 0xEA79A5C6, which marks where the embedded payload begins, so that the payload can be located and extracted. Malware code can be hidden in the pixel data of image and video files without visibly altering the media or breaking the file format, so the file still opens and renders normally. While this is not a new technique for malware authors, it is not commonly observed.

“For example, an image with a pixel depth of 24 bit (16.7 million colors) may contain embedded code in the least significant bits (LSB) of each pixel, without changing how the picture looks,” the Morphisec researchers explain. “While the media file may be scanned, since the malicious payload is obfuscated, it can evade signature-based detection, allowing a malware loader to successfully drop the media, extract the malicious payload, and execute it in memory.”
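As an added illustration (not code from Morphisec's report or from the IDAT loader itself), the following Python round-trips a constructed payload through the LSB technique described above: it writes a marker, a length and the payload into the least significant bits of 24-bit RGB samples, wraps the pixels in a minimal PNG, then decodes the PNG and scans the recovered LSB stream for the marker the way a loader would. The 0xEA79A5C6 value is the one named in the article and is assumed here to be a scan marker; the 64x64 gradient cover, the payload bytes, the filter-0-only PNG writer/reader and all function names are this example's own.

```python
"""Added example: LSB steganography inside a PNG and its recovery.

Constructed cover image and payload; assumes the 0xEA79A5C6 value from the
article is a marker the extractor scans for (not a file offset).
"""
import struct
import zlib
from typing import Optional

MARKER = bytes.fromhex("EA79A5C6")  # assumed scan marker, value from the article
WIDTH, HEIGHT = 64, 64               # constructed cover dimensions


def make_cover() -> bytes:
    """Constructed 64x64 RGB gradient, 3 bytes per pixel, row-major, all LSBs zero."""
    px = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            px += bytes(((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF))
    return bytes(px)


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write MARKER + 4-byte length + payload, one bit per sample, MSB first, into the LSBs."""
    blob = MARKER + struct.pack("<I", len(payload)) + payload
    if len(blob) * 8 > len(pixels):
        raise ValueError("cover too small for payload")
    out = bytearray(pixels)
    i = 0
    for byte in blob:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def extract_lsb(pixels: bytes) -> Optional[bytes]:
    """Rebuild the LSB bit-stream as bytes, locate MARKER, return the payload it prefixes."""
    stream = bytearray()
    acc = 0
    for i, sample in enumerate(pixels):
        acc = (acc << 1) | (sample & 1)
        if i % 8 == 7:
            stream.append(acc)
            acc = 0
    pos = stream.find(MARKER)
    if pos < 0:
        return None
    start = pos + len(MARKER)
    (length,) = struct.unpack("<I", stream[start:start + 4])
    body = bytes(stream[start + 4:start + 4 + length])
    return body if len(body) == length else None


def _chunk(tag: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, tag, data, CRC32 over tag+data."""
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data))


def png_encode(pixels: bytes) -> bytes:
    """Minimal PNG writer: 8-bit RGB, filter type 0 on every row, single IDAT chunk."""
    stride = WIDTH * 3
    raw = b"".join(b"\x00" + pixels[r * stride:(r + 1) * stride] for r in range(HEIGHT))
    ihdr = struct.pack(">IIBBBBB", WIDTH, HEIGHT, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_decode(png: bytes) -> bytes:
    """Minimal reader for the PNGs png_encode produces (filter 0 only, fixed size)."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat = 8, b""
    while pos < len(png):
        (n,) = struct.unpack(">I", png[pos:pos + 4])
        tag, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + n]
        if tag == b"IDAT":
            idat += data
        pos += 12 + n  # length + tag + data + crc
    raw = zlib.decompress(idat)
    stride = WIDTH * 3 + 1  # one filter byte per row
    return b"".join(raw[r * stride + 1:(r + 1) * stride] for r in range(HEIGHT))


def demo(payload: bytes = b"MZ\x90\x00 constructed stand-in for a stage payload") -> dict:
    """Round trip through a PNG plus the checks a scanner would care about."""
    cover = make_cover()
    stego = embed_lsb(cover, payload)
    stego_png = png_encode(stego)
    recovered = extract_lsb(png_decode(stego_png))
    return {
        "recovered_ok": recovered == payload,
        "max_sample_delta": max(abs(a - b) for a, b in zip(cover, stego)),  # 1 = LSB only
        "payload_visible_in_file": payload in stego_png,  # a byte signature on the file
        "marker_visible_in_file": MARKER in stego_png,
    }


if __name__ == "__main__":
    print(demo())
```

The two "visible_in_file" checks are the point of the quote: neither the marker nor the payload appears in the PNG's bytes, because both live in the pixel LSBs and only exist after the image has been decompressed and the bit-plane reassembled, so a signature written against the payload never fires on the image, while every sample differs from the clean cover by at most one. A scanner that wants to catch this has to decode the image and inspect the LSB plane itself, or watch for the loader's behaviour after extraction.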

To execute the hidden payload, the IDAT loader employs another technique known as module stomping: a legitimate DLL, in this case PLA.dll (Performance Logs and Alerts), is loaded into the process and the payload is written over its code in memory, so the malicious code appears to run from a signed, legitimately mapped module and is less likely to be flagged by an endpoint security product.

The final payload, the Remcos trojan, allows attackers to steal information, surveil a victim's activity, and remotely control the infected computer. Because Remcos is a commercial RAT rather than a custom one, it has been used by multiple groups in the past, so its presence alone does not identify the actor.

The Morphisec and CERT-UA advisories contain file hashes and IP addresses that can serve as indicators of compromise to develop detection signatures.
