
Palo Alto Networks’ Unit 42 has uncovered a sophisticated obfuscation technique leveraging steganography to hide malware within bitmap resources embedded in legitimate-looking .NET applications. This evolving method is gaining traction in malspam campaigns, notably targeting financial institutions in Türkiye and logistics organizations across Asia.
At the core of this technique lies a deceptively benign 32-bit .NET executable that initiates a multi-stage unpacking chain. This begins by extracting a malicious bitmap resource and ends with detonating a remote access trojan (RAT).
“The use of bitmap resources to conceal malicious payloads is a steganography technique that is prevalent in malspam campaigns,” Unit 42 researchers note.
One sample analyzed impersonated a legitimate application—Windows Forms OCR. It bundled malicious bitmap resources with an innocuous .NET shell. Upon execution, these resources were deobfuscated and dynamically converted into executable DLLs.
The infection chain unfolds over four stages:
- Stage 1 – Bitmap as a Loader: A fake .exe named xgDV.exe loads a bitmap resource (sv) into a DLL (TL.dll). The malware disguises its functions under benign method names like AbyssalScan() and MarineExploration(), mimicking marine research to hinder analysis.
- Stage 2 – DLL to DLL: TL.dll then loads another bitmap resource (rbzR) as Montero.dll. This stage leverages reflection through LateBinding.LateCall() to execute the next step covertly.
- Stage 3 – XOR Obfuscation: Montero.dll, acting as a loader itself, decrypts an internal byte array (uK5APqTdSG) using XOR encryption with subtraction and a hardcoded key opIaZhYa. This reveals the final malware binary: Remington.exe.
[Figure: Conceptual overview of stage 3 in the malware unpacking process | Image: Unit 42]
- Stage 4 – Final Payload: The decrypted binary is an Agent Tesla variant. Configuration data reveals that it uses SMTP for exfiltration:
- Server: hosting2[.]ro.hostsailor[.]com:587
- Sender: packagelog@gtpv[.]online
- Receiver: package@gtpv[.]online
- Password: 7213575aceACE@@
The attackers’ decision to hide executables in bitmap resources rather than traditional packers reflects a shift towards stealth-first payload delivery. Combined with .NET obfuscation tricks—like control flow flattening, stolen bytes, and dynamic code generation—this approach thwarts many conventional security tools.
To combat this, Unit 42 recommends leveraging .NET debugging interfaces such as ICorDebugManagedCallback. Hooking API calls like ResourceManager.GetObject() or Assembly.Load() helps detect suspicious behavior at runtime, such as a bitmap resource being handed straight to an assembly loader.
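As an added triage example (not Unit 42's tooling, and not code from the samples described above), the following Python script checks a .NET resource blob for an executable hidden in a bitmap: it parses the BMP file header, jumps to the pixel array via bfOffBits, and validates an MZ/PE structure there and at any other "MZ" occurrence. It only catches a PE stored as raw bytes in the pixel data; the sample BMP it builds is constructed for the test, and a resource that is further XOR-encoded, as in Stage 3 above, would need decoding first.

```python
import struct


def _pe_at(buf: bytes, off: int) -> bool:
    """True if buf[off:] looks like a PE image: an 'MZ' DOS header whose
    e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' NT signature."""
    if buf[off:off + 2] != b"MZ" or len(buf) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    return buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(resource: bytes) -> list:
    """Return the offsets at which a PE image starts inside a resource blob.
    For a BMP, the pixel array (bfOffBits) is checked first, because that is
    where a bitmap-as-loader scheme stores its payload; a fallback scan then
    validates every other 'MZ' occurrence so non-BMP blobs are covered too."""
    hits = []
    if resource[:2] == b"BM" and len(resource) >= 14:
        pixel_off = struct.unpack_from("<I", resource, 10)[0]
        if _pe_at(resource, pixel_off):
            hits.append(pixel_off)
    pos = resource.find(b"MZ")
    while pos != -1:
        if pos not in hits and _pe_at(resource, pos):
            hits.append(pos)
        pos = resource.find(b"MZ", pos + 1)
    return sorted(hits)


def build_constructed_sample() -> bytes:
    """Constructed test input: a valid BMP header whose 8x8 24-bit pixel
    array is replaced by a minimal PE skeleton (DOS header + NT signature)."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x40)           # e_lfanew -> NT headers
    pe += b"PE\x00\x00" + b"\x00" * 20               # NT signature + stub
    info = struct.pack("<IiiHHIIiiII", 40, 8, 8, 1, 24, 0, len(pe), 0, 0, 0, 0)
    header = b"BM" + struct.pack("<IHHI", 14 + 40 + len(pe), 0, 0, 54)
    return header + info + bytes(pe)


if __name__ == "__main__":
    print("PE found at offsets:", find_embedded_pe(build_constructed_sample()))
```

In practice the resource bytes come from the assembly's manifest resources (for example, dumped with a .NET reverse-engineering tool before or after the `ResourceManager.GetObject()` hook fires).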