CyberSecurity SEE

Hacker group conceals malware in images to attack Ukrainian organizations

In a recent cybersecurity incident, a group of attackers focused on Ukraine-affiliated organizations has been employing a sophisticated technique known as steganography to conceal malicious payloads within image files. This method, known as UAC-0184, is just one of the advanced tactics used by the group as part of a malware loader called IDAT.

Security firms, along with the Computer Emergency Response Team of Ukraine (CERT-UA), have been monitoring the activities of this group, which has been targeting Ukrainian servicemen through phishing emails disguised as messages from Ukraine’s 3rd Separate Assault Brigade and the Israeli Defense Forces (IDF). While the majority of the recipients of these deceptive emails were located in Ukraine, Morphisec confirmed that entities outside of the country have also been affected.

The researchers at Morphisec uncovered a new trend in the group’s attack methods: while the group initially focused on Ukraine-based entities, it has also been targeting organizations affiliated with Ukraine. Specifically, Morphisec identified Ukraine-affiliated entities based in Finland as potential targets. The researchers also observed the use of steganography to deliver malicious payloads post-compromise.

The attacks detected by Morphisec involved the deployment of a malware loader known as IDAT or HijackLoader, which has previously been utilized to distribute various trojans and malware programs such as Danabot, SystemBC, and RedLine Stealer. In this instance, the attackers utilized IDAT to install a commercial remote access trojan (RAT) known as Remcos.

The unique characteristics of IDAT, including its modular architecture and advanced features like code injection, make it a sophisticated tool for evading detection. By employing techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls, the attackers were able to execute the infection process in multiple stages, each serving a specific purpose.

The initial stage of the infection involves a call to a remote URL to fetch a JavaScript file, which tells the loader where to locate an encrypted code block within the executable file and which decryption key to use. The IDAT configuration used by the attackers also involves an embedded PNG file, with the payload hidden within the pixel data of the image.
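As an added illustration of the detection side of the paragraph above (this is not code from Morphisec, CERT-UA, or the IDAT/HijackLoader samples), the script below reads a PNG, verifies chunk CRCs, undoes the scanline filters, and measures the Shannon entropy of the least-significant-bit plane of the pixel data. Image content leaves structure in the low bits, whereas an encrypted payload written into them is statistically indistinguishable from random bits, which is the signature a scanner can look for without knowing the loader's key or format. The minimal PNG reader/writer (8-bit RGB/RGBA, non-interlaced), the two constructed fixtures, and the 6.0-bit threshold are all assumptions of this example, not values from the reports.

```python
"""Added example: flag PNG images whose LSB plane looks like encrypted data.
Not from the Morphisec/CERT-UA reports; PNG codec, fixtures and threshold are
assumptions made here for illustration."""
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def write_png_rgb(width: int, height: int, rows: list) -> bytes:
    """Encode 8-bit RGB scanlines as a PNG (filter type 0 on every line)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Decode an 8-bit RGB/RGBA non-interlaced PNG into unfiltered scanlines.
    Returns (width, height, bytes_per_pixel, rows); a bad CRC raises instead of
    being decoded silently."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, ihdr, idat = len(PNG_SIG), None, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat.append(body)
        elif ctype == b"IEND":
            break
        pos += 12 + length
    if ihdr is None:
        raise ValueError("missing IHDR")
    width, height, depth, colour, _, _, interlace = ihdr
    if depth != 8 or colour not in (2, 6) or interlace:
        raise ValueError("only 8-bit RGB/RGBA non-interlaced images are handled")
    bpp = 3 if colour == 2 else 4
    stride = width * bpp
    raw = zlib.decompress(b"".join(idat))
    rows, prev = [], bytes(stride)
    for y in range(height):
        off = y * (stride + 1)
        ftype, line = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):  # undo the scanline filter (None/Sub/Up/Average/Paeth)
            a = line[i - bpp] if i >= bpp else 0  # left neighbour, already reconstructed
            b = prev[i]                            # pixel above
            c = prev[i - bpp] if i >= bpp else 0   # upper-left
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                pred = a if (pa <= pb and pa <= pc) else (b if pb <= pc else c)
                line[i] = (line[i] + pred) & 0xFF
        prev = bytes(line)
        rows.append(prev)
    return width, height, bpp, rows


def lsb_plane_entropy(rows: list) -> float:
    """Shannon entropy (bits/byte) of the LSB plane packed 8 bits to a byte.
    Image content leaves structure here (low value); an encrypted payload
    written into the LSBs looks random (close to 8.0)."""
    bits = [v & 1 for row in rows for v in row]
    packed = [int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8)]
    if not packed:
        return 0.0
    n, counts = len(packed), {}
    for v in packed:
        counts[v] = counts.get(v, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_png(data: bytes, threshold: float = 6.0) -> dict:
    """Entropy of the LSB plane plus a verdict against the assumed threshold."""
    _, _, _, rows = parse_png(data)
    ent = lsb_plane_entropy(rows)
    return {"lsb_entropy": round(ent, 3), "suspicious": ent >= threshold}


def clean_fixture(width: int = 64, height: int = 64) -> list:
    """Constructed benign sample: a smooth gradient with mild texture."""
    rows = []
    for y in range(height):
        px = []
        for x in range(width):
            px += [(x * 4 + (x * y) % 3) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF]
        rows.append(bytes(px))
    return rows


def randomized_lsb_fixture(rows: list, seed: int = 1234) -> list:
    """Constructed positive case: every LSB replaced by a seeded pseudo-random
    bit, reproducing an encrypted payload's statistics without embedding one."""
    rng = random.Random(seed)
    return [bytes((p & 0xFE) | (n & 1) for p, n in zip(row, rng.randbytes(len(row)))) for row in rows]


def demo() -> dict:
    clean = write_png_rgb(64, 64, clean_fixture())
    noisy = write_png_rgb(64, 64, randomized_lsb_fixture(clean_fixture()))
    return {"clean": scan_png(clean), "randomized_lsb": scan_png(noisy)}


if __name__ == "__main__":
    print(demo())
```

Run it and the gradient fixture scores well under the threshold while the randomized-LSB fixture scores close to 8 bits per byte. The heuristic is deliberately simple: photographs with sensor noise will sit higher than a synthetic gradient, so in practice the threshold should be calibrated against a corpus of known-good images from the environment, and the score is best used to prioritise images for closer inspection rather than as a verdict on its own.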

While steganography is not a new concept in the realm of malware, its use in concealing malicious code within image files without disrupting their functionality or visual appearance is not commonly observed. This innovative approach by the attackers highlights the need for organizations to remain vigilant against evolving cybersecurity threats and to implement robust security measures to mitigate the risk of falling victim to such attacks.
