Hackers Use Steganography Methods To Hide Malware In PNG File

Threat actors employ steganography to hide malicious payloads in benign files such as pictures or documents. 

By using this secret tool, threat actors are able to evade security systems and detect and assist in their undercover communications or data exports. 


These things together make the cyber-attacks of the threat actors more operational and sophisticated.

Cybersecurity analysts at Morphisec Threat Labs recently discovered that hackers actively use the Steganography methods to hide malware in PNG files.

You can analyze a PNG malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Steganography Malware PNG File

Multiple attack indicators reveal threat actor UAC-0184 delivering Remcos RAT to a Ukrainian entity in Finland, and in this campaign, the IDAT loader is key. 

Targeting Ukraine-based entities, the threat actor aims to expand to affiliated entities. However, Morphisec identifies a specific focus on Ukraine entities in Finland.

The IDAT loader attack utilized steganography to hide malicious code in images or videos. Stego techniques, like embedding code in the least significant bits, evade detection by obfuscating the payload. 

Even with a visibly distorted image, the obfuscation allows successful defense evasion, which enables malware execution in memory. 

Understanding the role of steganography is crucial for effective defense against such tactics.

Remcos is a commercial RAT that enables attackers to control infected computers, steal data, and monitor activities effortlessly.

As per the ANY.RUN report, Remcos has been identified as the most commonly uploaded threat among malware samples.

Morphisec highlighted the Remcos as a threat by detecting it in Guloader and the Babadeda crypter.

It has prevented numerous attacks, with a notable instance occurring in early January 2024. Early detection crucially aided the containment and response efforts.

The UA Cert’s alert validated the threat days later as Morphisec’s research identified shared artifacts and variances in subsequent attacks, which showcased its proactive stance.

Morphisec’s mechanism (Source – Morphisec)

A phishing email posing as an IDF consultant reveals the deceptive recruitment tactics of the 3rd Separate Assault Brigade and IDF.

Phishing email (Source – Morphisec)

The IDAT loader delivers the Remcos RAT, and all the key stages of the attacks are shown in the below payload delivery flow chart:-

Payload Delivery Flow Chart (Source – Morphisec)

IDAT is an advanced loader that deploys Danabot, SystemBC, and RedLine Stealer, which showcase the modular architecture with unique features. 

Its sophisticated techniques include dynamic loading, HTTP connectivity tests, and syscalls for evasion. The infection unfolds in stages by involving module tables and instrumentation shellcode. 

The loader adapts injection or execution based on file type and config flags by embedding the modules within the executable. 

Besides this, the code connects and initiates the downloads from ‘hxxps://aveclagare[.]org/wp-content/plugins/wpstream/public/js/youtube.min.js’ by using the distinctive user-agent ‘racon’ for campaign delivery and connectivity checks.

IDAT’s modular operation uses steganography with a PNG to extract the payload. The embedded value 0xEA79A5C6 marks the starting point. 

The primary goal is to load the ‘PLA.dll’ and employ ‘Module Stomping’ by injecting the next stage code to evade security solutions.


IoCs (Source – Morphisec)

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.