Hackers Exploit Steganographic Images to Evade Detection and Deploy Malware
In a recent cybersecurity incident, malicious actors have employed steganography—a technique of embedding hidden data within non-suspicious files—to conceal .NET malware inside PNG images. This method effectively bypasses traditional antivirus defenses, facilitating the deployment of Remote Access Trojans (RATs) on Windows systems.
The Malicious NPM Package:
The attack centers around a deceptive NPM package named `buildrunner-dev`, designed to mimic legitimate packages like `buildrunner` and `build-runner`. Those original packages had been abandoned, making it plausible for developers to mistake the malicious version for a maintained update. Upon installation via `npm install`, the package’s post-installation script (`init.js`) executes automatically, initiating a sequence that downloads and runs a batch file (`packageloader.bat`) from a Codeberg repository. The batch file then copies itself into the Windows Startup folder, ensuring it runs at every system startup.
Obfuscation and Evasion Techniques:
Security analysts from Veracode uncovered the attack chain after navigating through seven layers of obfuscation within the batch file, which spanned 1,653 lines but contained only about 21 lines of functional code. The rest comprised misleading comments, fake base64 strings, and extraneous variables intended to confuse both static analysis tools and human reviewers. Before executing its payload, the malware checks for administrative privileges and elevates its rights using the `fodhelper.exe` User Account Control (UAC) bypass technique, avoiding any visible prompts. It then initiates a hidden PowerShell session via `conhost.exe`, assesses the system for installed antivirus software, and proceeds with the infection based on the findings. The final payload is `Pulsar`, an open-source RAT, which is injected into a legitimate Windows process through a method known as process hollowing.
Steganographic Concealment:
The attackers utilized two PNG images hosted on ImgBB to carry the concealed malware:
– `6b8owksyv28w.png` (41×41 pixels, 2.3 KB) contained a 4,903-byte AMSI (Antimalware Scan Interface) bypass PowerShell script.
– `0zt4quciwxs2.png` (141×141 pixels, 67 KB) held a compressed 136 KB .NET loader.
The malicious code was embedded directly into the RGB pixel values of each image, so that to scanners it appears as nothing more than random visual noise. A third steganographic PNG (`s9rugowxbq8i.png`) served as the live command-and-control (C2) channel, delivering the final encrypted `Pulsar RAT` payload on demand.
Implications and Recommendations:
This incident underscores the evolving sophistication of cyber threats, particularly the use of steganography to evade detection. To mitigate such risks, security teams should:
– Audit NPM Packages: Thoroughly review packages before installation to ensure their legitimacy.
– Disable Automatic Script Execution: Prevent automatic execution of post-installation scripts to reduce the risk of unintended code running.
– Monitor PowerShell Activity: Keep a close watch on unusual PowerShell behavior, which can indicate malicious activity.
– Detect UAC Bypass Attempts: Monitor for registry changes associated with UAC bypass techniques.
– Inspect Outbound Connections: Be vigilant for unexpected connections to free image hosting services, which may signal steganographic attacks.
By implementing these measures, organizations can enhance their defenses against sophisticated malware delivery methods that exploit steganography.
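As an added illustration of the monitoring items above (not part of the original report), the following Python runs a small rule set over constructed Sysmon-style events modelled on the chain described here: an npm lifecycle script spawning a shell, a batch file launched from the Startup folder, the registry key the fodhelper.exe bypass rewrites, a hidden PowerShell under conhost.exe, and an outbound connection to an image host. The event field names, the image-host watchlist and the sample events themselves are assumptions.

```python
import json
import ntpath

# Constructed Sysmon-style events as JSON lines (EventID 1 = process create,
# 13 = registry value set, 3 = network connection); not telemetry from the incident.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "cmd.exe /c \"C:\\Users\\dev\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\packageloader.bat\""}
{"EventID": 13, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute", "Details": ""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "powershell.exe -WindowStyle Hidden -Command <redacted>"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "i.ibb.co", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

# Assumed watchlist of free image-hosting domains; ImgBB is the host named in the report.
IMAGE_HOSTS = ("ibb.co", "imgbb.com")
# Registry path under the user's hive that the fodhelper.exe UAC bypass rewrites.
FODHELPER_KEY = r"\software\classes\ms-settings\shell\open\command"


def _get(ev, key):
    """Fetch an event field as a lower-cased string (empty if absent)."""
    return str(ev.get(key, "")).lower()


# Each rule is (name, predicate); predicates only read fields present in the event.
RULES = [
    ("npm_script_spawned_shell", lambda ev: ev["EventID"] == 1
        and ntpath.basename(_get(ev, "ParentImage")) in {"node.exe", "npm.cmd"}
        and ntpath.basename(_get(ev, "Image")) in {"cmd.exe", "powershell.exe"}),
    ("batch_in_startup_folder", lambda ev: ev["EventID"] == 1
        and "\\startup\\" in _get(ev, "CommandLine") and ".bat" in _get(ev, "CommandLine")),
    ("fodhelper_uac_bypass_key", lambda ev: ev["EventID"] == 13
        and FODHELPER_KEY in _get(ev, "TargetObject")),
    ("hidden_powershell_via_conhost", lambda ev: ev["EventID"] == 1
        and ntpath.basename(_get(ev, "ParentImage")) == "conhost.exe"
        and ntpath.basename(_get(ev, "Image")) == "powershell.exe"
        and "hidden" in _get(ev, "CommandLine")),
    ("outbound_to_image_host", lambda ev: ev["EventID"] == 3
        and _get(ev, "DestinationHostname").endswith(IMAGE_HOSTS)),
]


def detect(events_text):
    """Return (rule_name, event_index) pairs for every rule each event matches."""
    hits = []
    for idx, line in enumerate(l for l in events_text.splitlines() if l.strip()):
        ev = json.loads(line)
        hits.extend((name, idx) for name, rule in RULES if rule(ev))
    return hits
```

Calling `detect(SAMPLE_EVENTS)` flags the first four events and leaves the benign notepad launch untouched; on real telemetry, correlating these hits by host and time window is what separates this chain from a lone noisy event.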