APT32 Adopts Steganography to Drop Backdoors

Delaware, USA – April 3, 2019 – APT32 continue to improve their techniques for conducting cyber espionage campaigns. Researchers suggest that this group is behind the compromise of Toyota and Lexus sales subsidiaries and the likely theft of personal data of more than 3 million customers. The group returned to business after a relatively long lull with new campaigns and new techniques. We previously wrote about using modified exploits for the CVE-2017-11882 vulnerability as attachments in spear phishing attacks. Yesterday, the BlackBerry Cylance team published a report on the new steganography-based loader that drops malware on targeted systems. The APT group developed the steganography algorithm for hiding the encrypted backdoors within PNG files to avoid detection by anti-malware solutions. With this loader, adversaries distribute modifications of Denes and Remy backdoors.

The new loader was first discovered back in September last year, a different version of the downloader was used for each backdoor, but all of them use side-loaded DLLs and AES128 implementation from Crypto ++ library. To make it harder to detect malware and C&C communications, adversaries obfuscates them using high quantities of junk code. Malware uses HTTP/HTTPS channels for communication and is capable of bypassing proxy. According to the researchers, the group puts a lot of efforts to improve their tools, making them more stealthy. You can explore other techniques and tools used by APT32, as well as find content for their detection in the Threat Detection Marketplace: https://tdm.socprime.com/att-ck/