Necro Trojan Uses Steganography to Attack 11 Million Devices

The Necro Trojan, which has recently made headlines for its innovative use of steganography, has compromised over 11 million Android devices. This post covers how the malware works and its impact on cybersecurity.

Understanding the Necro Trojan

The Necro Trojan, also known as Necro Python, is a versatile and highly adaptive piece of malware. Its primary strength lies in its modular architecture, allowing it to perform various malicious activities. 

These include displaying invisible ads, executing arbitrary code, and subscribing users to premium services without their consent. However, what sets the Necro Trojan apart is its use of steganography—a technique that involves hiding malicious code within seemingly innocuous files, such as images.

The Role of Steganography

Steganography is an ancient practice of concealing hidden messages within other forms of communication. In the digital age, the technique has been repurposed for malicious ends.

The Necro Trojan is a complex, multi-stage Android malware that has managed to infiltrate both Google Play and unofficial app sources, impacting over 11 million devices. It targets popular apps such as Wuta Camera, Max Browser, and modified versions of Spotify, WhatsApp, and Minecraft.

Necro uses advanced evasion techniques, including obfuscation with OLLVM, steganography to conceal payloads in PNG images, and a modular architecture for versatility. The infection process begins with a loader that connects to C2 servers, often utilizing Firebase Remote Config.

The Trojan’s plugins (NProxy, island, web, Happy SDK, Cube SDK, and Tap) perform various tasks, from creating tunnels through victim devices to manipulating ad interactions. Its self-updating capability and use of reflection to integrate privileged WebView instances within processes help it bypass security measures.

How Necro Trojan Impacts Android Devices

The scale of the Necro Trojan’s impact is staggering. With over 11 million Android devices compromised, the malware has demonstrated its ability to spread rapidly and efficiently. 

The consequences for affected users can be severe, ranging from unauthorized financial transactions to significant data breaches. Moreover, the Trojan’s ability to execute arbitrary code means that it can be used to deploy additional malware, further compounding the threat.

New SteganoAmor Attacks Employ Steganography to Target Organizations Globally

 


An exposé has brought to light an intricate operation engineered by the TA558 hacking group, known for its previous focus on the hospitality and tourism sectors. This new offensive, dubbed "SteganoAmor," employs steganography, a technique of concealing malicious code within seemingly harmless image files, to infiltrate targeted systems worldwide. Positive Technologies, the cybersecurity firm behind the discovery, has identified over 320 instances of this attack affecting various organisations across different sectors and countries.


How SteganoAmor Attacks Work

SteganoAmor attacks start with emails that look harmless but carry attachments such as Excel or Word documents. These files exploit a vulnerability in Microsoft Office tracked as CVE-2017-11882, which was fixed in 2017. When someone opens one of these files, a Visual Basic Script (VBS) is downloaded without their knowledge from a source that appears legitimate. This script then fetches an image file (JPG) that hides a payload encoded in base64 format.
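A defender-side check for the carrier described above, as an added example that is not from the original post or from Positive Technologies: it scans image bytes for long base64 runs and decodes them. The 200-character threshold, the `MZ` header test, the after-end-of-image heuristic and the sample bytes are assumptions constructed for illustration; the post does not say where in the JPG the payload sits.

```python
import base64
import binascii
import re

JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker
# Assumption: 200+ consecutive base64 characters do not occur by chance in
# compressed image data, so any such run deserves a closer look.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def scan_image_for_base64(data):
    """Return one finding per long base64 run that decodes cleanly."""
    findings = []
    last_eoi = data.rfind(JPEG_EOI)
    for m in B64_RUN.finditer(data):
        text = m.group(0).rstrip(b"=")
        if len(text) % 4 == 1:           # one stray character can never decode
            text = text[:-1]
        text += b"=" * (-len(text) % 4)  # restore canonical padding
        try:
            decoded = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue
        findings.append({
            "offset": m.start(),
            "decoded_len": len(decoded),
            # Bytes after the final EOI marker are typically ignored by viewers.
            "after_eoi": last_eoi != -1 and m.start() > last_eoi,
            # "MZ" is the header of a Windows executable (PE) file.
            "looks_like_pe": decoded[:2] == b"MZ",
        })
    return findings


def build_sample(with_payload=True):
    """Constructed test bytes: a fake JPEG body plus an inert base64 blob."""
    image = b"\xff\xd8" + bytes(range(128, 256)) * 4 + JPEG_EOI
    blob = base64.b64encode(b"MZ" + b"\x00" * 300)  # harmless placeholder
    return image + blob if with_payload else image


if __name__ == "__main__":
    for finding in scan_image_for_base64(build_sample()):
        print(finding)
```

A hit only means the image carries decodable base64 text; what the decoded bytes are still has to be triaged separately.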


Diverse Malware Payloads

The hidden payload serves as a gateway to various malware families, each with distinct functionalities:

1. AgentTesla: A spyware capable of keylogging, credential theft, and capturing screenshots.

2. FormBook: An infostealer malware adept at harvesting credentials, monitoring keystrokes, and executing downloaded files.

3. Remcos: A remote access tool enabling attackers to manage compromised machines remotely, including activating webcams and microphones.

4. LokiBot: Another infostealer focusing on extracting sensitive information from commonly used applications.

5. Guloader: A downloader used in cyberattacks that distributes secondary payloads to evade antivirus detection.

6. Snake Keylogger: Malware designed to steal data by logging keystrokes, capturing screenshots, and harvesting credentials from web browsers.

7. XWorm: A Remote Access Trojan (RAT) that grants attackers remote control over compromised computers for executing commands and accessing sensitive information.


To evade detection, the final payloads and malicious scripts are often stored in reputable cloud services like Google Drive. Additionally, stolen data is transmitted to compromised FTP servers, masquerading as normal traffic.


Protective Measures

Despite the complexity of the attack, safeguarding against SteganoAmor is relatively straightforward. Updating Microsoft Office to the latest version eliminates the vulnerability exploited by the attackers, rendering their tactics ineffective.


Global Impact

While the primary targets seem concentrated in Latin America, the reach of SteganoAmor extends worldwide, posing a significant threat to organisations globally.


As these threats are taking new shape and form, staying aware and implementing timely updates remain crucial defences against cyber threats of any capacity. 


Worok Cyber Espionage Group Employs Malicious PNG Images to Propagate Malware

 

Cybersecurity researchers have unearthed new malware built to exploit steganographic techniques. Worok appears to be a complex cyber-espionage operation whose individual stages are still unknown. The campaign's final stage, however, has been identified by two cybersecurity firms.

Worok employs multi-stage malware created to siphon data and target high-profile victims, using steganography to conceal parts of the payloads in a plain PNG image file. The new malware was first uncovered by ESET in September.

The researchers described Worok as a new cyber spying group that employs undocumented tools, including a steganography method designed to extract a malicious payload from a plain PNG image file.

The cyber espionage group targeted high-profile victims like government agencies, particularly in the Middle East, Southeast Asia, and South Africa. ESET's knowledge of the threat's attack chain was limited, but the latest report from Avast has provided fresh details regarding this malicious campaign.

According to the Czech security firm, Worok employs a complex multistage design to conceal its activities. The hackers employ sideloading to execute the CLRLoader malware which, in turn, loads the PNGLoader DLL, capable of reading obfuscated code hidden in PNG files.

That code translates to DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft. The infostealer supports multiple commands, including running cmd /c, launching an executable, downloading and uploading data, deleting and renaming files, capturing file information, spying on network communications, and extracting metadata.

While researchers are still trying to put all the pieces together, the latest report from Avast confirms that Worok is a custom operation built to siphon data, spy, and target high-profile victims in specific parts of the globe.

“The key finding of this research is the interception of the PNG files, as predicted by ESET. The steganographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails,” researchers at Avast explained. “The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.”

Cybersecurity Researchers Discovered Attack Which Uses WAV Audio Files to Hide Malicious Code


We are living in an age where breaches of user security are among the most familiar headlines in the cybersecurity sphere. Attackers have continued to discover unprecedented ways to compromise user data and have strengthened the older ones.

A widely used technique that lets hackers break into computers and extract user data without being noticed is resurfacing. This time, detection is even more complex because the malware is embedded inside audio files that resemble regular WAV format audio files on the computer, according to cybersecurity researchers at Cylance, a California-based software company that develops antivirus programs and other software to prevent malware.

Hackers employed a method known as ‘steganography’ to hide and deliver malware; it involves hiding a file, video or message inside another file. Researchers at Cylance discovered the malicious code embedded inside the WAV audio files, with each file containing a ‘loader component’ which decodes and executes the malware. The threat actors carry out these malicious activities using a crypto mining application known as XMRig Monero CPU Miner.

Although hackers have previously used viruses and spyware to infect files and break into computers, this is the first time a file has been explicitly used to deliver crypto mining software into a system. Cybercriminals are always looking to undo the measures taken by security officials, as is evident from the more sophisticated strategies they now employ: earlier, the only way to deliver crypto mining malware was through malicious scripts on browsers, websites or software programs that came with malware.

Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, told Help Net Security: “One WAV file contained music with no indication of distortion or corruption and the others contained white noise. One of the WAV files contained Meterpreter to establish a reverse-shell to have remote access into the infected machine. The other WAV files contain the XMRig Monero crypto-miner.”

“Attackers are creative in their approach to executing code, including the use of multiple files of different file formats. We discovered several loaders in the wild that extract and execute malicious code from WAV audio files. Analysis revealed that the malware authors used a combination of steganography and other encoding techniques to deobfuscate and execute code,” the researchers at Cylance pointed out.

“The similarities between these methods and known threat actor TTPs may indicate an association or willingness to emulate adversary activity, perhaps to avoid direct attribution,” the researchers further remarked.

In order to stay guarded, users are advised to have proper anti-virus tools installed on their computers and stay alert while downloading any kind of file from the internet.

New Steganography Method TranSteg Hides Data in VoIP (IP Telephony)

Researchers from the Institute of Telecommunications at Warsaw University of Technology have found a new steganography method that helps to hide data in VoIP (IP telephony). The method is named "TranSteg" (Transcoding Steganography).

Voice over IP (VoIP), or IP telephony, is one of the services of the IP world that is changing the entire telecommunications landscape. It is a real-time service that enables users to make phone calls through data networks that use the IP protocol.

Steganography encompasses various information-hiding techniques whose aim is to embed a secret message (steganogram) into a carrier (image, audio, video). Steganographic methods aim to hide the very existence of the communication, so any third-party observers should remain unaware of the presence of the steganographic exchange.


In TranSteg, it is the overt data that is compressed to make space for the steganogram. The main innovation of TranSteg is to find, for a chosen voice stream, a codec that will result in similar voice quality but a smaller voice payload size than the one originally selected. Then, the voice stream is transcoded. At this step the original voice payload size is intentionally left unaltered and the change of codec is not indicated. Instead, after placing the transcoded voice payload, the remaining free space is filled with hidden data. A TranSteg proof-of-concept implementation was designed and developed.

TranSteg detection is difficult when inspection is performed at a single network location.