Steganography or encryption in bankers?

While looking over some potentially malicious links from Brazil, I came across an interesting group of files. They were of varying sizes but had similar structures.

First I thought this was some type of steganography. The files has a jpeg extension, but were in fact bmp files in structure.

It was evident that they contained encrypted malware and some additional data. After further analysis, I discovered that this was a block cipher. As far as I know, this is the first time it has been used by malware writers anywhere in Latin America. This is what the malicious program looked like after decryption:

By using this technique, the virus creators kill several birds with one stone. Firstly, it may cause automatic malware analysis systems to function incorrectly: the file would be downloaded and analyzed by the antivirus program, and given the all-clear; with time the link will be exempted from checks altogether. Secondly, the
administrators of the sites where such encrypted malicious files are hosted won’t be able to identify them as malicious and will leave them as they are. Thirdly, some malware researchers may not have the time or necessary expertise to deal with them. All of this plays into the hands of the cybercriminals.

We have observed that the virus writers behind this specific attack publish new mirrors with the files and new malware every 2 days or so. So far, the encryption algorithm has been the same, but I’m sure it will be changed after this post is published. This is the decryption script for the current status:

Steganography or encryption in bankers?

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox