CyberWire Daily - Steganography enables sophisticated OceanLotus payloads. [Research Saturday]
Episode Date: May 11, 2019
Researchers at BlackBerry Cylance have been tracking payload obfuscation techniques employed by OceanLotus (APT32), specifically steganography used to hide code within seemingly benign image files. Tom Bonner is director of threat research at BlackBerry Cylance, and he joins us to share their findings. The original research can be found here: https://www.cylance.com/en-us/lp/threat-research-and-intelligence/oceanlotus-steganography-malware-analysis-white-paper-2019.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
We were looking into APT32 activity on a sort of campaign that we'd been dealing with internally.
We were already looking at the threat actor.
That's Tom Bonner. He's director of threat research at BlackBerry Cylance.
The research we're discussing today is titled Ocean Lotus Steganography Malware Analysis.
As we came to sort of do a review of all the malware involved,
we spotted a lot of the usual candidates,
things like DNS tunneling backdoors,
Dennis, Roland and Remy,
the other sort of remote access trojans we've written about.
And then came across another loader that,
you know, didn't quite look like anything we'd seen before,
but was clearly, you know,
dropped by the Ocean Lotus APT32 threat actor, used at the same time.
So we started looking into that, pulling it apart, and quickly became apparent that it was trying to decode information from PNG image files.
And luckily, we were able to obtain a copy of those, started pulling that apart and seeing how it was processing the image.
It was loading up a second stage payload. So that had been embedded in the image file,
encrypted, and then it was reading it back out, decrypting it using AES, sort of de-obfuscating
it. There was XOR and several other obfuscation layers on top before sort of finally injecting
it into memory and running it. So yeah, it all came off the back of an IR engagement, which really helps to tie these things down to specific threat actors. I just thought it was a very novel and interesting approach.
Yeah. Before we dig in, what can you tell us about Ocean Lotus?
Not a lot more than perhaps in the public domain right now. I tend not to deal
too much with the attribution side of things. So, of course,
many people are saying they're Vietnamese state-sponsored. I'm happy to go with that.
But that aside, I think they're a very interesting group. They seem very prolific at the minute and
investing very heavily in the bespoke tooling to really establish a foothold within an organization
and maintain a foothold and exfiltrate data. So they're using a good mix of sort of off-the-shelf tools, sort of commodity
or commercial off-the-shelf applications, but they have invested an awful lot into their own
development. So this is sort of really another phase of their bespoke tooling that we've seen
APT32 using.
Well, let's walk through it step by step. How does one initially find themselves having to deal with this problem?
Very good question. For a number of reasons, you might find yourself in that situation. I mean, recently, we've seen Ocean Lotus targeting the automotive sector, amongst others. Now, typically, to leverage a foothold into an organization, they still use the same old tricks. Phishing works. It works well. We've seen them using even sort of phishing attempts for Mac recently to try and hook some targets on the Mac platform.
Once they're in, or they can at least get some sort of a payload on a system, we'll usually see things like a Cobalt Strike beacon being deployed at that point.
Then they can recon systems.
They'll start to pump down some more bespoke malware that they've perhaps written in-house.
Although even at those early stages, it's still often sort of throwaway samples.
So we've started to see this steganography loader quite often at this point.
We've seen the Dennis DNS tunneling Trojan at this point and a few other more basic remote
access Trojans. They'll then start to be deployed and they can look at moving laterally and spreading
from there. And then finally, you know, even more bespoke remote access Trojans will be deployed
and they'll look at data exfiltration or sort of whatever their own game is within that environment.
It's interesting in your report that one of the images that they used was a gentleman thief character from a Japanese manga series, Kaito Kuroba.
I suppose we have to give them style points for that.
Absolutely, yeah, the Kaito Kid. Definitely give them some style points for that one.
I mean, if it had been Naruto or Pokemon,
it might have been a bit more easily identifiable.
I certainly hadn't heard of that particular series,
but we had a few on our APAC team who had.
But no, in a way, that wasn't the perfect image for them
because it was too small to hold the entire payload embedded in individual pixels.
So the second image, which I believe came from an inspirational quotes website, that image was actually a little larger.
So every portion of the payload was able to be encoded and embedded in an RGB pixel value. Whereas for the Kaito Kid one, the image actually overflowed beyond the end of the sort of RGB pixel matrix. So the bulk of the data was actually just appended raw to the file, which I guess isn't entirely their intention when they came to make this. But yeah, it was just a sort of unfortunate side effect.
Well, let's dig in some to the steganography itself. First of all, can you describe to us what is that?
Steganography in its simplest terms is basically embedding some sort of data into,
in this case, an image for the purpose of hiding it. I mean, that technique has been around for
an awfully long time, perhaps hundreds of years. And when combined with
encryption as well, it can offer a very effective way of obscuring messages or payloads or concealing
whatever information someone might like to conceal. And they went through some effort in this process
to not overtly affect the actual image itself. You wouldn't look at it and know that there was something wrong.
Exactly. So basically, each pixel in an image is assigned three color values. So you have a byte for the blue, a byte for the green, and a byte for the red. In addition, most other sort of image encoding algorithms will use an extra byte for the alpha channel. That value would sort of represent how transparent the overall color is. But yeah, they just focus purely on the red, green and blue bytes, and by changing the least significant bits of these, basically it disrupts, or not so much disrupts, but it rather minimizes the visual differences between the original image and the image containing the payload.
So, yeah, it's only three bits from the red channel, three bits from the green channel, and two bits from the blue channel that change.
So it will be very marginal shifts in color that should generally be imperceptible to the human eye.
And then they took it to a next step.
They were using some encryption as well?
Oh, lots of encryption.
Yeah.
So the actual payload itself is encrypted using AES, AES-128, with a key hard-coded in the binary.
Then I believe it de-XORs the payload after it's been read out. And then all it really
relies on disk is the loader DLL and the image. So the image is read into memory. The bits are
sort of pulled out of the image to reconstruct the byte buffer with the encrypted payload.
That's decrypted in memory using AES. Then it's deobfuscated using XOR.
That yields a shellcode buffer, which is RC4 encrypted.
So that's decrypted.
Then there's another launcher DLL.
That contains another payload that's RC4 decrypted and inflated using LZMA.
That contains another backdoor DLL, which then inflates another payload using LZMA.
And finally, we get the C2 module in memory.
So very sort of complex infection injection chain occurring in memory there.
The point of that is to hide it from systems that might be trying to detect it?
Absolutely.
Yeah, it's to bypass defenses, really. So by keeping as little as possible on disk in terms of the payload embedded in the image and the loader DLL,
it really minimizes the chance for security software to flag it.
The loader DLL itself is actually incredibly lightweight.
Apart from sort of decoding the image, allocating some executable memory, copying some shellcode to it and running it,
it doesn't do an awful lot.
And then after that, all of the next stages occur in memory. So again, there's not a lot of options
for security software to sort of hook it and grab it at that point. All of the sort of subsequent
DLL and shellcode layers are then injected into the same address space, which often makes it hard
for security software to pick it up and flag it.
So, yeah, it's really just trying to evade detection.
That's sort of the main purpose of this convoluted sort of infection and loading chain.
And then once it is in memory and that process begins,
then what's going on there in terms of the back door and the other things it's trying to do?
Really anything.
So initially, when we discovered this at the back end of 2018,
we'd seen them loading a couple of payloads that related to DNS tunneling backdoor that APT32 are known to have developed and used heavily.
But subsequently, since the paper's been published and pushed through marketing,
we've actually seen them quite recently using the same style loaders, the exact same images described in the paper, but delivering other
payloads as well. So things like Cobalt Strike beacons and other tools from the APT32 arsenal.
Now, it's interesting because you were saying that part of this was intentionally lightweight,
but then later in the research, you discuss how elements of this have a lot of junk code
included in them, which makes the files larger, but harder to reverse engineer.
Absolutely.
So that junk code is occurring within the payload that's injected into memory.
So it's not really present in the on-disk loader DLL. And yeah, it's probably a fairly crude garbage opcode generation routine. Yeah, it will modify a lot of registers, a bit of stack-based variables, but all neatly wrapped around two instructions: so one that pushes the flags to the stack and one that pops them off back into the flags register. And thankfully, most of the garbage opcode is neatly housed between those two instructions, so it's not too trivial to ignore that code, read around it and get an overview of what's happening. It does change some of the logic flow from the basic compiled application.
But yeah, it's largely just designed to annoy analysts, really. And as soon as you can find a nice way of cheating it, it's not too problematic.
So in your estimation, how would you rate the sophistication of what's going on here?
I'd say it's pretty highly sophisticated. Absolutely. As with everything that the Ocean Lotus Group develops, it's all to a high standard. It's clearly been developed well,
tested well. The people who are writing it definitely have a very good understanding of
not just what they're trying to accomplish, but how the security industry works, how we're going
after them, how we're trying to track and monitor them. So they're constantly evolving.
It's a cat and mouse game every day. But yeah, it's definitely been well-funded and well-developed, as with all of the other tools we've seen from Ocean Lotus.
And what are your recommendations for folks to best protect themselves against this?
Well, from a purely shameless standpoint, I would say install CylancePROTECT and CylanceOPTICS. But no, just more general advice for people who might be experiencing this or problems of this is that things like EDR software, so endpoint detection and response, it can be very, very powerful in helping to track these things down at the end of the day. I've often tried to take the standpoint when dealing with these types of attacks that if somebody wants to target you and they want to get in, they probably will.
And after that, perhaps after your first line of defenses have been breached, then having software such as CylanceOPTICS, EDR software that is able to monitor and assess the behavior of threats on a system and allow you to easily query that, yeah, perform analysis based on functionality, it's really going to help out at the end of the day.
In terms of the steganography itself, are there tools available that are looking for these sorts
of things? Can you protect yourself from that specific type of attack?
Not really. So on the first part as to whether there are tools to detect it,
there are some good analysis tools. I would say they are more meant for sort of backend processing
for reverse engineers and analysts to use in their sort of daily workflows. They can help to spot
data that's been embedded or encoded in images, but only certain encoding algorithms. So, you know, this is ways of stuffing the bits and bytes into RGB color values. Now, what we've seen from some of the commercial off-the-shelf tools is that they will use a certain subset of algorithms for embedding this data, and the analysis tools will then sort of react to that and come and add corresponding decoders. What's happened in this case with the Ocean Lotus steganography is that they seem to have been aware of these tools up front, and they have crafted the algorithm in such a way that there were very few differences when compared with the original image, but they've also been very careful not to trigger or make these tools trip up and detect their image and automatically decode and pull out payloads.
So we've written a little script as part of the white paper that will help people do that, but I'm sure it would be very trivial for them to alter the algorithm in a way that would break my script or break other analysis tools and sort of render it obsolete.
So from that perspective, there aren't too many bits of security software or monitoring
software that are really going to help out here.
And of course, everything is AES encrypted at the end of the day.
So even if we could pull the data out, it's still an encrypted blob, and we'd have no idea how to handle it or process it without the original key, which we probably wouldn't have at that point.
Yeah, so the game of cat and mouse continues.
It does, day in, day out.
Been doing it for 18 years now.
Our thanks to Tom Bonner from BlackBerry Cylance for joining us.
The research is titled Ocean Lotus Steganography Malware Analysis.
We'll have a link in the show notes.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday
is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.