Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

This article explores a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in benign 32-bit .NET applications. The malware executes through a multi-stage process of extracting, deobfuscating, loading, and executing secondary payloads. The analysis focuses on a sample from recent malspam campaigns targeting financial organizations in Turkey and logistics sectors in Asia. The malware uses steganography to hide its payloads, making it challenging to detect. The article details the technical analysis of each stage, from the initial payload to the final execution of malware families like Agent Tesla, XLoader, and Remcos RAT. It also provides guidance on how to overcome this obfuscation technique using debugging methods.

OPENCTI LABELS:

obfuscation, remcos rat, steganography, malspam, .net, xloader, bitmap

