Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
This article discusses a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in seemingly benign 32-bit .NET applications. The malware employs a multi-stage process to extract, deobfuscate, load, and execute secondary payloads, ultimately leading to the detonation of the final payload. The analysis focuses on malware samples from recent malspam campaigns targeting financial organizations in Turkey and the logistics sector in Asia. The article provides a detailed technical breakdown of the four stages involved in the malware's execution, from the initial payload to the final Agent Tesla variant. It also offers insights into effective analysis approaches and protection measures against this steganography-based threat.
OPENCTI LABELS:
obfuscation, multi-stage, agent tesla, remcos rat, steganography, malspam, .net, xloader, bitmap