
If you come across certain JPEG images on Microsoft Windows, it suggests a hacking attempt.

Microsoft users are cautioned against downloading certain JPEG files, as they conceal a harmful security trap.

If you encounter certain JPEG files on your Microsoft Windows system, your system may be under a hacking attack.

Cybersecurity researchers have warned about a new technique used by the advanced threat group APT37 in its RoKRAT attacks: steganography is used to hide the malware payload inside JPEG image files[1][3][5].

The infection chain begins when a user opens a malicious Windows shortcut (.LNK) file delivered inside a ZIP archive; one observed archive was named "National Intelligence and Counterintelligence Manuscript.zip"[1][3][5]. The shortcut is unusually large (over 50 MB, where a genuine shortcut is a few kilobytes) because it embeds a decoy document and several encrypted components, including shellcode, PowerShell scripts and batch files.

The attack flow includes several key steps:

  1. Executing the shortcut launches PowerShell scripts that decrypt an initial 32-bit shellcode, which is XOR-encrypted with a single-byte key (0x33 in the analysed sample).
  2. That shellcode locates a second encrypted stage at a fixed offset and decrypts it with a different single-byte XOR key (0xAE).
  3. The decrypted payload is then injected into legitimate Windows processes, including Microsoft Paint (mspaint.exe) and notepad.exe, so the malware runs in memory without the final payload ever being written to disk[1][4][5].

By injecting into Microsoft Paint, APT37 hides RoKRAT inside a trusted, commonly running Windows application, which helps it avoid suspicion. The JPEG images are not merely decoys: they carry the encrypted payloads via steganography, and the PowerShell stage extracts and executes the hidden data directly in memory[4][5].
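As an added triage example (this is not code from the cited reports, which do not disclose the exact steganographic method), the following Python script assumes the simplest smuggling technique, payload bytes appended after the JPEG's EOI marker, carves that trailing data, and then recovers a single-byte XOR key by known-plaintext scoring. It covers both the XOR-decryption steps listed above and the JPEG carrier described here. The sample JPEG and payload are constructed inline; the 0xAE key is taken from the reports, while the layout, the filler offset and the plaintext needles are assumptions.

```python
"""Added triage example: carve data hidden after a JPEG's EOI marker and recover a
single-byte XOR key by known-plaintext scoring. Assumes the simplest stego method
(appended payload); the reports do not state which method APT37 used."""
import struct
from typing import Dict, Optional, Tuple

# Plaintext fragments expected inside a decrypted PE or PowerShell stage (assumed needles).
KNOWN_PLAINTEXT = [
    b"This program cannot be run in DOS mode",
    b"kernel32.dll",
    b"Invoke-Expression",
    b"FromBase64String",
    b"powershell",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the scheme described for both stages)."""
    return bytes(b ^ key for b in data)


def jpeg_image_end(data: bytes) -> int:
    """Return the offset just past the first EOI (FFD9) marker, walking segment headers
    and skipping stuffed 0xFF00 bytes and RSTn markers inside entropy-coded data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI outside a scan (no image data)
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker != 0xDA:                       # not SOS: next segment header follows
            continue
        while pos + 1 < len(data):               # entropy-coded data until a real marker
            if data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
                if data[pos + 1] == 0xD9:
                    return pos + 2
                break                            # e.g. DHT/SOS of a progressive scan
            pos += 1
    raise ValueError("no EOI marker found")


def carve_trailing(data: bytes) -> bytes:
    """Everything after the image is not needed to display it: a natural hiding place."""
    return data[jpeg_image_end(data):]


def recover_xor_key(blob: bytes) -> Optional[Tuple[int, int]]:
    """Try all 256 single-byte keys; XOR the needles instead of the blob so each key costs
    a few substring searches. Returns (key, offset of earliest hit) or None."""
    best = None                                  # (score, key, offset)
    for key in range(256):
        score, first = 0, None
        for needle in KNOWN_PLAINTEXT:
            idx = blob.find(xor_bytes(needle, key))
            if idx != -1:
                score += len(needle)
                first = idx if first is None else min(first, idx)
        if score and (best is None or score > best[0]):
            best = (score, key, first)
    return None if best is None else (best[1], best[2])


def triage_jpeg(data: bytes) -> Dict[str, object]:
    """Full check: where the image ends, how much trails it, and whether a XOR'd stage hides there."""
    end = jpeg_image_end(data)
    trailing = data[end:]
    hit = recover_xor_key(trailing) if trailing else None
    return {
        "image_end": end,
        "trailing_len": len(trailing),
        "xor_key": None if hit is None else hit[0],
        "hit_offset": None if hit is None else hit[1],
    }


def build_sample() -> bytes:
    """Constructed input: a minimal JPEG followed by 64 filler bytes, then a fake PE stub
    XOR'd with 0xAE (the second-stage key quoted in the reports; the layout is assumed)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # contains a stuffed FF00 and an RST0 marker
    jpeg = b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
    stage2 = b"MZ\x90\x00" + b"This program cannot be run in DOS mode" + b"\x00" * 8
    return jpeg + bytes(range(64)) + xor_bytes(stage2, 0xAE) + b"\x00" * 16


SAMPLE = build_sample()

if __name__ == "__main__":
    result = triage_jpeg(SAMPLE)
    print(result)
    if result["xor_key"] is not None:
        stage = xor_bytes(carve_trailing(SAMPLE), result["xor_key"])
        print(stage[result["hit_offset"] - 4:result["hit_offset"] + 8])
```

Running the script on a real image from a suspicious archive answers two questions an analyst asks first: does the file keep going after the picture ends, and does a trivial key turn that remainder into something recognisable. Trailing data alone is not proof (some cameras and editors append metadata), which is why the known-plaintext hit, not the mere presence of extra bytes, is the signal.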

With this approach, APT37's RoKRAT malware compromises Windows systems while evading traditional, file-based security defences[1][3][4][5]. Users should heed the critical warning issued about the RoKRAT attack and refrain from opening archives, shortcuts or images from unknown sources[2].

A mature Endpoint Detection and Response solution can flag the outbound communications initiated by the injected shellcode, including the Dropbox API traffic the malware uses, and block them before the attack progresses[6]. Microsoft also treats LNK shortcut files as a potentially dangerous file type and shows a security warning when a user opens one downloaded from the internet[7]. That warning depends on the Mark of the Web being attached to the shortcut, so it only helps if both the download and the tool used to extract the ZIP archive preserve that marking; it should not be the only control.
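As an added example of the kind of telemetry check described above (not the product logic of any named vendor), the following Python scores constructed, Sysmon-style events for three signals from the chain: an oversized .lnk written to disk, an injection target such as mspaint.exe or notepad.exe launched by a script host, and one of those processes opening an outbound connection, with Dropbox API hosts raising the severity. It also correlates the last two by process id into a single chain alert. The event format, the field names, the shortcut file name, the 1 MiB shortcut threshold and the Dropbox host names are assumptions.

```python
"""Added detection example: score constructed endpoint events for the RoKRAT-style
chain (oversized LNK -> script host -> injection target -> outbound Dropbox traffic)."""
from typing import Dict, List

INJECTION_TARGETS = {"mspaint.exe", "notepad.exe"}      # processes the reports name as hosts
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}  # assumed C2 endpoints
LNK_SIZE_LIMIT = 1024 * 1024   # assumption: a genuine shortcut is a few KB, never megabytes

# Constructed Sysmon-style events (field names and paths are assumptions, not a vendor schema).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"type": "file_create", "pid": 1000, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Downloads\National Intelligence and Counterintelligence Manuscript.lnk",
     "size": 52_428_800},
    {"type": "process_create", "pid": 1234, "ppid": 1000, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process_create", "pid": 2222, "ppid": 1234,
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\mspaint.exe"},
    {"type": "network_connect", "pid": 2222, "image": r"C:\Windows\System32\mspaint.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    # Benign: the real Dropbox client talking to the same API must not fire.
    {"type": "network_connect", "pid": 3333, "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    # Benign: a user creating a normal shortcut.
    {"type": "file_create", "pid": 1000, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Desktop\Calculator.lnk", "size": 1_024},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events) -> List[Dict[str, str]]:
    """Return one alert per matching event plus one chain alert when an injection target
    that a script host launched also makes a network connection (correlated by pid)."""
    alerts: List[Dict[str, str]] = []
    spawned_by_script: Dict[object, str] = {}  # pid -> parent image, injection targets only
    for ev in events:
        img = basename(str(ev.get("image", "")))
        if ev["type"] == "file_create":
            path = str(ev["path"])
            if path.lower().endswith(".lnk") and int(ev["size"]) > LNK_SIZE_LIMIT:
                alerts.append({"severity": "medium", "rule": "oversized_lnk",
                               "detail": "%d-byte shortcut written: %s" % (ev["size"], path)})
        elif ev["type"] == "process_create":
            parent = basename(str(ev.get("parent", "")))
            if img in INJECTION_TARGETS and parent in SCRIPT_HOSTS:
                spawned_by_script[ev["pid"]] = parent
                alerts.append({"severity": "medium", "rule": "injection_host_spawned",
                               "detail": "%s (pid %d) launched by %s" % (img, ev["pid"], parent)})
        elif ev["type"] == "network_connect" and img in INJECTION_TARGETS:
            host = str(ev["dest_host"])
            sev = "high" if host in DROPBOX_API_HOSTS else "medium"
            alerts.append({"severity": sev, "rule": "unexpected_network",
                           "detail": "%s (pid %d) -> %s:%s" % (img, ev["pid"], host, ev["dest_port"])})
            if ev["pid"] in spawned_by_script:
                alerts.append({"severity": "critical", "rule": "injection_chain",
                               "detail": "%s spawned %s (pid %d) which reached %s"
                               % (spawned_by_script[ev["pid"]], img, ev["pid"], host)})
    return alerts


def triggered_rules(events) -> List[str]:
    """Just the rule names, in firing order, for quick comparison."""
    return [a["rule"] for a in detect(events)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"], alert["detail"])
```

The two benign records matter as much as the malicious ones: the Dropbox desktop client legitimately talks to the same API, so the network rule keys on the originating image, not on the destination alone, and an ordinary shortcut stays well under the size threshold. In production the same logic would read real Sysmon or EDR events rather than the constructed list.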

Steganography is an old technique, but it remains a powerful tool in the hands of attackers[8]. Users and organisations should therefore remain vigilant and maintain layered security measures against such attacks.

[1] Genians Security Center, "APT37 Deploys RoKRAT in New Attack" [Accessed 15 March 2023].
[2] National Cyber Security Centre, "Critical Warning: RoKRAT Attack" [Accessed 15 March 2023].
[3] Kaspersky Lab, "RoKRAT: The Evolution of a Remote Access Trojan" [Accessed 15 March 2023].
[4] McAfee Labs, "RoKRAT: A New Threat in the Cybersecurity Landscape" [Accessed 15 March 2023].
[5] Symantec, "The Rise of RoKRAT: A New Remote Access Trojan" [Accessed 15 March 2023].
[6] FireEye, "Endpoint Detection and Response Solutions" [Accessed 15 March 2023].
[7] Microsoft Support, "Security Warning for LNK Shortcut Files" [Accessed 15 March 2023].
[8] Cryptomuseum, "History of Steganography" [Accessed 15 March 2023].

  1. APT37's RoKRAT campaign hides its payload inside JPEG image files by steganography and runs it from the memory of trusted Windows applications such as MS Paint and Notepad, evading file-based security controls.
  2. Security experts urge users and organisations to treat unsolicited archives, shortcut files and images with suspicion, and to rely on endpoint detection that can spot in-memory execution and unexpected outbound connections from such processes.
