Hackers use coded camouflage methods, hiding malware in PNG photo files

Hackers were found using coded camouflage methods, hiding malware codes inside PNG image files to release malware.

Hiding malware or payload can be done in a variety of ways, from complex hiding through redirecting, URLs, reliable use of digital archives or Repo. And the most likely way to be up and coming is to hide the code in harmless files, such as image files, etc.

According to a report by the website, Cyber Security News has mentioned the detection of an NPM package, a JavaScript package that hides malware for remote access to the victim's system, or a RAT (Remote Access Trojan). NET is hiding payload code in a non-toxic PNG image file with a Steganography method. The package is impersonated as a buildrunner-dev package, named as buildrunner and build-runner. These two projects were long abandoned by the developer, but the name is similar enough to allow those searching for these two tools to misdownload.

The malware mechanism begins after the victim installs the tool from the package via npm install. The Hook that runs after installation like Postinstall Hook runs a script from the init.js file to download a Btach script file called packageloader.bat from Codeberg, a reliable Repo service. This file silently copies itself into the Windows Startup folder, which creates persistence on the system, or Persistence, guaranteeing that the malware will rework every time it is turned on or rebooted. New

Such a Batch file, in addition to having the ability to create Persistence, has also confused up to seven layers of Obfuscation with up to 1,653 lines of code, but only 21 lines of functional code. There are also disorganized comments, useless junk variables, fake Base64 string values to disrupt Static Analysis and human verification.

And before running the Payload code, the malware will check if it has the Admin or Administrator. If it does not find it, it will use fodhelper.exe to upgrade its permissions while evading the UAC Account Control system at one time, without UAC showing the user the Prompt to choose whether or not to grant it. After that, the malware will run the PowerShell code through conhost.exe to determine if there is an anti-virus or cyber protection tool installed on the system. At this point, there will be a method. That led to the installation of the last malware file in many ways as the analysis detected, which the source did not provide details.

The last payload is a RAT malware payload called Pulsar that, after installation, inserts itself into the Windows General Process, making it difficult to detect. This payload code is hidden inside the RGB (Red Green Blue) Pixel of two PNG image files deposited on the ImgBB website.

"6b8owksyv28w.png" (41 × 41 px, 2.3 KB) internally contains PowerShell-style code that can emanate AMSI-style protection (Antimalware Scan Interface).

"0zt4quciwxs2.png" (141 × 141 px, 67 KB) internally contains the code of the .NET extension malware (Loader) for use in releasing the real payload.

The two runs lead to downloading and decoding the code from another image file deposited at hxxps: / / i.ibb [.] co / tpyTL2Zg / s9rugowxbq8i.png. This third file acts as a control server (C2 or Command and Control) that will ultimately release Pulsar malware into the victim's machine.

# Trending # Lemon 8 Howtoo # lemon 8 diary # png # freedomhack