A newly discovered malware campaign leverages steganography to hide GandCrab ransomware in an apparently innocent Mario image.
According to Matthew Rowan, a researcher at Bromium, threat actors use steganography to hide the malicious code and avoid AV detection.
The steganography is used in conjunction with heavily obfuscated Microsoft PowerShell commands that attackers have hidden within the color channels of a picture of Mario, in a particularly manipulating
blue and green pixels.
“A manual re-shuffle to de-obfuscate the code and you can see more clearly the bitwise operation on the blue and green pixels. Since only the lower 4 bits of blue and green have been used, this won’t make a big difference to the image when looked at by a human, but it is quite trivial to hide some code within.”
This technique makes the threat hard to be detected by firewall and other defence systems.
Experts pointed out that attackers are targeting users in Italy, but the campaign will likely extend to other countries worldwide.
“The manually de-obfuscated PowerShell reveals the final
Experts were able to download the samples from the address in the de-obfuscated Powershell, including from an Italy-based VPN, and discovered several samples of the Gandcrab ransomware.
Additional details, including IoCs are reported in the analysis published by the security firm Bromium
(SecurityAffairs – steganography, hacking)
The post GandCrab ransomware campaign targets Italy using steganography appeared first on Security Affairs.