A notorious hacker group known as APT-C-20, alternatively called APT28 or Fancy Bear, has devised a method to bypass security measures by embedding harmful code within ordinary image files.
This group conceals shellcode within PNG images to activate a fileless backdoor coded in C#. This technique allows attackers to avoid leaving detectable files on the system, making it challenging for security tools to identify the breach.
Stealthy Attack Techniques
The initial phase of the attack involves sending a Word document disguised as a file related to an Eastern European government’s defense sector via email. Victims who enable macros unknowingly trigger the deployment of a concealed DLL and an altered PNG image, which then exploit a Windows feature to execute code stealthily.
The DLL extracts hidden shellcode from the image and executes it directly in memory, deploying a remote access tool that communicates with attackers through cloud storage channels.
APT-C-20’s Sophisticated Deception
Security analysts from 360 have tracked this campaign, noting its similarity to APT-C-20’s past operations. Their findings highlight the group’s use of multiple layers of deception, including encrypted macros, covert registry modifications, and image-based steganography to maintain the attack’s invisibility.
This campaign poses a substantial threat, particularly to government and diplomatic organizations due to its convincing disguise. The fileless nature of the attack means traditional antivirus software often fails to detect it, necessitating behavior-based detection methods.
Implications for Cybersecurity
The attack commences with a file named readme.docm, which appears meaningless until macros are enabled, revealing a decoy related to an Eastern European defense ministry. Meanwhile, the macro executes a series of actions, including dropping files and setting up system persistence.
The malware reaches out to dropbox.com as part of its reconnaissance, then duplicates itself into temporary directories, writing files such as dnxstore.dll and EdgeLogo.png to designated locations. Through COM hijacking, Windows Explorer is manipulated to load malicious code.
Once activated, the shellcode extracts details from the image and runs the backdoor, a C# program called Publish.exe, entirely in memory. The backdoor collects system information, encrypts it, and communicates using Filen.io, ensuring resilience through multiple backup gateways.
Researchers emphasize the importance of scrutinizing unexpected macro-enabled documents and monitoring unusual system behaviors to detect such intrusions early. By doing so, organizations can better protect sensitive data from sophisticated cyber threats like those posed by APT-C-20.
