Stegomalware and TTPs
Trends in 2021
Dr. Alfonso Muñoz - Criptored
@mindcrypt – alfonso@criptored.com
• PhD in Telecommunications Engineering (UPM)
• 18 years “on the road”…
Profile:
https://en.wikipedia.org/wiki/Illegals_Program#Agents_apprehended_by_FBI_on_June_27,_2010
https://www.youtube.com/watch?v=hGhufb2C_7Y
https://www.amazon.es/Estegomalware-antivirus-perimetral-esteganografía-ciberamenazas/dp/B09F1J2NTG
https://www.proofpoint.com/es/resources/threat-reports/human-factor
2 - Hiding the communication with the C&C: VinSelf (2010), ShadyRAT (2011), Morto (2012), Stegoloader/Gatak (2015), TeslaCrypt (2016), CryLocker (2016), TROJAN.MSIL.BERBOMTHUM.AA (2018, memes), Titanium (2019), APT15/Ke3chang (2019), APT29/Cozy Bear (2019, 2020), APT23/Tropic Trooper (2020), DeathStalker/Evilnum (2020)
3 - Hiding stolen data: Duqu (2011), Turla (2019), APT34/OilRig (2020), APT38/Lazarus Group (2021), APT40/Leviathan (2021)
(Russia, Israel, Turkey, North Korea, China…)
* Disclaimer: - “Representative” set - Several samples appear in more than one category; the “main” one is shown.
https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps
*Disclaimer
- Total of 81 UNIQUE stegomalware samples since 2010, 17 since 2019.
- Sequential LSB, EOF and fake headers
https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf
Stegomalware in Spain (2019-2021): Ursnif, IcedID, GandCrab, LightNeuron, RainDrop, MyKings, Cutwail, ObliqueRAT, Glupteba, Prolock, NanoCore…
• Malware type: banking trojan, ransomware, backdoor, credentials stealer, dropper, loader, botnet, skimmer, RAT, cryptominer…
• Most used techniques: EoF, sequential LSB, fake headers
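Added example, not the speaker's code or any named project's: a small Python triage helper for two of the three techniques listed above, a payload appended after the image's end marker (PNG IEND chunk, JPEG EOI marker) and a fake header (the file extension disagrees with the magic bytes). Sequential LSB needs a statistical test and is not covered; the sample PNG bytes are constructed inline.

```python
# Added example, not the speaker's code: flags EOF appending (bytes after PNG
# IEND / JPEG EOI) and fake headers (extension vs magic bytes); LSB not covered.
import struct
import zlib
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "bmp": b"BM"}

def png_trailing(data: bytes) -> int:
    pos = 8                                     # skip signature, walk chunks to IEND
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                      # length + type + data + CRC
        if ctype == b"IEND":
            return max(0, len(data) - pos)      # bytes after the last chunk
    return 0                                    # no IEND: truncated, not stuffed

def jpeg_trailing(data: bytes) -> int:
    """Walk marker segments; return how many bytes follow the EOI marker."""
    pos = 2
    while pos + 1 < len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI reached
            return len(data) - (pos + 2)
        if marker in (0xFF, 0xD8, *range(0xD0, 0xD8)):      # fill / standalone
            pos += 1 if marker == 0xFF else 2
        elif pos + 4 > len(data):
            break
        else:
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:      # SOS: scan data only holds FF00 and RSTn
                while pos + 1 < len(data) and not (data[pos] == 0xFF and
                        data[pos + 1] not in (0x00, *range(0xD0, 0xD8))):
                    pos += 1
    return 0                                                # malformed / no EOI

def triage(filename: str, data: bytes) -> list:
    """Findings for one file; an empty list means nothing suspicious."""
    ext = filename.rsplit(".", 1)[-1].lower().replace("jpeg", "jpg")
    fmt, findings = next((n for n, m in MAGIC.items() if data.startswith(m)), None), []
    if fmt != ext:
        findings.append(f"fake header: extension .{ext} but content is {fmt}")
    extra = {"png": png_trailing, "jpg": jpeg_trailing}.get(fmt, lambda d: 0)(data)
    if extra:
        findings.append(f"eof payload: {extra} bytes after the end-of-image marker")
    return findings
# Constructed samples (not real malware): a 1x1 PNG, and the same PNG with a blob after IEND.
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
CLEAN_PNG = (MAGIC["png"] + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
STUFFED_PNG = CLEAN_PNG + b"<placeholder blob appended after IEND>"
```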
https://github.com/mindcrypt/covertchannels-steganography
https://blog.sucuri.net/2021/03/magento-2-php-credit-card-skimmer-saves-to-jpg.html
A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file.
https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html
https://threatpost.com/website-images-obliquerat-malware/164395/
“Custom encoding”: LightNeuron/Turla (JPEG), Oilrig, …
TA551/Shathak is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.
https://github.com/ReconInfoSec/png-decrypt/blob/main/decrypt.py
https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf
A copy of the previously unseen Raindrop was installed under the name bproxy.dll.
One hour later, the Raindrop malware installed an additional file called "7z.dll". A
legitimate version of 7zip was used to extract a copy of what appeared to be Directory
Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool
which can be used for querying Active Directory servers and retrieving data, typically
passwords, keys, or password hashes.
- Gets a WMI object to call Mshta to execute the bmp file. The BMP file after decompression contains a HTA file which executes JavaScript to drop a payload
https://blog.malwarebytes.com/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
Embedded objects within PNG and BMP file
https://blog.sucuri.net/2021/02/whitespace-steganography-conceals-web-shell-in-php-malware.html
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
https://vblocalhost.com/uploads/VB2021-Park.pdf