Research Saturday 5.11.19
Ep 85 | 5.11.19

Steganography enables sophisticated OceanLotus payloads.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Tom Bonner: [00:01:53] We were looking into a APT32 activity on a campaign that we'd been dealing with internally. We were already looking at the threat actor.

Dave Bittner: [00:02:02] That's Tom Bonner. He's director of threat research at BlackBerry Cylance. The research we're discussing today is titled, "OceanLotus Steganography Malware Analysis."

Tom Bonner: [00:02:12] As we came to sort of do a review of all the malware involved, we spotted a lot of the usual candidates - things like DNS tunneling, backdoors, Denes, Roland, and Remy, the other sort of remote access Trojans we've written about. And then came across another loader that, you know, didn't quite look like anything we'd seen before, but was clearly, you know, dropped by the OceanLotus APT32 threat actor, used at the same time. So we started looking into that, pulling it apart, and quickly became apparent that it was trying to decode information from PNG image files.

Dave Bittner: [00:02:45] Hmm.

Tom Bonner: [00:02:44] And luckily we were able to obtain a copy of those, started pulling that apart and seeing how it was processing the image. It was loading up a second-stage payload, so that had been embedded in the image file, encrypted. And then it was reading it back out, decrypting it using AES, sort of deobfuscating it - there was XOR and several other obfuscation layers on top - before sort of finally injecting into memory and running it.

Tom Bonner: [00:03:09] So yeah, all came off the back of an IR engagement, which really helps to tie these things down to specific threat actors, and just thought it was a very novel and interesting approach.

Dave Bittner: [00:03:20] Yeah. Before we dig in, what can you tell us about OceanLotus?

Tom Bonner: [00:03:24] Not a lot more than's perhaps in the public domain right now. I tend not to deal too much with the attribution side of things. Of course, many people are saying they're Vietnamese state-sponsored. I'm happy to go with that, but, you know, that aside, I think they're a very interesting group. They seem very prolific at the minute, and investing very heavily in the sort of bespoke tooling to really establish a foothold within an organization, and maintain a foothold, and exfiltrate data.

Tom Bonner: [00:03:24] So, they're using a good mix to sort of off-the-shelf tools - sort of commodity or commercial, off-the-shelf applications - but they have invested an awful lot into their own development. So this is sort of really another phase of their bespoke tooling that we've seen APT32 using.

Dave Bittner: [00:04:10] Well, let's walk through it step-by-step. How does one initially find themselves having to deal with this problem?

Tom Bonner: [00:03:53] Very good question. For a number of reasons you might find yourself in that situation. I mean, recently, we've seen OceanLotus targeting the automotive sector, amongst others. Now, typically, to leverage a foothold into an organization, they still use the same old tricks. You know, phishing works - it works well. We've seen them using even sort of phishing attempts for Mac recently, to try and hook some targets on the back platform.

Tom Bonner: [00:04:47] Once they're in, or they can at least get some sort of a payload on a system, we'll usually see things like Cobalt Strike Beacon being deployed at that point. Then they can recon systems. They will start to pump down some more bespoke malware that they've perhaps written in-house - although, even at those early stages, it's still often sort of throw-away samples. So, we started to see the steganography loader quite often at this point. We've seen the Denes DNS tunneling Trojan at this point. And a few other more basic remote access Trojans. They'll then start to be deployed, and they can look at moving laterally and spreading from there. And then finally, you know, even more bespoke remote access Trojans will be deployed, and they'll look at data exfiltration, or sort of whatever their end game is within that environment.

Dave Bittner: [00:05:37] It is interesting in your report that one of the images that they used was a gentleman thief character from a Japanese manga series - Kaito Kuroba. I suppose we have to give them style points for that.

Tom Bonner: [00:05:51] (Laughs) Absolutely, yeah, the Kaito Kid. Definitely give 'em some style points for that one. I mean, if it had been Naruto or Pokemon, might have been a bit more easily identifiable. I certainly hadn't heard of that particular series, but we had a few on our APAC team who had. But no, in a way, that wasn't the perfect image for them, because it was too small to hold the entire payload embedded in individual pixels.

Tom Bonner: [00:06:17] So, the second image - which I believe came from an inspirational quotes website - that image was actually a little larger, so every portion of the payload was able to be encoded and embedded in an RGB pixel value, whereas for the Kaito Kid one, the image actually overflowed beyond the end of the sort of RGB pixel matrix. So the bulk of the data was actually just appended raw to the file, which I guess isn't entirely their intention when they came to make this. But yeah, it was just a sort of unfortunate side effect.

Dave Bittner: [00:06:49] Well, let's dig in some to the steganography itself. First of all, can you describe to us, what is that?

Tom Bonner: [00:06:55] Steganography, in its simplest terms, is basically embedding some sort of data into, in this case, an image, for the purpose of hiding it. I mean, that technique has been around for an awfully long time, perhaps hundreds of years, and when combined with encryption as well, it can offer a very effective way of obscuring messages, or payloads, or concealing whatever information someone might like to conceal.

Dave Bittner: [00:07:25] And they went through some effort to, in this process, to not overtly affect the actual image itself. You wouldn't look at it and know that there was something wrong.

Tom Bonner: [00:07:35] Exactly. So, basically, each pixel in an image is assigned three color values. So, you have a byte for the blue, a byte for the green, and a byte for the red. In addition, you know, most other sort of image encoding algorithms will use an extra byte for the alpha channel. That value would sort of represent how transparent the overall color is.

Tom Bonner: [00:07:57] But yeah, they just focused purely on the red, green, and blue bytes, and by changing the least significant bits of these, basically, it disrupts - or, not so much disrupts, but it rather minimizes the visual differences between the original image and the image containing the payload. So yeah, it's only three bits from the red channel, three bits from the green channel, and two bits from the blue channel that change. So it would be very marginal shifts in color that should generally be imperceptible to the human eye.

Dave Bittner: [00:08:32] And then they took it to a next step - they were using some encryption as well?

Tom Bonner: [00:08:36] Oh, lots of encryption. Yeah. So the actual payload itself is encrypted using AES - AES128, with a key hardcoded in the binary. Then, I believe it deXORs the payload, after it's been read out. And then, all it really relies on on-disk is the loader DLL in the image. So, the image is read into memory, the bits are sort of pulled out of the image to reconstruct the byte buffer with the encrypted payload. That's decrypted in-memory using AES, then it's deobfuscated using XOR. That yields a shellcode buffer, which is RC4 encrypted, so that's decrypted.

Tom Bonner: [00:09:20] Then there's another launcher DLL. That contains another payload that's RC4 decrypted and inflated using LZMA. That contains another backdoor DLL, which then inflates another payload using LZMA. And finally, we get the C2 module in-memory. So, very sort of complex infection-injection chain occurring in-memory there.

Dave Bittner: [00:09:42] The point of that is to hide it from systems that might be trying to detect it?

Tom Bonner: [00:09:47] Absolutely. Yeah. It's to bypass defenses, really. So, by keeping as little as possible on-disk, in terms of the payload embedded in the image and the loader DLL, it really minimizes the chance for security software to flag it. The loader DLL itself is actually incredibly lightweight. Apart from sort of decoding the image, allocating some executable memory, copying some shellcode to it, and running it, it doesn't do an awful lot.

Tom Bonner: [00:10:13] And then after that, all of the next stages occur in-memory. So again, there's not a lot of options for security software to sort of hook it and grab it at that point. All of the sort of subsequent DLL and shellcode layers are then injected into the same address space, which often makes it hard for security software to pick it up and flag it. So yeah, it's really just trying to evade detection. That's sort of the main purpose of this convoluted sort of infection and loading chain.

Dave Bittner: [00:10:41] And then, once it is in memory and that process begins, then what's going on there, in terms of the backdoor and the other things it's trying to do?

Tom Bonner: [00:10:49] Really anything. So, initially, when we discovered this at the back-end of 2018, we'd seen them loading a couple of payloads that related to a DNS tunneling backdoor that APT32 were known to have developed and used heavily. But subsequently, since the paper's been published and pushed through marketing, we've actually seen them quite recently using the same style loaders - the exact same images described in the paper, but delivering other payloads as well. So, things like Cobalt Strike Beacons, and other - yeah, other tools from the APT32 arsenal.

Dave Bittner: [00:11:27] Now, it's interesting because you were saying that part of this was intentionally lightweight, but then later in the research you discuss how elements of this have a lot of junk code included in them, which makes the files larger, but harder to reverse-engineer.

Tom Bonner: [00:11:43] Absolutely. So, that junk code is occurring within the payload that's injected into memory...

Dave Bittner: [00:11:49] Hmm.

Tom Bonner: [00:11:48] ...So it's not really present in the on-disk loader DLL. And yeah, it's probably a fairly crude garbage opcode generation routine. It will modify a lot of registers, a bit of stack-based variables, but all neatly wrapped around two instructions - so, one that pushes the flags to the stack, and one that pops them them off, back into the flags register. And thankfully, most of the garbage opcode is neatly housed between those two instructions, so it's not too trivial to ignore that code, read round it, and get an overview of what's happening. It does change some of the logic flow from the basic compiled application. But yeah, it's largely just designed to annoy analysts really...

Dave Bittner: [00:12:37] (Laughs)

Tom Bonner: [00:12:36] ...And as soon as you can find a nice way of cheating it, it's not too problematic.

Dave Bittner: [00:12:44] Hmm. So, in your estimation, how would you rate the sophistication of what's going on here?

Tom Bonner: [00:12:49] I say it's pretty highly sophisticated. Absolutely. As with everything that the OceanLotus group develops, it's all to a high standard. It's clearly been developed well, tested well. The people who are writing it definitely have a very good understanding of not just what they're trying to accomplish, but how the security industry works, how we're going after them, how we're trying to track and monitor them. So they're, you know, constantly evolving. It's a cat-and-mouse game every day. But yeah, it's definitely been well-funded and well-developed, as with all of the other tools we've seen in formation like this.

Dave Bittner: [00:13:22] And what are your recommendations for folks to best protect themselves against this?

Tom Bonner: [00:13:26] Well, from a purely shameless standpoint, I would say still CylancePROTECT and OPTICS. But no, just more general advice for people who might be experiencing this or problems of this, is that things like EDR software - so, endpoint detect and response - it can be very, very powerful in helping to track these things down at the end of the day.

Tom Bonner: [00:13:47] You know, I've often tried to take the standpoint when dealing with these types of attacks that, if somebody wants to target you and they want to get in, they probably will. And, you know, after that, perhaps after your first line of defenses have been breached, then having software such as OPTICS, EDR software that is able to monitor and assess the behavior of threats on a system, and allow you to easily query that. Yeah, perform analysis based on functionality - it's really going to help out at the end of the day.

Dave Bittner: [00:14:19] In terms of the steganography itself, are there tools available that are looking for these sorts of things? Can you protect yourself from that specific type of attack?

Tom Bonner: [00:14:29] Not really. So, on the first part, as to whether there are tools to detect - there are some good analysis tools. I would say they are more meant for sort of back-end processing for reverse engineers and analysts to use in their sort of daily workflows. They can help to spot data that's been embedded or encoded in images, but only certain encoding algorithms, so, you know, this is ways of stuffing the bits and bytes into RGB color values. Now, what we've seen from some of their commercial off-the-shelf tools is that they will use a certain subset of algorithms for embedding this data, and the analysis tools will then sort of react to that, and come and add corresponding decoders.

Tom Bonner: [00:15:17] What's happened in this case with the OceanLotus steganography is that they seem to have been aware of these tools up front, and they have crafted the algorithm in such a way that there were very few differences when compared with the original image. But they've also been very careful not to trigger or make these tools trip up and detect their image, and automatically decode and pull out payloads. So we've written a little script as part of the white paper that will help people do that, but I'm sure it would be very trivial for them to alter the algorithm in a way that would break my script or break other analysis tools and sort of render it obsolete.

Tom Bonner: [00:15:57] So from that perspective, there aren't too many bits of security software or monitoring software that they're really going to help out here. And of course, everything is AES encrypted at the end of the day, so even if we could pull the data out, it's still an encrypted blob, and we'd have no idea how to handle it or process it without the original key, which we probably wouldn't have at that point.

Dave Bittner: [00:16:20] Hmm, yeah. So the game of cat-and-mouse continues.

Tom Bonner: [00:16:22] It does, day in, day out. Been doing it for eighteen years now.

Dave Bittner: [00:16:30] Our thanks to Tom Bonner from BlackBerry Cylance for joining us. The research is titled, "OceanLotus Steganography Malware Analysis." We'll have a link in the show notes.

Dave Bittner: [00:16:40] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:16:49] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:16:58] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik. Technical editor, Chris Russell. Our staff writer is Tim Nodar. Executive Editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.