Microsoft Windows Is Being Hacked If You See These JPEG Images

Posted by Davey Winder, Senior Contributor | 6 hours ago | /consumer-tech, /cybersecurity, /innovation, Consumer Tech, Cybersecurity, Innovation, standard | Views: 6


Microsoft users have every right to consider themselves somewhat bombarded by hackers. What with the recent global SharePoint attack, confirmation of the FileFix Windows security bypass, and the FBI issuing a critical warning to activate 2FA in response to the Interlock ransomware threat. Now Windows users have been issued another warning about a threat hiding in plain sight that weaponizes JPEG image files to attack. Here’s what you need to know about the APT37 RoKRAT remote access trojan.


Windows Users Warned As Microsoft Paint And JPEG Images Used In Latest Hack Attacks

When you think of sophisticated hack attacks, the chances are that the much-derided MS Paint application and the use of basic JPEG images do not immediately spring to mind. Yet here we are, with a critical warning being issued as an advanced threat group colloquially known as Reaper, but more formally identified as APT37, using just these tools to deploy a truly dangerous remote access trojan called RoKRAT. You might be more used to reading about images stolen by hackers than deployed by them as an integral part of an attack, but the risk is very real indeed as security researchers at the Genians Security Center have warned.

The latest RoKRAT attack report has revealed how the APT37 hackers are using steganography to obfuscate malware code, which is then injected into the MS Paint process during the Microsoft Windows cyberattacks. Why do this? Because it makes detection, and therefore prevention, much harder.

APT37 “employs a two-stage encrypted shellcode injection method to hinder analysis,” the researchers warned, with downloaded images as part of the attack. The report said the malware analysts observed that “the RoKRAT module is embedded within the JPEG image format.”

The RoKRAT attack module itself was concealed, the researchers said, in images named Father.jpg, downloaded from a Dropbox drive. There were two photos of a man, a harmless version of which can be viewed within the report itself, but “the underlying malware structure remained the same.”


What Is Steganography?

Steganography, from the Greek steganographia, combining words meaning concealed and writing, is just that: the “art” of concealing information within a different medium so that it is not immediately evident to even a skilled observer. In the world of cybersecurity, steganography is most commonly seen, or not, of course, as malicious code hiding within a seemingly harmless image. This is not a new technique by any means. I feel a confession coming on. Some 25 years ago, someone looking very much like me employed just such a technique to capture keyboard output and hide it in an image file for later extraction. Hackers have known about and deployed steganography forever. Which does not make it an outdated technique or any the easier to detect when looking for malicious code. And that, dear reader, is why the APT37 attackers are deploying it in these latest RoKRAT campaigns.

“When shellcode is injected into the mspaint.exe process to perform a fileless attack,” the researchers warned, “detection by signature- or pattern-based security solutions may be difficult.” But a mature Endpoint Detection and Response solution can identify “external communications initiated via shellcode and the Dropbox API,” which would quickly halt the Microsoft Windows attack.
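The two behaviours the researchers say an EDR can key on, outbound connections from mspaint.exe and traffic to the Dropbox API from a process that has no business using it, can be expressed as a simple detection rule. The script below is an added illustration, not code from the Genians report or from this article; the telemetry lines are constructed, and the Dropbox API hostnames and the allow-listed Dropbox client image are assumptions.

```python
import ntpath
import re
from typing import Dict, Iterator, List

# Constructed endpoint telemetry in a simplified key=value form (not real
# RoKRAT logs). Dropbox API hosts are assumed; paths are illustrative.
SAMPLE_TELEMETRY = """\
type=network pid=4120 image=C:\\Windows\\System32\\mspaint.exe dest=api.dropboxapi.com port=443
type=network pid=4120 image=C:\\Windows\\System32\\mspaint.exe dest=content.dropboxapi.com port=443
type=network pid=2210 image=C:\\Users\\u\\AppData\\Dropbox\\Dropbox.exe dest=api.dropboxapi.com port=443
type=network pid=3377 image=C:\\Windows\\System32\\mspaint.exe dest=192.0.2.10 port=8080
type=process pid=5001 image=C:\\Windows\\System32\\mspaint.exe parent=C:\\Windows\\explorer.exe
type=network pid=6002 image=C:\\Windows\\System32\\svchost.exe dest=update.microsoft.com port=443
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Processes that have no legitimate reason to open a network socket at all.
NO_NETWORK_IMAGES = {"mspaint.exe"}
# Assumed Dropbox API domain suffix and the only image expected to use it.
DROPBOX_API_SUFFIX = ".dropboxapi.com"
DROPBOX_ALLOWED_IMAGES = {"dropbox.exe"}


def parse_events(text: str) -> Iterator[Dict[str, str]]:
    """Turn each non-empty key=value line into a dict."""
    for line in text.splitlines():
        if line.strip():
            yield dict(KV_RE.findall(line))


def detect(text: str) -> List[Dict[str, str]]:
    """Return one alert per suspicious network event, in input order."""
    alerts = []
    for ev in parse_events(text):
        if ev.get("type") != "network":
            continue
        image = ntpath.basename(ev["image"]).lower()
        dest = ev["dest"].lower()
        if dest.endswith(DROPBOX_API_SUFFIX) and image not in DROPBOX_ALLOWED_IMAGES:
            alerts.append({"pid": ev["pid"], "image": image, "dest": dest,
                           "severity": "high", "reason": "dropbox-api-from-unexpected-process"})
        elif image in NO_NETWORK_IMAGES:
            alerts.append({"pid": ev["pid"], "image": image, "dest": dest,
                           "severity": "medium", "reason": "network-from-non-network-process"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(alert)
```

On the constructed sample this raises two high-severity alerts for mspaint.exe reaching the Dropbox API and one medium-severity alert for mspaint.exe contacting an arbitrary host, while the legitimate Dropbox client and svchost.exe pass silently.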

For mere mortals without access to such enterprise tools, there’s another mitigation method: beware of the phishing tactics used initially to distribute the malware. These consist of compressed archives containing Windows shortcut links. You can read about mitigating Microsoft LNK cyberattacks here. I have reached out to Microsoft for a statement regarding the latest APT37 campaign. In the meantime, a spokesperson previously advised that: “Windows identifies LNK shortcut files as a potentially dangerous file type, which means that when a user attempts to open one that had been downloaded from the internet, a security warning is automatically triggered. This warning, quite correctly, advises the user not to open files from unknown sources. We strongly recommend heeding this warning.”
