From Pixels to Payloads: Understanding Malicious BMP Files
Threat actors are constantly looking for novel ways to compromise systems and gain initial access, whether to a chosen target or to whatever devices happen to be reachable. One such method is steganography.
So, what is steganography? It is the practice of hiding a secret message inside an innocuous carrier such as text, an image, or an audio file, so that the very existence of the message goes unnoticed.
Threat actors routinely repurpose legitimate techniques and tools for malicious ends, and steganography is no exception. In our scenario, the samples retrieve BMP files from attacker-controlled hosting infrastructure. We will use zsteg, a Ruby-based steganography analyzer, to pull the hidden data out of the image, the strings utility to verify that an embedded executable was recovered intact, and finally VirusTotal to see how many antivirus engines detect the payload.
Below is an example of a PowerShell script that downloads the malicious BMP files. It searches the image data for a marker followed by an MZ header and carves out what follows, which shows that the attacker used steganography to hide a Windows executable inside the BMP. The script also references ntdll.dll. That points to direct use of the native API (Nt*/Zw* functions), a common evasion technique, but ntdll.dll is a user-mode library, so on its own it does not indicate rootkit behaviour or Ring 0 (kernel-mode) activity.
I downloaded the BMP file in my lab and then moved it to another operating system to run zsteg with the -a option, obtain the full listing, and locate the marker referenced in the PowerShell code.
Before diving deep into reverse engineering this BMP file, open it in Notepad++ or any other text editor. You will notice interesting strings such as runas=invoker, which is a strong hint that a payload is embedded inside the BMP file; the picture below shows an example.
From the zsteg -a results, we can see something interesting:
b8,rgb,lsb,xy .. text: "MARKER_STARTMZP"
Based on this finding, we can run zsteg with the -E option and the channel specification b8,rgb,lsb,xy to extract that stream, redirecting the output to a file such as out.bin.
As shown in the image, the dump succeeded, but the file utility identifies it simply as data. That does not mean the content is garbage; it means the file does not begin with a recognised magic number, because the MARKER_START string sits in front of the MZ header. To strip everything before the MZ header we use the command
tail -c +14 out.bin > payload.bin (tail -c +N starts output at byte N counted from 1, so confirm the offset of the MZ signature in a hex dump before cutting), and afterwards we run the file utility again to check the updated output, as shown in the image below.
The strings output from payload.bin confirms that a complete executable was carved, so we are ready to continue with further investigation of this sample, as shown in the image below.
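The carving steps above (dump with zsteg, trim to the MZ header, confirm with file and strings) as an added Python example. This is not the author's code and was not run against the real sample. It assumes the dumped stream has the literal MARKER_START immediately in front of the MZ header, as the zsteg text hit suggests, computes the cut offset instead of hard-coding it, and then proves the result is a PE by following e_lfanew to the PE\0\0 signature rather than trusting a chance MZ. The sample dump it builds is constructed.

```python
#!/usr/bin/env python3
"""Carve and sanity-check the PE hidden behind MARKER_START.

Added example for this write-up, not the author's code. It assumes the byte
stream dumped by zsteg (out.bin) looks like the zsteg text hit suggests:
the literal "MARKER_START" followed directly by the MZ header. The sample
dump built below is constructed, not taken from the real BMP.
"""
import struct
import sys

MARKER = b"MARKER_START"  # taken from the zsteg hit 'MARKER_STARTMZP'


def find_mz_offset(data: bytes, marker: bytes = MARKER) -> int:
    """Offset of the first 'MZ' after the marker (from 0 if no marker); -1 if absent."""
    start = data.find(marker)
    search_from = start + len(marker) if start != -1 else 0
    return data.find(b"MZ", search_from)


def carve_payload(data: bytes) -> bytes:
    """Return everything from the MZ header onwards, like 'tail -c +N' with the right N."""
    off = find_mz_offset(data)
    if off < 0:
        raise ValueError("no MZ signature found in dump")
    return data[off:]


def validate_pe(blob: bytes) -> dict:
    """Parse just enough of the DOS/PE headers to prove this is a PE, not a chance 'MZ'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("blob does not start with a DOS header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # PE signature (4) + COFF header (20) + optional-header Magic (2) must fit.
    if e_lfanew + 26 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsections = struct.unpack_from("<HH", blob, e_lfanew + 4)
    magic = struct.unpack_from("<H", blob, e_lfanew + 24)[0]
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,          # 0x14c = x86, 0x8664 = x64
        "sections": nsections,
        "pe32plus": magic == 0x20B,  # 0x10b = PE32, 0x20b = PE32+
    }


def build_sample_dump() -> bytes:
    """Constructed stand-in for out.bin: marker + minimal 64-bit PE headers + trailing noise."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 0xEE  # PE32+ magic, rest of 0xF0 bytes zeroed
    return MARKER + bytes(dos) + coff + opt + b"\x41" * 16


def main(argv):
    """Usage: carve.py [out.bin]; with no argument the constructed dump is analysed."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_dump()
    off = find_mz_offset(data)
    print(f"MZ at offset {off} -> equivalent shell: tail -c +{off + 1} out.bin > payload.bin")
    info = validate_pe(carve_payload(data))
    print(f"PE ok: machine=0x{info['machine']:x} sections={info['sections']} pe32plus={info['pe32plus']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with out.bin as the argument; without one it analyses the constructed dump. The printed tail -c +N is the exact command to reproduce the cut in the shell, since tail counts bytes from 1 while the Python offset is 0-based. If validate_pe raises, the MZ you found was not the start of a real executable and the channel specification or offset needs another look.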
Below is the VirusTotal detection for the dumped sample, taken before everything in front of the MZ header was trimmed.
Enjoy :)
Malware Analysis, News and Indicators - Latest topics
