ThreatCure Analysis ReportBitmap Steganography in .NET Malware: A Multi-Stage Threat Campaign

/ Analysis / By

Summary
ThreatCure researchers have observed a novel malware technique exploiting bitmap steganography within 32-bit .NET applications to deliver multi-stage payloads. Threat actors embed malicious code in image resources inside seemingly legitimate executables and use in-memory execution and dynamic assembly loading to evade detection. This campaign has been particularly active in Türkiye and parts of Asia, targeting critical industries through spam emails.

Key Observations

  • Delivery Method: Malicious executables are delivered via ZIP attachments in phishing emails.
  • Payload Concealment: Malware uses bitmap resources embedded in the binary to hide payloads.
  • Obfuscation Tactics: Utilizes dynamic assembly loading, reflection, and custom encryption (XOR, subtraction-based) for layered obfuscation.
  • Targeted Payloads: Final-stage malware includes Agent Tesla, Remcos RAT, and XLoader.

Attack Lifecycle: Technical Breakdown
Stage 1: Dropper Loader (xgDV.exe)

  • Delivered as a Windows Forms application (e.g., “OCR Tool”).
  • Contains an embedded bitmap resource (sv) that is loaded using the .NET InitializeComponent() method.
  • Decrypts the resource into memory as a .NET assembly (TL.dll).

Stage 2: First Loader (TL.dll)

  • Loaded reflectively in memory.
  • Extracts a second bitmap-encoded resource (rbzR) from the original EXE.
  • Uses Late Binding to decrypt and load another .NET assembly (Montero.dll).

Stage 3: Second Loader (Montero.dll)

  • Applies XOR and subtraction-based decryption on embedded byte array (uK5APqTdSG).
  • Generates and executes the final payload (Remington.exe).
  • Supports flags for execution control (forked or in-process).

Stage 4: Final Payload Execution

  • Final payload is a variant of Agent Tesla.
  • Capabilities include:
    • Credential harvesting
    • Keylogging
    • Clipboard monitoring
    • Browser data theft
  • Exfiltrates data via SMTP over TLS.

Affected Regions and Sectors

  • Geographic Focus: Türkiye, broader Asia
  • Industries Targeted: Critical infrastructure, industrial sectors, and enterprise environments

ThreatCure Recommendations

  • Monitor for suspicious bitmap resources embedded in .NET applications
  • Implement advanced email filtering with ZIP and EXE inspection
  • Use behavioral monitoring for reflective loading and in-memory .NET assembly execution
  • Apply network detection rules for common RAT exfiltration methods (e.g., SMTP over TLS)
  • Educate users to avoid interacting with unexpected email attachments claiming to be tools or utilities

Conclusion
This campaign reflects a sophisticated evolution of malware delivery using steganography and modular loaders to bypass traditional defenses. ThreatCure advises heightened vigilance, particularly across email gateways and .NET execution environments, to proactively detect and contain such threats.