New Meterpreter Backdoor Hides Malicious Codes Within the Image


ANY.RUN sandbox has analyzed a new strain of Meterpreter backdoor malware that leverages sophisticated steganography techniques to conceal its malicious payload within an image file.

The malware, dubbed “Meterpreter Backdoor,” is designed to evade detection by hiding its code in the first two rows of a seemingly innocuous image, using only the green and blue color channels from the RGB color space.

The attack begins with a .NET executable file containing a PowerShell script that downloads a PNG image from a remote command-and-control (C2) server. Although the image appears to be a picturesque landscape, it harbors a sinister secret.

The malware builds a byte array from the image's pixel channels using the System.Drawing library and a specific formula that combines the low four bits of the green value with the low four bits of the blue value: ((G & 15) * 16) | (B & 15). For the example pixel G = 149, B = 83 this gives ((149 & 15) * 16) | (83 & 15) = 80 | 3 = 83.


This formula extracts the hidden code from the image’s first two rows’ green and blue color values.
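The extraction step described above, as an added analyst-side example (not ANY.RUN's code or the malware's own script): it applies the low-nibble formula to the green and blue channels of the first two pixel rows and checks whether the recovered bytes look like embedded text rather than image noise. The pixel rows, the sample configuration string and the image width are constructed for this example.

```python
# Added example: recover bytes hidden in the G/B low nibbles of an image's
# first two rows and flag a result that looks like text (User-Agent, IP, script).
from typing import List, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B)

def decode_pixel(g: int, b: int) -> int:
    """Combine the low 4 bits of green and blue into one byte.
    Page's worked example: G=149, B=83 -> ((149 & 15) * 16) | (83 & 15) = 83."""
    return ((g & 15) * 16) | (b & 15)

def extract_hidden_bytes(rows: List[List[Pixel]], n_rows: int = 2) -> bytes:
    """Walk the first n_rows left to right, top to bottom, one byte per pixel."""
    out = bytearray()
    for row in rows[:n_rows]:
        for _, g, b in row:
            out.append(decode_pixel(g, b))
    return bytes(out)

def looks_like_text(data: bytes, min_printable: float = 0.95) -> bool:
    """Heuristic: a high share of printable ASCII suggests an embedded
    configuration or script; real image data decodes to near-random bytes."""
    if not data:
        return False
    printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in data)
    return printable / len(data) >= min_printable

def embed_for_test(payload: bytes, width: int) -> List[List[Pixel]]:
    """Build a constructed two-row image carrying payload in the G/B low nibbles.
    Used only to produce sample input for the extractor; pads with NUL bytes."""
    padded = payload.ljust(2 * width, b"\x00")
    rows = []
    for r in range(2):
        row = []
        for i in range(width):
            byte = padded[r * width + i]
            g = 0x90 | (byte >> 4)   # high nibble kept constant, low nibble = data
            b = 0x50 | (byte & 15)
            row.append((0x40, g, b))
        rows.append(row)
    return rows

# Constructed sample values, not real indicators from the campaign.
SAMPLE_CONFIG = b"Mozilla/5.0 (constructed UA)|203.0.113.10:4444"
SAMPLE_IMAGE = embed_for_test(SAMPLE_CONFIG, width=32)

if __name__ == "__main__":
    hidden = extract_hidden_bytes(SAMPLE_IMAGE).rstrip(b"\x00")
    print("hidden text?", looks_like_text(hidden), hidden.decode("ascii", "replace"))
```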


Once the byte array is obtained, the malware decodes it into ASCII characters, revealing a User-Agent string and the IP address of the C2 server to which the malware will attempt to connect.

This connection allows the attacker to issue commands and potentially gain unauthorized access to the compromised system.

The decoded information is then converted into a script that the malware executes, enabling it to establish a persistent backdoor on the infected machine.

This backdoor can be used for various malicious activities, such as data exfiltration, remote code execution, or further spreading of the malware within the network.

Here you can find how the malware executes in the Windows sandbox.

Steganography: A Potent Weapon for Malware Delivery

Steganography, the practice of concealing information within seemingly innocuous data, has become an increasingly popular technique among cybercriminals.

Attackers can bypass traditional security measures and deliver their payloads undetected by hiding malicious code within images, audio files, or other multimedia content.

The Meterpreter Backdoor campaign highlights the sophistication and adaptability of modern malware authors. By leveraging steganography, they can effectively cloak their malicious activities, making it more challenging for security professionals to identify and mitigate threats.

“This campaign underscores the importance of adopting a multi-layered security approach that combines traditional signature-based detection with advanced techniques like behavioral analysis and machine learning,” said a cybersecurity expert. “Staying ahead of these ever-evolving threats requires constant vigilance and a proactive approach to cybersecurity.”

As the threat landscape evolves, organizations and individuals must remain vigilant and prioritize cybersecurity best practices, such as keeping software up-to-date, implementing robust access controls, and educating users on identifying and reporting suspicious activities.


