Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

May 12, 2025, 8:46 a.m.

Description

This article discusses a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in seemingly benign 32-bit .NET applications. The malware uses a multi-stage process to extract, deobfuscate, load, and execute secondary payloads, ultimately detonating the final payload. The analysis focuses on malware samples from recent malspam campaigns targeting financial organizations in Turkey and the logistics sector in Asia. The article provides a detailed technical breakdown of the four stages of the malware's execution, from the initial payload to the final Agent Tesla variant. It also offers insights into effective analysis approaches and protection measures against this steganography-based threat.

Date

  • Created: May 9, 2025, 8:58 p.m.
  • Published: May 9, 2025, 8:58 p.m.
  • Modified: May 12, 2025, 8:46 a.m.

Attack Patterns

  • Remcos RAT
  • Agent Tesla - S0331
  • XLoader

Additional Information

  • Logistics
  • Finance