Attackers leveraged .NET assemblies with bitmap resources to conceal remote access trojans (RATs) in a recent malspam campaign, Palo Alto Networks’ Unit 42 reported Friday. Unit 42 researchers discovered RATs, including Agent Tesla and Remcos RAT, as well as the XLoader infostealer, hidden in otherwise benign 32-bit .NET files distributed via email and labeled as requests for quotation, purchase orders or other business-related documents.

A sample from the campaign, which mostly targeted the financial industry in Turkey and the logistics sector in Asia, was analyzed by Unit 42 to uncover its full attack chain. This sample was a copy of the legitimate application Windows Form OCR with the malware embedded in the resource section of the .NET assembly.

The attack involved several stages, starting with the initial executable xgDV.exe, which the report authors noted contained custom methods and parameters following an underwater theme (e.g. AbyssalScan, MarineExploration, VerifyOxygenSaturation).

The first step unpacks a dynamic link library (DLL) called TL.dll from the bitmap resource named “sv”; TL.dll serves as the loader for the next stage of the attack. TL.dll then unpacks a second bitmap from the original executable, called rbzR, into Montero.dll.

Montero.dll itself contains a .NET byte array resource called uK5APqTdSG, which it unpacks into the final payload Remington.exe, a variant of the Agent Tesla RAT. Montero.dll uses XOR encryption with subtraction to deobfuscate the uK5APqTdSG byte array and ultimately load and execute Remington.exe.

This technique is a form of steganography, where malicious code is hidden within image files. In this case, the images are embedded directly within the .NET assemblies rather than downloaded from an external source, and the payload is easily retrieved from the raw bitmap (BMP) image data.

Unit 42 explains that this evasion technique can be combated by creating a debugger using the .NET Framework’s ICorDebugManagedCallback interface to hook the following API functions:
System.Resources.ResourceManager::GetObject(string name)
System.AppDomain::Load(byte[] rawAssembly)
System.Reflection.Assembly::Load(byte[] rawAssembly)
Hooking these functions will temporarily pause execution at certain points to retrieve data when embedded resources are being read by a .NET application, and when a .NET assembly is loaded from a raw byte array.
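A static triage check that complements the debugger approach, added here as an example and not Unit 42's tooling or code from the campaign: once a bitmap resource has been dumped from a .NET assembly (for instance at the GetObject hook above), strip the BMP headers and look in the pixel bytes for an MZ/PE header and the CLR "BSJB" metadata signature. The sample bitmap and the minimal managed-PE stand-in are constructed inline; the campaign's exact pixel-data layout is not assumed beyond the article's statement that the payload sits in the raw BMP data.

```python
import struct

def bmp_pixel_data(blob: bytes) -> bytes:
    """Return the pixel array of a BMP, skipping the 14-byte file header and the DIB header.
    bfType 'BM' sits at offset 0; bfOffBits (offset of the pixel array) at offset 10."""
    if len(blob) < 14 or blob[:2] != b"BM":
        raise ValueError("not a BMP blob")
    off_bits = struct.unpack_from("<I", blob, 10)[0]
    if off_bits > len(blob):
        raise ValueError("bfOffBits points beyond the end of the data")
    return blob[off_bits:]

def find_embedded_pe(data: bytes):
    """Scan for an 'MZ' header whose e_lfanew points at a valid PE signature.
    Returns (offset, is_dotnet) for the first hit, or None if nothing plausible is found."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # e_lfanew is small in real binaries; the bound rejects random byte pairs that spell "MZ"
            if e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                # "BSJB" is the CLR metadata root signature carried by every managed assembly
                is_dotnet = data.find(b"BSJB", pe) != -1
                return pos, is_dotnet
        pos = data.find(b"MZ", pos + 1)
    return None

def scan_bmp_resource(blob: bytes):
    """Combine both steps: header-strip the bitmap, then look for a PE in its pixel bytes."""
    return find_embedded_pe(bmp_pixel_data(blob))

# --- constructed sample input (not taken from the campaign) ---
def make_bmp(pixels: bytes) -> bytes:
    """Wrap arbitrary bytes as the pixel array of a 24-bit BMP with a 40-byte BITMAPINFOHEADER."""
    dib = struct.pack("<IiiHHIIiiII", 40, max(1, len(pixels) // 3), 1, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54) + dib + pixels

def fake_managed_pe() -> bytes:
    """Minimal stand-in for a managed PE: MZ stub, e_lfanew = 0x80, PE signature, BSJB marker."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20 + b"BSJB" + b"\0" * 8

CONSTRUCTED_BMP = make_bmp(b"\xff" * 9 + fake_managed_pe())

if __name__ == "__main__":
    print(scan_bmp_resource(CONSTRUCTED_BMP))  # -> (9, True)
```

A hit on a bitmap resource that also contains the BSJB marker is a strong indicator that the image is a carrier for a managed assembly rather than a picture; a plain "MZ" match alone is not, which is why the e_lfanew check is kept.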