Fancy Bear Uses PNG Steganography for Fileless C# Backdoor Deployment

The advanced persistent threat group uses steganography to conceal shellcode in image pixels, then loads a C# backdoor entirely in memory without writing files to disk.

CSBadmin
2 Min Read

Attack Chain Using Image Steganography

A state linked hacking group tracked as APT C 20, also known as APT28 or Fancy Bear, has adopted an advanced technique to evade detection. The attackers hide malicious shellcode inside PNG image files using least significant bit steganography. This allows them to deploy a fileless C# backdoor without writing any standalone executable to disk, making the intrusion extremely difficult for traditional antivirus tools to spot.

The campaign begins with a malicious Word document delivered via email, disguised as a defense related file for an Eastern European government. When the victim enables macros, the document drops a hidden DLL and a crafted PNG image, then hijacks a Windows COM component to load the DLL without raising alerts. The loader extracts encrypted shellcode from the image pixels, decrypts it, and runs it entirely in memory.

Payload and Cloud Based Communication

Once the shellcode executes, it reflectively loads the final payload, a heavily obfuscated C# backdoor called Publish.exe. The backdoor builds a unique identifier from the victim’s system details and communicates with the attackers using Filen.io, a cloud storage service, instead of a traditional command and control server. It uses multiple backup gateway nodes to ensure resilience. The backdoor waits for instructions, exchanges encryption keys, and can load additional code sent by the operator.

Security teams should treat unexpected macro enabled documents with caution and monitor for unusual explorer.exe behavior or traffic to cloud storage APIs. Indicators of compromise include the malicious document readme.docm, the loader dnxstore.dll, the steganographic image EdgeLogo.png, and the final payload Publish.exe, which communicates through gateway.filen.io and gateway.filen.net.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.