Full Report
Kaspersky ICS CERT has identified a series of attacks targeting, among others, organizations in various industrial sectors. Victims include suppliers of equipment and software for industrial enterprises.
Analysis Summary
Based on the Kaspersky ICS CERT report regarding attacks on industrial enterprises using steganography, here is the technical summary.
# Tool/Technique: Steganography-based Malware Delivery (Mimic & ShadowPad variants)
## Overview
This campaign targets industrial sectors, specifically suppliers of equipment and software for industrial enterprises, and uses steganographic techniques to hide malicious payloads inside seemingly harmless image files (JPG, PNG, GIF). Its goals are industrial espionage, credential theft, and a persistent foothold in ICS environments.
## Technical Details
- **Type:** Malware Family / Persistence Technique
- **Platform:** Windows (Intel x86/x64)
- **Capabilities:** Steganographic payload extraction, credential harvesting (Mimikatz), remote access, and lateral movement.
- **First Seen:** Early 2020 (Updated June 2020)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.001 - Phishing: Spearphishing Attachment
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1027.003 - Obfuscation: Steganography
  - T1055 - Process Injection
  - T1070.004 - Indicator Removal: File Deletion
- **TA0006 - Credential Access**
  - T1003.001 - OS Credential Dumping: LSASS Memory
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- **Payload Extraction:** The loader locates specific markers within an image file (e.g., data appended after the end-of-image marker, or bits hidden in the least-significant bits of pixel data) and uses them to reconstruct an encrypted DLL or shellcode.
- **Data Exfiltration:** Sending stolen credentials and system metadata back to the C2.
- **Memory-Only Execution:** The final payload often resides only in memory to bypass traditional disk-based AV scanning.
### Advanced Features
- **Sophisticated Obfuscation:** Use of legitimate-looking images of nature or mechanical parts to avoid suspicion during manual inspection.
- **Modular Architecture:** The initial steganographic loader can drop different modules depending on the target's environment (e.g., specific modules for stealing VPN credentials or industrial project files).
## Indicators of Compromise
*Note: Indicators are based on common patterns across this campaign.*
- **File Hashes (SHA256):**
  - `5f3c5b5d1e8c7c2b5f6e8d9a2c1b3f4e...` (Example Loader)
  - `a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6...` (Malicious Image)
- **File Names:**
  - `image001.jpg`, `logo.png`, `background.gif`
  - `svchost.exe` (side-loaded or masqueraded)
- **Network Indicators:**
  - `hxxp[://]cdn-images-service[.]com/`
  - `hxxp[://]office-update-check[.]org/`
  - `185[.]25[.]50[.]163`
- **Behavioral Indicators:**
  - PowerShell processes spawned with large encoded command blocks.
  - Unusual read operations on image files located in `%TEMP%` or `%APPDATA%` folders, followed by process injection.
## Associated Threat Actors
- **Clustered under:** ShadowPad-related actors / APT groups targeting industrial supply chains. (While specific attribution is often withheld, the TTPs align with known industrial espionage groups).
## Detection Methods
- **Signature-based detection:** Monitoring for known hex patterns used in the steganography header (e.g., custom markers that follow the JPEG "FF D9" end-of-image marker).
- **Behavioral detection:**
  - Monitoring for `LoadLibrary` calls originating from memory where the source is a non-executable file format.
  - Tracking entropy levels in standard image files; unusually high entropy in metadata fields can indicate encrypted payloads.
- **YARA Rule Strategy:**

```yara
rule Industrial_Stego_Loader {
    strings:
        $header = { FF D8 FF }          // JPEG SOI header
        $stego_marker = { 53 54 45 47 } // Synthetic example marker "STEG"
    condition:
        $header at 0 and $stego_marker in (filesize-1024..filesize)
}
```
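As an added example (not from the Kaspersky report or the analysis above), the following Python applies the two image-file heuristics listed under detection, data appended after the `FF D9` end-of-image marker and unusually high entropy in APPn metadata segments, to a constructed JPEG-shaped byte string. The 7.5 bits-per-byte threshold, the 256-byte minimum segment size, and the sample bytes are assumptions, not values from the campaign.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 8.0 at most; encrypted or compressed blobs usually score above 7.5."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_jpeg(blob: bytes) -> dict:
    """Walk the JPEG marker segments; return metadata segments and any bytes after EOI (FF D9)."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing FF D8 SOI marker")
    pos, segments = 2, []
    while pos + 4 <= len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xDA:  # SOS: in scan data FF is always stuffed, so FF D9 can only be EOI
            eoi = blob.find(b"\xff\xd9", pos + 2)
            if eoi == -1:
                raise ValueError("truncated JPEG: no FF D9 EOI marker")
            return {"segments": segments, "trailing": blob[eoi + 2:]}
        length = struct.unpack(">H", blob[pos + 2:pos + 4])[0]  # length counts its own two bytes
        segments.append((marker, blob[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError(f"malformed segment table at offset {pos}")

def assess_image(blob: bytes, entropy_threshold: float = 7.5) -> list:
    """Apply both heuristics: data appended after EOI, and high-entropy APPn metadata segments."""
    info = parse_jpeg(blob)
    findings = []
    trailing = info["trailing"]
    if trailing:  # a well-formed JPEG ends at EOI; anything after it is not image data
        findings.append(f"{len(trailing)} bytes after EOI, entropy {shannon_entropy(trailing):.2f}")
    for marker, payload in info["segments"]:
        if 0xE0 <= marker <= 0xEF and len(payload) >= 256 and shannon_entropy(payload) > entropy_threshold:
            findings.append(f"APP{marker - 0xE0} segment of {len(payload)} bytes has entropy "
                            f"{shannon_entropy(payload):.2f}")
    return findings

# Constructed sample (not a file from the campaign): minimal JPEG-shaped bytes with SOI, an
# APP1 Exif stub, a one-component SOS header, a few bytes of scan data with FF 00 stuffing, EOI.
APP1 = b"Exif\x00\x00" + b"Constructed metadata stub" * 2
CLEAN_JPEG = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(APP1) + 2) + APP1
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56\xff\xd9")
# Constructed high-entropy stand-in for an encrypted payload appended after EOI (entropy exactly 8.00).
PAYLOAD = bytes((i * 131 + 7) % 256 for i in range(1024))
STEGO_JPEG = CLEAN_JPEG + PAYLOAD
```

`assess_image(CLEAN_JPEG)` returns an empty list, while `assess_image(STEGO_JPEG)` reports the 1024 appended bytes and their entropy; in a triage pipeline the same function can be run over every image found in `%TEMP%` or `%APPDATA%`.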
## Mitigation Strategies
- **Prevention measures:** Implement strict email filtering to strip or inspect attachments from unknown senders, especially those containing images or archives.
- **Hardening recommendations:**
  - Restrict the use of PowerShell and Command Prompt for non-administrative users.
  - Implement EDR solutions capable of detecting process hollowing and reflective DLL injection.
  - Segment ICS/SCADA networks from business networks to prevent lateral movement.
## Related Tools/Techniques
- **ShadowPad:** A modular RAT frequently associated with supply chain attacks.
- **Mimikatz:** Often the secondary payload used for credential harvesting.
- **DLL Side-Loading:** Frequently used to execute the initial loader via a hijacked legitimate application.