Microsoft Windows Is Being Hacked If You See These JPEG Images

Microsoft users have every right to feel bombarded by hackers lately. With recent global SharePoint attacks, confirmation of the FileFix Windows security bypass, and the FBI issuing a critical warning to activate 2FA in response to the Interlock ransomware threat, it's clear that attackers are becoming increasingly sophisticated.

Now, Windows users have been issued another warning about a threat hiding in plain sight – one that weaponizes JPEG image files to attack. Here’s what you need to know about the APT37 RoKRAT remote access trojan.

A Sophisticated Attack Using MS Paint and JPEG Images

When thinking of sophisticated hack attacks, the chances are that the much-derided MS Paint application and the use of basic JPEG images do not immediately spring to mind. However, in this latest attack campaign, APT37 has successfully employed these tools to deploy a truly dangerous remote access trojan called RoKRAT.

Security researchers at the Genians Security Center have warned that the risk is very real indeed, as steganography is used to obfuscate malware code. The attackers are using this technique to inject the malware into the MS Paint process during Microsoft Windows cyberattacks.

The Use of Steganography in Attacks

Steganography, from the Greek steganographia, combining words meaning concealed and writing, is the "art" of concealing information within a different medium so that it is not immediately evident to even a skilled observer. In the world of cybersecurity, steganography is most commonly seen as malicious code hiding within a seemingly harmless image.

This technique has been used for decades – even by yours truly 25 years ago when I employed it to capture keyboard output and hide it in an image file for later extraction. Unfortunately, this does not make the technique outdated or any easier to detect. And that’s why APT37 attackers are deploying steganography in these latest RoKRAT campaigns.

Mitigating the Attack: Endpoint Detection and Response

“When shellcode is injected into the mspaint.exe process to perform a fileless attack,” the researchers warned, “detection by signature- or pattern-based security solutions may be difficult.” However, a mature Endpoint Detection and Response solution can identify “external communications initiated via shellcode and the Dropbox API,” which would quickly halt the Microsoft Windows attack.
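The behavioural detection the researchers describe, written out as an added example (not code from Genians or this article): a small triage rule over constructed connection telemetry that flags mspaint.exe, a process with no business talking to the internet, reaching external hosts, and raises the severity when the destination is the Dropbox API. The event format, the no-network process list and the dropboxapi.com suffix are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical policy: processes that should never reach the internet (the report names mspaint.exe).
NO_NETWORK_PROCESSES = {"mspaint.exe"}
# Dropbox API hostname suffix; an assumption, the report only says "Dropbox API".
DROPBOX_API_SUFFIX = ".dropboxapi.com"
# RFC 1918, loopback and link-local; add your own internal ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass
class NetEvent:
    """One outbound-connection record (e.g. a Sysmon event ID 3 line)."""
    image: str      # full path of the process image
    dest_ip: str
    dest_host: str  # resolved or SNI hostname, "" when unknown

def is_external(ip: str) -> bool:
    """Outside the internal ranges, so file-share document opens stay quiet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(ev: NetEvent) -> Optional[str]:
    """Severity for a suspicious event, or None for traffic this rule ignores."""
    proc = ev.image.rsplit("\\", 1)[-1].lower()  # image basename, case-folded
    if proc not in NO_NETWORK_PROCESSES or not is_external(ev.dest_ip):
        return None
    host = ev.dest_host.lower()
    if host.endswith(DROPBOX_API_SUFFIX) or host == DROPBOX_API_SUFFIX[1:]:
        return "high"    # injected process reaching a cloud API: the RoKRAT pattern
    return "medium"      # any internet egress from a no-network process is odd

def triage(events: List[NetEvent]) -> List[Tuple[str, str, str]]:
    """(severity, process, destination) for each event that deserves an alert."""
    alerts = []
    for ev in events:
        sev = classify(ev)
        if sev is not None:
            alerts.append((sev, ev.image.rsplit("\\", 1)[-1].lower(), ev.dest_host or ev.dest_ip))
    return alerts

# Constructed sample telemetry (RFC 5737 documentation addresses, not real IoCs).
SAMPLE_EVENTS = [
    NetEvent(r"C:\Windows\System32\mspaint.exe", "203.0.113.10", "api.dropboxapi.com"),
    NetEvent(r"C:\Windows\System32\mspaint.exe", "10.0.0.25", "fileserver.corp.local"),
    NetEvent(r"C:\Windows\System32\mspaint.exe", "198.51.100.7", ""),
    NetEvent(r"C:\Program Files\Browser\browser.exe", "203.0.113.10", "api.dropboxapi.com"),
]
```

Internal destinations are deliberately ignored because opening an image from a file share is normal for mspaint.exe; a browser reaching the same Dropbox endpoint is also left alone, which is what keeps the rule usable on real telemetry.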

For mere mortals without access to such enterprise tools, there’s another mitigation method: beware of the phishing tactics used initially to distribute the malware. These consist of compressed archives containing Windows shortcut links. You can read about mitigating Microsoft LNK cyberattacks here.

Microsoft's Response and Mitigation Tips

In response to the latest APT37 campaign, a Microsoft spokesperson previously advised that: “Windows identifies LNK shortcut files as a potentially dangerous file type, which means that when a user attempts to open one that had been downloaded from the internet, a security warning is automatically triggered. This warning, quite correctly, advises the user not to open files from unknown sources. We strongly recommend heeding this warning.”

“Microsoft Defender for Endpoint provides detection and protection for this type of malware,” said the spokesperson. “Customers utilizing automatic updates do not need to take additional action and will be protected.” Microsoft also encourages customers to turn on automatic updates to help ensure they are protected.

Hardening Customer Environments

Microsoft advises that hardening customer environments can help to mitigate against the kind of malware used in these latest attacks. This can be achieved by enabling attack surface reduction rules, the spokesperson said.