A novel .NET-based malware loader is employing an innovative steganography technique to conceal the Lokibot trojan within image files, significantly challenging existing cybersecurity defenses. This advanced multi-stage payload delivery system embeds malicious code within seemingly innocuous PNG and BMP files, a method highly effective at evading detection by security tools and analysts.
Security researchers have identified this evolving threat as part of a global attack campaign targeting various organizations. The attackers exploit the common practice among antivirus software and email gateways of whitelisting image files on the assumption that they are safe and pose no risk. This implicit trust in image files creates a blind spot that the new malware leverages.
.NET Malware Hides Lokibot within Images Using Steganography
The malware functions as a steganography loader, capable of extracting and executing the Lokibot information stealer from within image files. The delivery mechanism typically originates from phishing emails or compromised websites that host the initial loader. Once executed, the malware retrieves image files containing hidden Lokibot payloads from remote servers. This sophisticated embedding process manipulates pixel data within PNG and BMP files, specifically utilizing RGB color channels to store encoded executable code.
According to Splunk security researchers, this technique represents a notable shift in malware evasion strategies. Traditional detection methods that rely on identifying suspicious file signatures or behavioral patterns are often bypassed by this image-based steganography. The malware includes a custom decryption routine to extract the Lokibot payload after retrieval, adding another layer of obfuscation that delays analysis and detection.
Upon successful deployment, Lokibot actively harvests sensitive credentials and data from infected systems. Its targets include browser histories, saved passwords, and application-specific authentication tokens. This makes the malware particularly dangerous for corporate environments where employees frequently access multiple cloud services, potentially compromising a wide range of sensitive information.
The Steganographic Embedding Mechanism Explained
The technical sophistication of this attack is further revealed by its steganographic embedding mechanism. The .NET loader contains embedded PNG and BMP files within its resource section. These image files are specifically crafted to contain the Lokibot payload encoded across multiple pixel values. The encoding process exploits the ARGB color format, where each pixel consists of alpha, red, green, and blue channel data.
Attackers manipulate these channel values to embed encoded bytes of the malicious executable. The process involves extracting individual pixel values, converting them into hexadecimal sequences, and then reassembling these bytes to reconstruct a complete Portable Executable (PE) module. The extracted file is typically a Dynamic Link Library (DLL), such as “captive.dll,” which acts as an intermediate stage. This DLL then decrypts and executes the final Lokibot trojan.
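The extraction step described above can be turned around for detection: read the pixel channel bytes back out of an image and check whether they form a Portable Executable. The following Python is an added example (not the loader's code and not Splunk's detection logic); it handles only uncompressed 24-bit BMP files with the standard library, assumes a simple sequential R,G,B channel order that the article does not actually specify, and builds its own constructed fixture. A PNG would first need to be decoded to raw pixels, after which the same check applies.

```python
import struct

PE_SIG = b"PE\x00\x00"

def bmp24_channel_bytes(data: bytes) -> bytes:
    """Reassemble an uncompressed 24-bit BMP's channel bytes as R,G,B per pixel,
    top row first. Assumption: sequential channel order; the article only says
    that RGB channel values carry the payload bytes."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pix_off = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp, compression = struct.unpack_from("<HI", data, 28)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMP is handled here")
    stride = (width * 3 + 3) & ~3                  # rows are padded to 4 bytes
    n = abs(height)                                # negative height = top-down
    rows = range(n) if height < 0 else range(n - 1, -1, -1)
    out = bytearray()
    for r in rows:
        row = data[pix_off + r * stride : pix_off + r * stride + width * 3]
        for x in range(width):
            b, g, rr = row[3 * x : 3 * x + 3]      # BMP stores pixels as BGR
            out += bytes((rr, g, b))
    return bytes(out)

def find_pe_header(blob: bytes):
    """Offset of an MZ header whose e_lfanew points at 'PE\\0\\0', else None."""
    i = blob.find(b"MZ")
    while i != -1:
        if i + 0x40 <= len(blob):                  # room for the DOS header
            e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
            if e_lfanew > 0 and blob[i + e_lfanew : i + e_lfanew + 4] == PE_SIG:
                return i
        i = blob.find(b"MZ", i + 1)
    return None

def image_carries_pe(data: bytes) -> bool:
    return find_pe_header(bmp24_channel_bytes(data)) is not None

def make_test_bmp(payload: bytes, width: int = 16) -> bytes:
    """Constructed fixture only: a top-down 24-bit BMP whose channels hold payload."""
    height = -(-len(payload) // (width * 3))       # ceiling division
    stride = (width * 3 + 3) & ~3
    padded = payload.ljust(width * 3 * height, b"\x00")
    pixels = bytearray()
    for r in range(height):
        for x in range(width):
            rr, g, b = padded[(r * width + x) * 3 : (r * width + x) * 3 + 3]
            pixels += bytes((b, g, rr))
        pixels += b"\x00" * (stride - width * 3)
    head = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, -height, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    return head + dib + bytes(pixels)

# Constructed 88-byte stand-in for a PE header: DOS stub, e_lfanew = 0x40, then "PE\0\0".
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + PE_SIG + b"\x00" * 20
```

A real scanner would also try the other channel orderings and per-channel extractions (for example only the blue byte of each pixel), since nothing forces an attacker to use the sequential layout assumed here.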
This layered approach means that security tools must unpack multiple stages of encoding and encryption before they can identify the actual threat. The effectiveness of this technique lies in its ability to distribute malware using files that pass content analysis, satisfy file-type validation checks, and circumvent gateway filters designed for more conventional payload detection methods. The continued evolution of such sophisticated evasion tactics by threat actors underscores the ongoing need for adaptive and multi-layered cybersecurity strategies.
The implications of this attack method are significant, as it highlights a growing trend of attackers leveraging non-executable file formats to conceal malicious payloads. Organizations are advised to review their security policies and consider implementing more advanced detection mechanisms that can analyze file contents at a deeper level, even within seemingly benign image files. Further research is expected to identify specific indicators of compromise (IOCs) and develop more robust defense strategies against this evolving threat.