Iranian Hackers Hide C2 in Google Pixels: OilRig’s Stealthy Cloud Image Steganography + Video

Listen to this Post

Featured Image

Introduction:

In a sophisticated cyberespionage campaign, the Iranian state-sponsored group APT-C-49 (OilRig/APT34) has been hiding malware command-and-control (C2) configurations inside seemingly harmless PNG images hosted on Google Drive using Least Significant Bit (LSB) steganography. This multi-stage attack chain leverages legitimate cloud infrastructure and fileless execution to remain undetected while exfiltrating sensitive data.

Learning Objectives:

  • Understand how LSB steganography can embed malicious configurations into image pixels
  • Learn to detect anomalous image downloads and in-memory payload execution
  • Implement monitoring for abuse of legitimate cloud services and Telegram API traffic

You Should Know:

  1. The OilRig Attack Chain: From Excel Lure to Stealth C2

Step‑by‑step guide explaining what this does and how to use it.

The attack begins when a victim receives a spear-phishing email containing a malicious Excel file, often disguised as a document related to Iranian protests (e.g., “Final List_Tehran.xlsm”). When the victim opens the file and enables macros, a VBA script decodes embedded C source code and compiles it using the legitimate Windows compiler `csc.exe` (C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe). The compiled loader runs entirely in memory, leaving minimal forensic footprint.

Once active, the loader connects to a hardcoded GitHub repository to fetch an encoded text file containing a Google Drive link to a PNG image. Using LSB steganography, the malware extracts encrypted C2 configuration data from the image pixels, then decrypts it using Base64 and XOR methods to obtain the C2 server addresses and Telegram bot credentials.

 Monitoring csc.exe compilation (Windows PowerShell Event Logs)
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $<em>.Id -eq 1 -and $</em>.Message -match "csc.exe" }

Linux monitoring for unusual outbound connections to cloud storage
sudo tcpdump -i eth0 -n 'host drive.google.com or host github.com or host api.telegram.org'

The malware then establishes an encrypted C2 channel using the Telegram Bot API, blending malicious traffic with legitimate network activity to bypass firewalls. Custom modules for file uploads, credential theft, and command execution are fetched directly into memory from the C2 server, avoiding file‑based detection.

 Detect Telegram API traffic (Suricata rule example)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Potential Telegram Bot API C2"; content:"/bot"; http_uri; content:"/sendMessage"; http_uri; sid:1000001;)

To maintain persistence, the malware copies legitimate Windows executables and schedules tasks to trigger the payload on each startup.

 Check for suspicious scheduled tasks (Windows)
schtasks /query /fo LIST /v | findstr /i "C:\Windows\System32\"

List scheduled tasks on Linux (cron)
crontab -l
sudo cat /var/spool/cron/crontabs/
  1. Mastering LSB Steganography: Hide and Extract Data in Images

Step‑by‑step guide explaining what this does and how to use it.

LSB (Least Significant Bit) steganography works by replacing the lowest bits of each pixel’s color values (Red, Green, Blue) with bits of secret data. A 1024×768 pixel PNG image can hide approximately 94KB of configuration information—enough for encrypted C2 data.

To understand how attackers use LSB steganography, you can practice using free tools:

 Linux - Install steghide
sudo apt-get install steghide

Hide a file inside an image
steghide embed -cf cover_image.jpg -ef secret_config.txt -p "your_passphrase"

Extract hidden data (as OilRig does)
steghide extract -sf suspicious_image.jpg -p "passphrase"

Alternative: OpenStego
openstego embed -mf config.txt -cf original.png -sf stego.png

To detect LSB steganography, use `stegdetect` with statistical analysis:

 Detect steganography in JPEG images
stegdetect -s -t -i suspicious.jpg

StegExpose (Java) for bulk analysis
java -jar stegExpose.jar /path/to/images/ -t 0.3

Given the prevalence of LSB steganography, many organizations struggle to identify steganographic content. It is common to find high volumes of false positives when scanning images at scale.

 Python script to detect LSB anomalies
from PIL import Image
import numpy as np
img = Image.open('sample.png')
pixels = np.array(img)
lsb = pixels & 1
if np.mean(lsb) != 0.5:
print("Potential LSB steganography detected")

For real-time detection of suspicious image downloads, monitor network requests from Microsoft Office processes:

 Windows PowerShell: Monitor Excel creating outbound connections
Get-NetTCPConnection | Where-Object { $_.OwningProcess -eq (Get-Process excel).Id }
  1. Defending Against Fileless Malware and Cloud Abuse Defenses

Step‑by‑step guide explaining what this does and how to use it.

OilRig’s campaign highlights the importance of defending against fileless malware that operates entirely in memory without writing to disk. To mitigate these threats, you must implement application control, restrict macro execution, and monitor for suspicious process behaviors.

First, restrict macro execution in Microsoft Office:

 Windows Group Policy: Disable macros for Excel
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\Excel\Security" -Name "VBAWarnings" -Value 2

Apply via PowerShell to all users
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine

Second, restrict compilation of unsigned C code by controlling `csc.exe` execution:

 Windows Software Restriction Policy (AppLocker)
New-AppLockerPolicy -RuleType Exe -User Everyone -Path "C:\Windows\Microsoft.NET\Framework\csc.exe" -Action Deny

Linux AppArmor profile for restricting compilation
sudo aa-genprof /usr/bin/gcc

Third, implement EDR rules to detect in-memory payloads and anomalous process injections:

 Sysmon configuration to log process creation (XML entry)
<Sysmon>
<EventFiltering>
<ProcessCreate onmatch="include">
<CommandLine condition="contains">csc.exe</CommandLine>
</ProcessCreate>
</EventFiltering>
</Sysmon>

Detect PowerShell reflection loading (Event ID 4104)
Get-WinEvent -LogName "Windows PowerShell" | Where-Object { $<em>.Id -eq 4104 -and $</em>.Message -match "System.Reflection.Assembly" }

To block OilRig-style attacks, configure your firewall to monitor Google Drive and GitHub traffic from non‑browser processes:

 Windows Firewall: Block Excel from connecting to cloud storage
New-NetFirewallRule -DisplayName "Block Excel to Cloud" -Direction Outbound -Program "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" -RemoteAddress "142.250.0.0/16","140.82.112.0/20" -Action Block

Linux iptables: Restrict outbound to cloud CDNs
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m string --string "drive.google.com" --algo bm -j DROP

Finally, monitor for unusual Telegram Bot API usage, which appears as a significant challenge for network security teams due to the service’s legitimate use:

 Zeek (Bro) script to detect Telegram API anomalies
event http_request(c: connection, method: string, uri: string, version: string)
{
if (/bot.\/sendMessage/ in uri && /http:\/\/api.telegram.org/ in c$http$host)
print fmt("Potential C2: %s", uri);
}
  1. MITRE ATT&CK Mapping and Threat Hunting for OilRig TTPs

Step‑by‑step guide explaining what this does and how to use it.

To effectively hunt for OilRig activity, you must understand their TTPs (Tactics, Techniques, and Procedures) as mapped to the MITRE ATT&CK framework. OilRig’s campaign primarily employs techniques such as T1027 (Obfuscated Files or Information) via LSB steganography, T1568 (Dynamic Resolution) by fetching C2 configurations from cloud images, and T1071.001 (Application Layer Protocol: Web Protocols) using Telegram Bot API.

Start by collecting Windows event logs and correlating indicators:

 Collect Sysmon Event ID 1 for process creation
wevtutil qe "Microsoft-Windows-Sysmon/Operational" /f:text /c:100 | findstr /i "csc.exe"

Query PowerShell logs for suspicious execution (Event ID 4103)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4103} | Where-Object { $_.Message -match "-EncodedCommand" }

Build hunting queries for encoded PowerShell commands often used in conjunction with C loaders:

 Detect Base64-encoded PowerShell commands
Get-WinEvent -LogName "Windows PowerShell" | Where-Object { $_.Message -match "[A-Za-z0-9+/]{40,}={0,2}" }

Linux: Detect encoded commands in bash history
grep -E "echo.base64" /home//.bash_history

Host-based Indicators of Compromise (IOCs) include:

 UNIX/Linux: Search for malicious scheduled tasks referencing cloud domains
grep -r "drive.google.com" /etc/cron /var/spool/cron/
grep -r "github.com" /etc/cron /var/spool/cron/

Windows: Search registry for persistent tasks
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Create custom YARA rules to identify known OilRig loaders and steganography artifacts:

rule OilRig_Loader {
meta:
description = "Detects OilRig C loader artifacts"
strings:
$s1 = "Telegram.Bot" nocase
$s2 = "LSB" nocase
$s3 = "GoogleDrive" nocase
$hash = { 48 83 EC 28 48 8B 01 48 89 44 24 }
condition:
any of ($s) or $hash
}

Network-based IOCs to monitor include:

 Snort rule for OilRig C2 pattern detection
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"OilRig Google Drive Steganography C2"; flow:to_server,established; content:"drive.google.com"; http_host; pcre:"/.png$/Ui"; sid:1000002;)

Monitor for Telegram API anomalies using netstat
netstat -an | findstr "149.154.167.91" && echo "Telegram C2 possible"
netstat -an | grep "149.154.167.91" && echo "Telegram C2 possible"

For proactive threat hunting, review corporate firewalls for connections to unknown Google Drive links from Microsoft Excel processes:

 PowerShell: Find Excel processes with open network connections
Get-NetTCPConnection | Where-Object { $_.OwningProcess -eq (Get-Process -Name EXCEL).Id }
 Check for connections to GitHub
Resolve-DnsName api.github.com | Select-Object IPAddress
  1. Advanced Evasion: Memory‑Only Execution and Cloud API Abuse

Step‑by‑step guide explaining what this does and how to use it.

OilRig’s most dangerous innovation is its 50% reliance on legitimate cloud services for infrastructure, combined with fileless execution. By hosting malicious configuration images on Google Drive, attackers piggyback on Google’s trusted reputation and SSL certificates, bypassing many content filters.

To defend against this abuse, implement outbound TLS inspection and reputation scoring for cloud domains:

 Configure Squid proxy SSL bump for Google Drive
http_port 3128 ssl-bump generate-host-certificates dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

Block non-browser user agents from accessing cloud storage
acl block_ua browser reqheader User-Agent -i ^(?!.(Chrome|Firefox|Edge)).$
http_access deny block_ua

Deploy EDR solutions capable of detecting reflective DLL loading and process hollowing:

 Windows: Monitor for reflective DLL injection via ETW
logman start "ReflectiveDLL" -p {Microsoft-Windows-Kernel-Process} -o "C:\Logs\proc.etl" -ets

Linux: Audit ptrace calls for process injection
auditctl -a always,exit -F arch=b64 -S ptrace -k process_injection

Given that many organizations allow outbound Telegram traffic, examine network behavior patterns that deviate from normal API usage:

 Python script to baseline Telegram API usage
import requests
import json
response = requests.get("https://api.telegram.org/bot<TOKEN>/getUpdates")
if len(json.loads(response.text)['result']) > 100:
print("Suspicious high volume of commands")

For cloud hardening, enforce conditional access policies that block downloads from unmanaged devices or untrusted IP ranges:

 Azure AD Conditional Access PowerShell (restricting Google Drive)
New-AzureADPolicy -Definition @('{"CloudAppSecurity":"enabled","BlockUnmanagedDevices":true}') -DisplayName "Block Unmanaged Cloud Downloads"

To improve defenses, implement micro-segmentation to restrict Office applications from directly accessing the internet without passing through a secure web gateway. Common sources of infection, such as phishing emails, can be mitigated with user training and DMARC enforcement.

 Linux: iptables micro-segmentation for specific process groups
iptables -A OUTPUT -m owner --gid-owner office_sg -j DROP
iptables -A OUTPUT -m owner --gid-owner office_sg -d 142.250.0.0/16 -j ACCEPT  Google only

Implement behavioral analytics to detect anomalous image downloads:

 Splunk SPL query for suspicious PNG downloads
index=web sourcetype=access_combined uri=".png" useragent!="Chrome" useragent!="Firefox" 
| stats count by src_ip, uri
| where count > 10
  1. Incident Response: Extracting C2 Configs from Suspicious Images

Step‑by‑step guide explaining what this is and how to use it.

If you suspect an OilRig compromise or similar steganographic attack, immediately isolate the affected host and capture forensic images of memory (RAM) and disk. Given the fileless nature, memory analysis is critical.

First, capture memory using WinPmem or LiME:

 Windows memory capture
winpmem.exe -o memdump.raw

Linux memory capture (LiME)
insmod lime.ko "path=/root/memdump.raw format=raw"

Next, extract C2 configurations from suspicious images using steghide or custom LSB extraction scripts:

 Attempt extraction with common c2 passphrases
steghide extract -sf suspicious.png -p '' -xf extracted.txt
steghide extract -sf suspicious.png -p 'OilRig' -xf extracted.txt
steghide extract -sf suspicious.png -p '123456' -xf extracted.txt

Python script for raw LSB extraction (no passphrase)
from PIL import Image
img = Image.open('suspicious.png')
pixels = list(img.getdata())
bits = ''
for pixel in pixels[:1024]:
bits += str(pixel[bash] & 1)
 Repeat for each channel

Correlate extracted data with network logs to identify all C2 communications:

 Extract Base64+ XOR from LSB data
cat extracted_data.txt | base64 -d | xxd -p | tr -d '\n'
 Perform XOR decoding with possible keys (e.g., 0xAA)
python -c "data=open('extracted_data.hex').read(); print(''.join(chr(ord(c)^0xAA) for c in data.decode('hex')))"

Containment should include revoking access tokens for compromised cloud accounts and blocking discovered Telegram bot tokens at the firewall. A standard first step is to disable macros organization-wide while conducting a retrospective analysis.

 Windows: Block specific Telegram bot IPs
New-NetFirewallRule -DisplayName "Block Telegram C2" -Direction Outbound -RemoteAddress 149.154.167.0/24 -Action Block

Linux: Add threat intelligence blocklists
sudo iptables -A FORWARD -m iprange --dst-range 149.154.167.0/24 -j DROP

For eradication, remove persistence mechanisms:

 Windows: Delete malicious scheduled tasks
schtasks /delete /tn "MaliciousTaskName" /f

Linux: Remove cron jobs
crontab -r

What Undercode Say:

  • Key Takeaway 1: Cloud credibility is a weapon. Attackers exploit trusted platforms like Google Drive and GitHub to bypass security filters. Monitoring non‑browser cloud access is essential.
  • Key Takeaway 2: Steganography remains highly effective for evading content inspection. Organizations must adopt statistical image analysis and outbound TLS inspection.

OilRig’s shift to fileless, multi‑stage attacks demonstrates a maturing adversary that leverages existing security tooling blind spots. The traditional malware detection model—scanning files on disk—is becoming obsolete. A robust defense requires behavioral analytics, memory monitoring, and strict cloud application control. With the proliferation of encrypted cloud traffic, many teams will need to revisit network visibility strategies to counter this emerging threat.

Prediction:

As steganography tools become more accessible and cloud APIs more ubiquitous, we will see a surge in image‑based C2 channels across multiple threat actors. Organizations will likely adopt image entropy analysis and machine learning anomaly detection for outbound image traffic. The arms race will push adversaries toward AI‑generated cover images that mimic benign statistical distributions, making detection without cloud provider cooperation extremely difficult.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Varshu25 Iranian – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky