
Introduction:
Advanced Persistent Threat (APT) groups are constantly innovating to evade traditional security measures. The recent discovery of an Iranian state-sponsored actor, OilRig (also known as APT34 and Helix Kitten), showcases a sophisticated multi-stage attack that leverages seemingly innocent cloud services to conceal its entire command-and-control (C2) infrastructure. This campaign highlights a dangerous evolution in cyber espionage, where an attacker hides encrypted operational data within the pixels of a common image stored on Google Drive, using a technique known as LSB steganography, to orchestrate attacks from within a victim’s environment without raising any alarms.
Learning Objectives:
- LSB Steganography Analysis: Understand how Least Significant Bit (LSB) steganography works and how to detect and extract hidden data from image files.
- Cloud Service Abuse (C2): Analyze how attackers exploit trusted platforms like GitHub, Google Drive, and Telegram for payload delivery, configuration retrieval, and covert communication to bypass network defenses.
- Memory-Only Execution & Persistence: Detect and respond to fileless malware techniques that run entirely in memory, utilizing native Windows tools (e.g., csc.exe) and scheduled tasks for persistence.
You Should Know:
1. Anatomy of the Attack Chain: From Phishing to Pixelated Payloads
The OilRig campaign employed a highly evasive, modular attack chain that unfolded in several distinct stages, each designed to bypass specific security controls. Understanding this chain is crucial for building effective defenses.
Step‑by‑Step Guide: Replicating the Attack Chain (for educational and defensive analysis)
Phase 1: Initial Access (Social Engineering)
The attack begins with a spear-phishing email containing a malicious Excel document, typically named “Final List_Tehran.xlsm.” This document leverages a real-world social event—Iran’s national protests occurring from late December 2025 to January 2026—to increase its credibility through urgency and thematic relevance.
Phase 2: Macro Execution and On-Demand Compilation
Once the victim enables macros, the embedded VBA code does not drop a pre-built executable. Instead, it decodes C# source code stored in the document’s `CustomXMLParts` section. It then invokes the legitimate Windows C# compiler (csc.exe) to compile this source code directly on the target machine, creating a malicious loader DLL (AppVStreamingUX_Multi_User.dll). Because the binary is built on the victim machine, it has no prior hash or signature for detection products to match, which is what lets this technique slip past application allow-listing solutions that only block known malicious binaries.
Phase 3: Multi-Stage Payload Retrieval (GitHub & Google Drive)
The compiled loader contacts a GitHub account (johnpeterson1304) to download a text file, tamiManager.txt. After Base64 decoding, this file reveals a URL to a Google Drive-hosted PNG image (MIO9.png). This image appears completely benign to standard security tools and the human eye.
Phase 4: LSB Steganography Extraction (The Core C2 Mechanism)
The loader then applies a custom LSB extraction algorithm to the PNG. It reads the least significant bits of each pixel’s color data, which contain an encrypted payload. Following extraction, it performs Base64 decoding and XOR decryption to retrieve the true C2 configuration data. This hidden data includes a Telegram Bot token, a chat ID, and URLs for five distinct malicious modules (m1 through m5) responsible for persistence (pr), file upload (up), file download (do), command execution (cm), and application launch (runApp).
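To make Phase 4 concrete, here is the analyst's side of the technique in Python: an LSB extractor that reads the chosen bit plane of the RGB channels in pixel order, followed by the Base64 and XOR steps that recover a key=value configuration. This is an added example written for this article, not OilRig's code and not code from any tool the article names. Everything it works on is constructed: the cover image is a generated gradient held as flat RGB bytes (the layout Pillow returns from `Image.open(path).convert("RGB").tobytes()`), the 4-byte length prefix before the Base64 body and the `key=value;` configuration format are assumptions (the real loader's container layout is not described in the article), and the XOR key, Telegram token, chat ID and module URLs are placeholders. The `embed_lsb` helper exists only to build the test sample the extractor is checked against.

```python
import base64
import struct

# Constructed sample cover "image": flat 8-bit RGB bytes, the same layout Pillow
# returns from Image.open(path).convert("RGB").tobytes(). A smooth gradient whose
# channel values are all even, so every LSB of the clean cover is 0.
WIDTH, HEIGHT = 64, 64
COVER = bytes(
    v
    for y in range(HEIGHT)
    for x in range(WIDTH)
    for v in ((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF)
)

# Assumed container layout (the real loader's format is not documented in the
# article): 4-byte big-endian length, then Base64(XOR(config, key)). The config
# itself is assumed to be "key=value;key=value". Key and values are constructed.
XOR_KEY = b"\x5a\xa5\x3c"
CONFIG = (
    b"token=123456:CONSTRUCTED_EXAMPLE;chat=000000000;"
    b"m1=https://example.invalid/pr;m2=https://example.invalid/up;"
    b"m3=https://example.invalid/do;m4=https://example.invalid/cm;"
    b"m5=https://example.invalid/runApp"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_payload(config: bytes, key: bytes) -> bytes:
    """Build the assumed container: length prefix + Base64(XOR(config))."""
    body = base64.b64encode(xor_bytes(config, key))
    return struct.pack(">I", len(body)) + body


def embed_lsb(pixels: bytes, payload: bytes, bit_plane: int = 0,
              channels=(0, 1, 2)) -> bytes:
    """Write payload bits MSB-first into `bit_plane` of the chosen channels,
    pixel by pixel. Used here only to construct the test sample."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > (len(pixels) // 3) * len(channels):
        raise ValueError("payload does not fit in the cover")
    out = bytearray(pixels)
    mask = 0xFF ^ (1 << bit_plane)
    pos = 0
    for p in range(0, len(out) - len(out) % 3, 3):
        for c in channels:
            if pos == len(bits):
                return bytes(out)
            out[p + c] = (out[p + c] & mask) | (bits[pos] << bit_plane)
            pos += 1
    return bytes(out)


def extract_lsb(pixels: bytes, bit_plane: int = 0, channels=(0, 1, 2)) -> bytes:
    """Read `bit_plane` of the chosen channels in pixel order and pack the bits
    MSB-first into bytes. With the defaults this is the same selection as
    zsteg's "b1,rgb,lsb"."""
    bits = [(pixels[p + c] >> bit_plane) & 1
            for p in range(0, len(pixels) - len(pixels) % 3, 3)
            for c in channels]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def decode_config(blob: bytes, key: bytes) -> dict:
    """Strip the assumed length prefix, Base64-decode, XOR, parse key=value pairs.
    validate=True makes a wrong bit plane or wrong key fail loudly rather than
    yield garbage; a clean cover (all-zero LSBs) decodes to an empty config."""
    (length,) = struct.unpack(">I", blob[:4])
    body = blob[4:4 + length]
    plain = xor_bytes(base64.b64decode(body, validate=True), key)
    return dict(item.split("=", 1)
                for item in plain.decode("utf-8").split(";") if item)


def recover_config(pixels: bytes, key: bytes) -> dict:
    """End-to-end: pixels -> LSB bytes -> decoded configuration."""
    return decode_config(extract_lsb(pixels), key)


# The stego sample the extractor is exercised against (constructed).
STEGO = embed_lsb(COVER, wrap_payload(CONFIG, XOR_KEY))

if __name__ == "__main__":
    print("clean cover LSB bytes:", extract_lsb(COVER)[:8])
    print("stego LSB bytes:      ", extract_lsb(STEGO)[:8])
    for name, value in recover_config(STEGO, XOR_KEY).items():
        print(f"{name:>6} = {value}")
```

When working a real sample, replace `COVER`/`STEGO` with the bytes of the suspicious PNG and try the other bit planes and channel orders if the default selection does not decode; the length prefix and XOR key would have to be recovered from the loader itself, which is why the YARA rule further down leaves a placeholder for the key.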
Phase 5: Memory-Only Execution and Persistence
The final modules are loaded directly into system memory, never touching the hard drive, making them invisible to traditional file-based antivirus scans. To survive a reboot, the malware creates a Windows scheduled task that re-launches the loader chain.
2. Detecting LSB Steganography: Tools and Techniques
Detecting LSB steganography requires moving beyond signature-based detection to behavioral analysis. Several open-source tools are available to help analysts identify and extract hidden information from suspicious image files. These tools are invaluable for both blue teams and researchers.
Step‑by‑Step Guide: Using the `zsteg` Tool (Linux)
`zsteg` is a powerful and fast Ruby-based tool specifically designed to detect LSB steganography in PNG and BMP images by analyzing all color channels and bit planes.
- Installation on Kali Linux: `sudo apt update && sudo apt install zsteg` (zsteg is also distributed as a Ruby gem, so `gem install zsteg` works on any system with Ruby).
- Basic Analysis: To run a quick scan on an image, use:
zsteg suspicious_image.png
This command checks the most common LSB patterns. The output will list any embedded strings or data it finds.
- Deep Scan: To perform a comprehensive check across all possible methods and channel combinations, use the `-a` flag:
zsteg -a suspicious_image.png
- Extracting Specific Data: If you suspect data is hidden in a specific bit plane (e.g., the first LSB of the RGB channels), you can extract it:
zsteg -E "b1,rgb,lsb" suspicious_image.png
This tells `zsteg` to extract from bit plane 1, across the RGB channels, in LSB order. The extracted bytes can then be piped onward for further decoding (e.g., into `xxd` to inspect them as hex, or `base64 -d` if they look Base64-encoded).
3. Detecting LSB Steganography: Using StegSolve (GUI-based)
`StegSolve` is a popular Java-based graphical tool that allows for manual, visual steganography analysis. It excels at revealing hidden data by letting analysts iterate through different bit planes, a technique known as “bit-plane slicing”.
Step‑by‑Step Guide: Using StegSolve for Visual Analysis
- Download and Run: Download the latest `stegsolve.jar` from its official source and run it:
java -jar stegsolve.jar
- Load Image: Go to `File` -> `Open` and select the suspicious PNG or BMP file.
- Analyse Bit Planes: Navigate to `Analyse` -> `Data Extract`. A new dialog will appear.
- Configure Extraction: Under Bit Planes, you can select individual bits from the Red, Green, and Blue channels. Attackers often embed data in the LSB (Bit 0) of these channels. For a comprehensive check, systematically toggle the checkboxes for Bit 0 of each RGB channel. You can also choose the order (e.g., “RGB”, “GRB”) and the bit-plane layout (e.g., “Row”, “Column”).
- Preview Extracted Data: Click the `Preview` button. The right-hand panel will display the raw extracted data. If the data appears to have structure (e.g., an `MZ` header for an executable, or readable text), it indicates the presence of hidden content. You can then “Save As” to extract the raw bytes for further analysis.
4. Network Defense: Detecting Cloud Service Abuse for C2
The core strength of this attack is its abuse of legitimate, highly trusted cloud domains. Traditional blocklisting is ineffective here. Instead, detection must focus on the anomalous content and context of traffic to otherwise trusted services.
Step‑by‑Step Guide: Building Detection Rules with Zeek (Bro) and YARA
1. Monitoring Google API Endpoints:
Security teams must monitor outbound HTTPS traffic to endpoints like `www.googleapis.com` (Google Drive API) and `api.telegram.org` (Telegram Bot API).
Create network signatures to look for specific API endpoints that are not commonly used by standard business applications. For example, the pattern `POST /upload/drive/v3/files` might be a strong indicator of data exfiltration via the Drive API.
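The endpoint patterns named in this step, and the beaconing regularity that step 4 below relies on, can both be checked mechanically over proxy logs. The following Python script is an added example for this article, not tooling from the article, from Zeek, or from any vendor. It assumes a TLS-inspecting proxy whose log exposes request paths, in a constructed space-separated format (`epoch src_ip method host path bytes_out`); the log lines, IPs, file IDs and bot token are all constructed. The beacon detector flags a source that fetches the same URL repeatedly at near-constant intervals (low coefficient of variation of the gaps), which is the signature of a loader polling a static image, while a user opening the same document at irregular times is left alone.

```python
import statistics
from collections import defaultdict

# Constructed proxy log lines (a TLS-inspecting proxy, so request paths are
# visible). Format, also constructed: "<epoch> <src_ip> <method> <host> <path> <bytes_out>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET www.googleapis.com /drive/v3/files/ABC123?alt=media 512
1700000060 10.0.0.5 GET www.googleapis.com /drive/v3/files/ABC123?alt=media 512
1700000120 10.0.0.5 GET www.googleapis.com /drive/v3/files/ABC123?alt=media 512
1700000180 10.0.0.5 GET www.googleapis.com /drive/v3/files/ABC123?alt=media 512
1700000200 10.0.0.5 POST api.telegram.org /bot000000:CONSTRUCTED/getUpdates 230
1700000210 10.0.0.5 POST www.googleapis.com /upload/drive/v3/files?uploadType=multipart 1048576
1700000300 10.0.0.9 GET www.googleapis.com /drive/v3/files/DOC9?alt=media 4096
1700000900 10.0.0.9 GET www.googleapis.com /drive/v3/files/DOC9?alt=media 4096
1700002000 10.0.0.9 GET www.googleapis.com /drive/v3/files/DOC9?alt=media 4096
1700002100 10.0.0.9 GET www.googleapis.com /drive/v3/files/DOC9?alt=media 4096
"""

# Endpoint patterns from the article's guidance: (host, path prefix, reason).
SUSPICIOUS_ENDPOINTS = [
    ("www.googleapis.com", "/upload/drive/v3/files", "Drive API upload: possible exfiltration"),
    ("api.telegram.org", "/bot", "Telegram Bot API call: possible C2 polling"),
]


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict of typed fields."""
    ts, src, method, host, path, nbytes = line.split()
    return {"ts": int(ts), "src": src, "method": method,
            "host": host.lower(), "path": path, "bytes": int(nbytes)}


def match_endpoints(events):
    """Return (ts, src, reason) for every request hitting a watched endpoint."""
    hits = []
    for e in events:
        for host, prefix, reason in SUSPICIOUS_ENDPOINTS:
            if e["host"] == host and e["path"].startswith(prefix):
                hits.append((e["ts"], e["src"], reason))
    return hits


def find_beacons(events, min_hits: int = 4, max_cv: float = 0.1):
    """Group identical (src, host, path) requests and flag groups whose
    inter-request gaps are nearly constant. Returns (key, mean_gap, cv)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["host"], e["path"])].append(e["ts"])
    beacons = []
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: 0 means perfectly periodic. A zero mean
        # (all hits in the same second) is a burst, not a beacon.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append((key, round(mean), round(cv, 3)))
    return beacons


def analyze(log_text: str) -> dict:
    """Run both checks over a block of log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"endpoints": match_endpoints(events), "beacons": find_beacons(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, src, reason in result["endpoints"]:
        print(f"[endpoint] {ts} {src}: {reason}")
    for (src, host, path), mean_gap, cv in result["beacons"]:
        print(f"[beacon] {src} -> https://{host}{path} every ~{mean_gap}s (cv={cv})")
```

In the constructed sample, 10.0.0.5 fetches `MIO9.png`-style content every 60 seconds and is reported as a beacon, while 10.0.0.9 fetches its document at irregular gaps and is not; the Telegram `/bot` call and the Drive upload are reported by the endpoint check regardless of timing. Tune `min_hits` and `max_cv` to your environment: loaders with jittered sleep need a looser `max_cv`, and a larger `min_hits` cuts false positives from dashboards that auto-refresh.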
2. YARA Rule for Malicious Loader Detection:
Create a YARA rule to detect the unique strings or compiled artifacts found in the malicious loader. A rule signature might look for elements within the binary or the script used to invoke csc.exe:
rule OilRig_CustomCompiler_Loader {
    meta:
        description = "Detects OilRig loader artifacts compiled via csc.exe"
        author = "Security Team"
    strings:
        $git_hub = "johnpeterson1304" ascii wide
        $c2_config = "tamiManager.txt" ascii wide
        $stego_image = "MIO9.png" ascii wide
        $loader_dll = "AppVStreamingUX_Multi_User" ascii wide
        // "drive.google.com" on its own is far too common to be a match
        // criterion, so the generic domain is deliberately left out of the rule.
        // $xor_key = { ?? ?? ?? }   // replace with the key bytes recovered during analysis, e.g. { 4D 5A 90 }
    condition:
        any of them
}
3. Windows Event Log Monitoring for Suspicious Compilation:
Monitor for execution of `csc.exe` (the Microsoft C# compiler). While not malicious on its own, an instance of `csc.exe` launched from a temporary or unusual directory (e.g., %TEMP%) by a Microsoft Office application is highly suspicious.
Enable command-line auditing to capture the full arguments passed to csc.exe, which may reveal the names of temporary source files.
4. Network Traffic Analysis:
Pay close attention to beaconing patterns. While the attackers used Telegram for polling, the cyclic retrieval of a static image from Google Drive can create a predictable and detectable pattern over time.
Use EQL (Event Query Language) to create sequences. For example, a sequence of: Process Start (WINWORD.EXE) -> File Write (.cs) -> Process Start (csc.exe) -> Network Connection (.googleapis.com).
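The EQL sequence above, and the first two EDR rules in section 5 (an Office process spawning `csc.exe`, and `csc.exe` compiling from a temporary directory), come down to one stateful correlation over endpoint telemetry. The Python below is an added example for this article, not a rule from the article, from Elastic, or from any EDR vendor. It assumes Sysmon-style events already normalised into three kinds (process start, file write, network connection) and correlates them by process tree per host: the chain must start with an Office process, the `.cs` write and the `csc.exe` start must come from that process's tree, and the cloud connection must follow within a time window. The three workstations' events are constructed; the sample uses EXCEL.EXE as the root because the lure in this campaign was an `.xlsm`, and WINWORD.EXE matches the same way.

```python
from dataclasses import dataclass
from typing import List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Domains the article names for payload/config retrieval and C2.
CLOUD_SUFFIXES = (".googleapis.com", "drive.google.com", "github.com",
                  "raw.githubusercontent.com", "api.telegram.org")


@dataclass
class Event:
    ts: int
    host: str
    kind: str          # "process_start" | "file_write" | "network"
    pid: int
    ppid: int = 0      # process_start only
    image: str = ""    # process_start only
    path: str = ""     # file_write only
    dest: str = ""     # network only


# Constructed telemetry for three workstations; not real log data.
SAMPLE_EVENTS = [
    # WS-01: the chain described in the article
    Event(1000, "WS-01", "process_start", 400, 300, image="EXCEL.EXE"),
    Event(1005, "WS-01", "file_write", 400, path=r"C:\Users\u\AppData\Local\Temp\tmp1A2B.cs"),
    Event(1006, "WS-01", "process_start", 410, 400, image="csc.exe"),
    Event(1020, "WS-01", "network", 400, dest="www.googleapis.com"),
    # WS-02: a developer build; csc.exe is normal here because no Office ancestor exists
    Event(2000, "WS-02", "process_start", 500, 1, image="devenv.exe"),
    Event(2001, "WS-02", "file_write", 500, path=r"C:\src\app\Program.cs"),
    Event(2002, "WS-02", "process_start", 510, 500, image="csc.exe"),
    Event(2003, "WS-02", "network", 500, dest="www.googleapis.com"),
    # WS-03: Word syncing a document; cloud traffic without any compile step
    Event(3000, "WS-03", "process_start", 600, 1, image="WINWORD.EXE"),
    Event(3001, "WS-03", "network", 600, dest="www.googleapis.com"),
]


def detect_office_compile_chain(events: List[Event], window: int = 600) -> List[dict]:
    """Stateful equivalent of the EQL sequence: Office start -> .cs write from
    the Office process tree -> csc.exe started inside that tree -> connection to
    a cloud-storage/API domain from the tree, all within `window` seconds."""
    states = {}   # (host, office_pid) -> {"tree", "start", "stage", "trail"}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "process_start" and e.image.lower() in OFFICE_IMAGES:
            states[(e.host, e.pid)] = {"tree": {e.pid}, "start": e.ts, "stage": 1,
                                       "trail": [(e.ts, e.kind, e.image)]}
            continue
        for key, st in list(states.items()):
            if key[0] != e.host:
                continue
            if e.ts - st["start"] > window:
                del states[key]          # sequence timed out; forget it
                continue
            in_tree = e.pid in st["tree"]
            if e.kind == "process_start" and e.ppid in st["tree"]:
                st["tree"].add(e.pid)    # any descendant joins the tree
                if st["stage"] == 2 and e.image.lower() == "csc.exe":
                    st["stage"] = 3
                    st["trail"].append((e.ts, e.kind, e.image))
            elif (e.kind == "file_write" and in_tree and st["stage"] == 1
                  and e.path.lower().endswith(".cs")):
                st["stage"] = 2
                st["trail"].append((e.ts, e.kind, e.path))
            elif (e.kind == "network" and in_tree and st["stage"] == 3
                  and e.dest.lower().endswith(CLOUD_SUFFIXES)):
                alerts.append({"host": e.host, "root_pid": key[1],
                               "trail": st["trail"] + [(e.ts, e.kind, e.dest)]})
                del states[key]
    return alerts


if __name__ == "__main__":
    for alert in detect_office_compile_chain(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']} root pid {alert['root_pid']}:")
        for ts, kind, detail in alert["trail"]:
            print(f"  {ts} {kind:<14} {detail}")
```

Only WS-01 fires: WS-02 has the same compile-and-connect shape but no Office ancestor, and WS-03 has Office plus cloud traffic but never writes a `.cs` file or spawns `csc.exe`. The tree-based correlation also covers the case where the macro launches `csc.exe` through an intermediate `cmd.exe`, since every descendant of the Office process joins the tree.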
5. Mitigation Strategies: Hardening Against Stealthy APTs
Preventing attacks like this requires an integrated defense-in-depth strategy that reduces the attack surface and provides visibility into blind spots.
Step‑by‑Step Guide: Implementing Technical Controls
- Disable or Restrict Macros: The most effective control is to block all macros from running in Office documents that originate from the internet. Implement Group Policy Objects to enforce this and use Windows Defender Exploit Guard (WDEG) to block Win32 API calls from Office applications.
- Application Control: Deploy application whitelisting (e.g., Windows Defender Application Control, WDAC). While the attack used a legitimate Microsoft binary (csc.exe), WDAC can restrict the locations from which code can be executed. You can block script engines and compilers from being invoked from untrusted directories like `%TEMP%` or `%APPDATA%`.
- Data Loss Prevention (DLP) for Cloud APIs: Implement a Cloud Access Security Broker (CASB) or DLP solution. These tools can inspect API calls to services like Google Drive, even when traffic is encrypted. A DLP policy can be configured to alert or block uploads of suspicious file types (e.g., DLLs, executables) or data patterns to unverified or external Google Drives.
- Endpoint Detection and Response (EDR) with Behavioral Rules: EDR is essential. Create custom detection rules that look for:
  - A Microsoft Office process spawning `csc.exe`.
  - `csc.exe` compiling code from a temporary directory.
  - A newly created `schtasks.exe` entry with a name correlating to a known malicious DLL (e.g., AppVStreamingUX_Multi_User).
- DNS Tunneling Detection: Implement DNS-layer security to filter C2 domains. While the C2 itself is hidden, the initial stages rely on specific GitHub and Google Drive URLs. A DNS filtering solution can block access to known malicious repositories and enforce strict policies on personal cloud storage usage.
What Undercode Say:
- Trust is the Attacker’s New Best Friend: OilRig’s campaign is a masterclass in “living off trusted services.” By abusing Google Drive, GitHub, and Telegram, they effectively hide in plain sight. Traditional perimeter defenses are blind to these threats, forcing a shift in focus to API-level monitoring and behavioral analysis.
- Visibility is the Only Defense: The key takeaway is that SIEM and EDR are no longer optional—they are the new perimeter. The failure to detect `csc.exe` compiling an unknown binary or a suspicious scheduled task directly enables the entire attack chain. Security teams must prioritize detection engineering for these types of process anomalies rather than focusing solely on static file signatures. The geopolitical implications of this attack are clear: state-sponsored espionage is becoming commodity-grade in its ability to evade detection, making critical infrastructure a constant target.
Prediction:
The blending of steganography with legitimate cloud APIs will likely become the new standard for advanced threats. We predict a rise in “malware-as-code” kits on the dark web that trivialize this technique, lowering the barrier for less sophisticated attackers. In response, cloud providers will be forced to implement more aggressive rate-limiting and anomaly detection on their own APIs, leading to a new offensive-defensive arms race fought within the API endpoints themselves.
Reported By: Cybersecuritynews Gbhackers – Hackers Feeds


