A cybersecurity researcher named Xavier revealed the discovery of another cleverly concealed payload using steganography techniques.
The image in question, distributed from the URL hxxps://zynova[.]kesug[.]com/new_image.jpg, was found to contain a hidden malicious file appended to a standard JPEG image.
This technique leverages the properties of image file formats and basic obfuscation strategies to evade detection by conventional antivirus systems.
Dynamic Analysis Confirms Hidden Data
Researchers opting for dynamic analysis, as opposed to static inspection, observed that the image file was not just an ordinary JPEG.
Utilizing the forensic tool jpegdump.py, they analyzed the file structure and observed that there was unexpected data appended after the JPEG’s End Of Image (EOI) marker.
This trailing data did not correspond to standard image content and suggested the presence of an embedded payload, a classic steganographic maneuver. Upon closer inspection, the payload exhibited a peculiar signature.
The data started with “TVqQ,” which Xavier identified as a BASE64 encoding of “MZ,” the magic header found at the start of Windows PE (Portable Executable) files.
According to the report, this confirmed suspicions that a Windows executable was concealed within the image.
However, an unusual aspect caught the analysts’ attention: the appearance of the ‘@’ character within what otherwise appeared to be BASE64-encoded data. Normally, BASE64 encoding does not use this character.
Payload Extraction
To further probe the anomaly, analysts turned to the tool byte-stats.py to perform a statistical breakdown of character usage within the payload.
This analysis revealed that every alphabetical character except ‘A’ was present, strongly hinting that ‘@’ had been deliberately substituted for ‘A’ as part of the obfuscation effort.
Such a substitution disrupts basic string-matching and signature-based detection methods employed by security software.
By hypothesizing and confirming that ‘@’ replaced ‘A’ in the encoded data, the analysts were able to revert the substitution and reconstitute the original BASE64 string.

Next, using base64dump.py, they successfully decoded this string to reveal a binary sequence beginning with ‘MZ’, unmistakably marking the start of a Windows PE file, specifically a .NET DLL.
This DLL file, once extracted, was found to match the hash value published by Xavier, substantiating both the method and the findings.
This incident underscores the persistent evolution of steganographic and obfuscation techniques in cyberattacks.
By appending malicious executables to seemingly benign images and obfuscating the payload using nonstandard BASE64 substitutions, attackers can bypass many traditional detection mechanisms.
Such techniques require analysts to combine both forensic toolkits and creative thinking during malware analysis, especially when anomalous data signatures and unexpected encoding are present.
The case also highlights the utility of specialized tools like jpegdump.py for dissecting file formats, and the importance of statistical and pattern analysis in uncovering subtle data manipulations.
As attackers continue to employ clandestine tactics leveraging file format peculiarities and encoding schemes, security professionals must remain vigilant and continually update their analytic strategies to detect and neutralize emerging threats.