APT-C-20 Hackers Use PNG Images to Deliver Fileless C# Backdoor
Key Takeaways APT-C-20, also known as APT28 or Fancy Bear, is employing an advanced fileless attack technique. The group embeds C# shellcode within seemingly innocuous PNG image files using...
Key Takeaways
- APT-C-20, also known as APT28 or Fancy Bear, is employing an advanced fileless attack technique.
- The group embeds C# shellcode within seemingly innocuous PNG image files using steganography.
- The attack primarily targets government and diplomatic entities, particularly those related to Eastern European defense.
- The fileless nature of the C# backdoor makes it significantly harder for traditional antivirus solutions to detect.
- Communication with the command-and-control server is routed through the cloud storage service Filen.io, enhancing stealth and resilience.
A sophisticated hacking group, identified as APT-C-20 (also known as APT28 or Fancy Bear), has been observed deploying a cunning new method to bypass conventional security defenses. The group is leveraging ordinary PNG image files to conceal and deliver a fileless C# backdoor, making detection exceptionally challenging for standard security tools.
Table Of Content
This innovative approach allows the threat actors to execute malicious code directly in memory without writing any executable files to disk. This significantly reduces their digital footprint, enabling them to maintain stealth and persistence within compromised networks.
The Advanced Attack Chain
The campaign initiates with a weaponized Microsoft Word document, named readme.docm, delivered as an email attachment. This document, remarkably small at just 469 bytes, initially displays garbled text, prompting the victim to enable macros to view its content. The lure is meticulously crafted to appear as a defense-related file pertaining to an Eastern European government, exploiting geopolitical interests to entice targets.
Upon enabling macros, the document executes a series of hidden actions. The encrypted macro first performs environmental checks to evade analysis tools, then drops a malicious DLL (dnxstore.dll) and a seemingly legitimate PNG image (EdgeLogo.png) into a ProgramData folder. Crucially, the macro establishes persistence by redirecting a built-in Windows COM class registry key to point to the malicious DLL. This technique, known as COM hijacking, ensures that when Windows Explorer attempts to initialize the legitimate COM object, it inadvertently loads the attacker’s malicious code instead, thereby operating under the guise of a trusted Windows process.
Once loaded, dnxstore.dll conducts further checks, verifying its execution within explorer.exe and employing time-delay mechanisms to detect sandbox environments. If these checks pass, it proceeds to open EdgeLogo.png. This image, which visually resembles a standard Microsoft Edge icon, secretly harbors encrypted shellcode using least significant bit (LSB) steganography. The DLL then extracts an encryption key, along with hidden salt and initialization vector values embedded within the image’s pixels, to decrypt a small header that details the location of the true payload.
The Fileless C# Backdoor Payload
Following the metadata extraction, the loader retrieves the encrypted shellcode from the image pixels, decrypts it, and executes it entirely in memory. This eliminates the need for the payload to be written as a file on the disk, a critical feature for its fileless nature. This shellcode then reflectively loads the final stage payload, a C# backdoor named Publish.exe. This backdoor is heavily obfuscated to hinder reverse engineering and analysis efforts.
Once operational, the C# backdoor generates a unique identifier for the victim using their username and domain name. It then compiles system information into a JSON message, encrypts it, and exfiltrates it. Rather than communicating with a traditional command-and-control (C2) server, the backdoor utilizes Filen.io, a cloud storage service, for its C2 communications. It employs multiple backup gateways (e.g., gateway.filen.io, gateway.filen.net) to ensure resilience and maintain connectivity even if one node becomes unavailable. The backdoor remains dormant, awaiting further instructions, exchanging encryption keys with the operator, and dynamically loading additional code as directed.
Analysts from 360 said in a report that their tracking of APT-C-20 activities led to the discovery of this campaign, noting that the group’s tactics, techniques, and procedures (TTPs) align closely with their established historical operations. Their research highlights the attackers’ use of multiple layers of deception, including macro encryption, hidden registry modifications, and image-based steganography, all designed to prolong the infection’s invisibility.
The implications of this campaign are substantial, particularly given APT-C-20’s history of espionage and its targeting of sensitive government and diplomatic entities with highly convincing lures. The fileless nature of the backdoor poses a significant challenge for traditional signature-based antivirus solutions, requiring defenders to implement more advanced behavioral detection mechanisms rather than relying solely on file scanning.
What You Should Do
- Exercise Extreme Caution with Email Attachments: Treat unexpected macro-enabled documents, especially those from unfamiliar senders, with the highest level of suspicion. Enable macro execution only when absolutely necessary and from trusted sources.
- Implement Advanced Endpoint Detection and Response (EDR): Traditional antivirus may miss fileless threats. Deploy robust EDR solutions capable of behavioral analysis to detect suspicious activities like COM hijacking and in-memory code execution.
- Monitor Unusual Process Behavior: Pay close attention to unusual activity originating from legitimate Windows processes like
explorer.exe, particularly when it involves loading DLLs or making unexpected network connections. - Network Traffic Monitoring for Cloud APIs: Monitor network traffic for unusual connections to cloud storage services and APIs (e.g., Filen.io, Dropbox.com) that are not part of legitimate organizational workflows.
- Regular Security Awareness Training: Educate users about phishing tactics, social engineering, and the dangers of enabling macros in untrusted documents.
- Review and Enforce Macro Security Policies: Configure Microsoft Office applications to disable macros by default or to only allow digitally signed macros from trusted publishers.
- Utilize Threat Intelligence: Integrate and leverage the provided Indicators of Compromise (IoCs) within your security information and event management (SIEM) systems and threat intelligence platforms for proactive detection.



No Comment! Be the first one.