New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT

Morphisec researcher Michael Dereviashkin has released more details on a phishing campaign disclosed in January by Ukraine’s CERT-UA, in which threat actors were observed using war-themed lures to deliver the Remcos Remote Access Trojan to targeted victims. According to Dereviashkin, these lures initiate an infection chain that leads to the deployment of IDAT loader, which in turn uses an embedded steganographic PNG to locate and extract the Remcos payload. IDAT loader itself was first documented by Rapid7 in July 2023 and employs techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. It has previously been used by cybercriminals to load a range of payloads, including Danabot, SystemBC, and Redline Stealer.

Security Officer Comments:
Since it was first observed, IDAT loader has been continually updated with new capabilities and evasion techniques, making it an attractive tool for threat actors looking to deploy their payloads successfully. The steganography used by IDAT loader, which involves embedding malicious code within an image or video file, is not novel; the tactic is commonly used to obfuscate payloads, since the carrier file still looks like an ordinary image to file-type filters and signature-based scanners. IDAT loader takes its name from the fact that the payload is stored in the IDAT chunk of the PNG file, the chunk that normally carries the image's compressed pixel data.
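As an added illustration (example code written for this page, not Morphisec's, Rapid7's or IDAT loader's own logic), the following Python walks the PNG chunk list, verifies each chunk CRC, inflates the concatenated IDAT data and flags the places where a carrier image can hide a payload: bytes left over inside IDAT after the zlib stream ends, bytes appended after IEND, or an inflated size that does not match the IHDR geometry. The triage heuristics and the two sample images are constructed assumptions of the example; the real loader's search marker and extraction routine are not described on this page.

```python
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Channels per pixel for 8-bit images, keyed by the IHDR colour-type byte.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def make_chunk(ctype, body):
    """Serialise one chunk: big-endian length, 4-byte type, data, CRC32(type+data)."""
    crc = binascii.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def rgba_scanlines(width, height, rgba=(0, 0, 0, 255)):
    """Raw, unfiltered 8-bit RGBA scanlines: each row starts with filter byte 0."""
    return (b"\x00" + bytes(rgba) * width) * height


def build_png(width, height, zlib_stream, hidden=b""):
    """Minimal 8-bit RGBA PNG. `hidden` is placed inside the IDAT chunk after the
    zlib stream: the chunk CRC still verifies, so only inflating reveals it."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib_stream + hidden)
            + make_chunk(b"IEND", b""))


def parse_chunks(data):
    """Walk the chunk list. Returns (chunks, trailing): one dict per chunk and
    whatever follows IEND (a well-formed PNG has nothing there)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk at offset %d" % pos)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append({
            "type": ctype.decode("latin-1"),
            "offset": pos,
            "data": body,
            "crc_ok": (binascii.crc32(ctype + body) & 0xFFFFFFFF) == crc,
        })
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def idat_hidden_bytes(data):
    """Bytes sitting inside IDAT after the zlib stream ends (b"" for a clean file)."""
    chunks, _ = parse_chunks(data)
    idat = b"".join(c["data"] for c in chunks if c["type"] == "IDAT")
    d = zlib.decompressobj()
    d.decompress(idat)
    return d.unused_data


def triage_png(data):
    """Sorted list of anomaly tags; an empty list means nothing looked odd.
    The heuristics are this example's assumptions, not a published detection rule."""
    chunks, trailing = parse_chunks(data)
    findings = set()
    if any(not c["crc_ok"] for c in chunks):
        findings.add("crc_mismatch")
    if trailing:
        findings.add("data_after_iend")
    ihdr = next((c for c in chunks if c["type"] == "IHDR"), None)
    if ihdr is None or len(ihdr["data"]) != 13:
        findings.add("bad_ihdr")
        return sorted(findings)
    width, height, depth, ctype = struct.unpack(">IIBB", ihdr["data"][:10])
    idat = b"".join(c["data"] for c in chunks if c["type"] == "IDAT")
    d = zlib.decompressobj()
    try:
        raw = d.decompress(idat) + d.flush()
    except zlib.error:
        findings.add("idat_not_zlib")
        return sorted(findings)
    if d.unused_data:
        findings.add("bytes_after_zlib_stream")
    if depth == 8 and ctype in CHANNELS:
        # One filter byte per row plus the pixel bytes, per the PNG spec.
        if len(raw) != height * (1 + width * CHANNELS[ctype]):
            findings.add("inflated_size_mismatch")
    return sorted(findings)


# Constructed samples (not real malware): a clean 4x2 RGBA image and the same
# image with a fake payload tucked into IDAT after the zlib stream.
FAKE_PAYLOAD = b"\x4d\x5a" + b"not-a-real-PE-just-a-marker"
CLEAN_PNG = build_png(4, 2, zlib.compress(rgba_scanlines(4, 2)))
STEGO_PNG = build_png(4, 2, zlib.compress(rgba_scanlines(4, 2)), hidden=FAKE_PAYLOAD)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        print(name, triage_png(blob) or "no anomalies")
```

A CRC check alone is not a useful detector here: whoever writes the carrier recomputes the CRC over the hidden bytes, as build_png does, so the file stays valid in every image viewer. Inflating the IDAT stream is what exposes the leftover bytes, which makes this a mail-gateway or sandbox triage check rather than something to rely on at the endpoint.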

Suggested Corrections:
Given that phishing remains a primary initial infection vector for loaders like IDAT, users should be careful not to open links or attachments from unknown senders. CERT-UA has also published a set of IOCs that can be used for detection purposes. Please use the link below to access these indicators: