Do you recall the C2 group exfiltrating data that we were tracking last year? Well, as it turns out, we’ve managed to corroborate their activities with APT-47, nicknamed ‘The Engineers’. Their operations span a wide range of industries, including disrupting SCADA systems and stealing corporate data.
Recently, they’ve been leaking unreleased tracks from various media groups. A Canadian firm that suffered a fresh leak has asked us to take a look. Over the past few days, our analysts have combed through network data trying to identify which computers or servers may have been compromised and used.
In order to bypass detection by IDS/DLP signatures, we think they’re somehow extracting these tracks by hiding them in existing music videos so that they blend in with usual traffic. We’ve attached a video that we believe is going to one of their IP addresses. Can you take a look?
We are given an mp4 file that is 46MB. Opening the file in a hex editor, we see a password at the bottom of the file that we will need later:
I couldn’t find anything else interesting in this mp4. binwalk reported a MySQL index file, a JPEG and a PNG, but the challenge creator confirmed these were false positives. So, looking up video steganography techniques, I found one option that uses a rare technique (as indicated by the challenge creator): TCSteg.
It turns out that TCSteg embeds a TrueCrypt hidden volume inside an mp4 file while keeping the file playable as a video. So, trying this out, I looked for tools that can open hidden volumes. One option was TrueCrypt, but it was discontinued in 2014. So the other option was its maintained successor: VeraCrypt.
Using VeraCrypt, we mount the mp4 itself as a volume with the password we found: guitarmass. If the container was built with TrueCrypt rather than VeraCrypt, the mount only succeeds with “TrueCrypt Mode” ticked in the mount dialog, so that is worth checking before concluding the password is wrong.
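To make the structural trick concrete, here is an added example (my own code, not part of the original writeup and not TCSteg’s own tooling): a small Python walker over the MP4’s top-level boxes that reports which box covers the byte ranges a TrueCrypt-format hidden volume needs. The layout it assumes, stated as an assumption, is the documented TrueCrypt one that VeraCrypt keeps in TrueCrypt mode: the standard header sits at offset 0 (where the mp4’s ftyp box now lives, which is why only a hidden volume can share the file), the hidden-volume header occupies 512 bytes at offset 65536, and its backup copy lies in the last 65536 bytes. The sample files are constructed in the block, not taken from the challenge.

```python
import struct

# TrueCrypt/VeraCrypt on-disk layout (assumption, as stated in the lead-in):
# hidden-volume header = 512 bytes at offset 65536; backup copy inside the
# last 65536 bytes. The standard header at offset 0 is clobbered by ftyp.
TC_HIDDEN_HEADER_OFFSET = 65536
TC_HEADER_SIZE = 512
TC_BACKUP_REGION_SIZE = 65536

# Boxes whose payload a player never interprets byte-for-byte, so foreign
# data can sit inside them without breaking playback.
OPAQUE_BOXES = {"mdat", "free", "skip"}


def walk_boxes(data: bytes):
    """Walk the top-level ISO-BMFF boxes of an MP4.

    Returns (boxes, covered): boxes is a list of (offset, type, size);
    covered is the first byte not accounted for by a well-formed box.
    """
    boxes, pos, n = [], 0, len(data)
    while pos + 8 <= n:
        size, typ = struct.unpack(">I4s", data[pos:pos + 8])
        header_len = 8
        if size == 1:                      # 64-bit "largesize" follows the type
            if pos + 16 > n:
                break
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header_len = 16
        elif size == 0:                    # box extends to end of file
            size = n - pos
        if size < header_len or pos + size > n:   # malformed or truncated
            break
        boxes.append((pos, typ.decode("latin-1"), size))
        pos += size
    return boxes, pos


def box_containing(boxes, offset: int):
    """Type of the top-level box covering byte `offset`, or None."""
    for off, typ, size in boxes:
        if off <= offset < off + size:
            return typ
    return None


def analyze(data: bytes) -> dict:
    """Structural heuristics for a TCSteg-style hidden volume in an MP4."""
    boxes, covered = walk_boxes(data)
    header_box = box_containing(boxes, TC_HIDDEN_HEADER_OFFSET)
    header_end_box = box_containing(boxes, TC_HIDDEN_HEADER_OFFSET + TC_HEADER_SIZE - 1)
    backup_box = box_containing(boxes, max(len(data) - TC_BACKUP_REGION_SIZE, 0))
    return {
        "boxes": boxes,
        "trailing_bytes": len(data) - covered,      # bytes after the last valid box
        "hidden_header_in": header_box,
        # The whole header region and the backup region must lie in opaque boxes.
        "hidden_volume_possible": (
            header_box is not None
            and header_box == header_end_box
            and header_box in OPAQUE_BOXES
            and backup_box in OPAQUE_BOXES
        ),
    }


def make_box(typ: bytes, payload: bytes) -> bytes:
    """Build a box with a 32-bit size field (fixture helper)."""
    return struct.pack(">I4s", 8 + len(payload), typ) + payload


# Constructed sample files, not real captures.
FTYP = make_box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isommp42")
CLEAN_MP4 = FTYP + make_box(b"moov", b"\x00" * 64) + make_box(b"mdat", b"\x11" * 1000)
# Shape a TCSteg-style file has: one mdat payload spans both header regions.
STEGO_SHAPED_MP4 = FTYP + make_box(b"mdat", b"\x5a" * 200000)
# Naive appending, which the walker exposes as unaccounted trailing bytes.
APPENDED_MP4 = CLEAN_MP4 + b"\xff" * 300

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_MP4), ("stego-shaped", STEGO_SHAPED_MP4),
                       ("appended", APPENDED_MP4)]:
        r = analyze(blob)
        print(name, [(t, s) for _, t, s in r["boxes"]],
              "trailing:", r["trailing_bytes"],
              "hidden header in:", r["hidden_header_in"],
              "possible:", r["hidden_volume_possible"])
```

Run it against the challenge file (`analyze(open("video.mp4", "rb").read())`) to see whether the 64 KiB mark and the tail both fall inside mdat; a clean encode with the moov box at the end of the file will fail the backup-region check, which is one reason this is a heuristic and not proof. Note that an encrypted header is indistinguishable from compressed video by entropy alone, so structure, not randomness, is the useful signal here.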
Looking at the A: drive, we see an image displaying our flag: