Attackers Embracing Steganography to Hide Communication

Encouraged by patterns carried out on a larger scale recently, researchers believe digital steganography has arrived as a legitimate way to hide communication.

Encouraged by patterns carried out on a larger scale recently, researchers believe digital steganography has arrived as a legitimate method for attackers to use when it comes to obscuring communication between command and control servers.

In a presentation last week at Black Hat Europe, researchers with Crowdstrike and Dell SecureWorks cited a handful of steganography-dependent campaigns that have flourished lately.

Steganography, or the art of hiding information inside media, isn’t a particularly new concept, but the researchers claim that malware programmers and operators appear taken with the technique as of late.

Pierre-Marc Bureau, a senior security researcher at Dell SecureWorks, and Dr. Christian Dietrich, a senior researcher with Crowdstrike, say one of the most recent examples can be found in an instance of “Foreign,” a DDoS tool the two looked at recently that relies on messages hidden in HTTP error messages. The tool parses the page, which appears to be a generic 404 page at first glance but actually contains a C2 command hidden from the human eye.

The command – encoded using Base64 and stored between HTML comment tags – prompts the bot to download a file from a given URL.
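A defender can hunt for the pattern described above by scanning HTTP error bodies for HTML comments whose content decodes as Base64. This is an added example, not code from the researchers or the original article; the function names, the 16-character threshold, and the sample page with its placeholder command are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# HTML comments, including multi-line ones
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Body made only of Base64 characters; the 16-character minimum is an assumed threshold
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64(text):
    """Return decoded bytes if text is well-formed Base64, else None."""
    candidate = "".join(text.split())  # ignore whitespace inside the comment
    if len(candidate) % 4 or not B64_RE.match(candidate):
        return None
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_comments(status, body):
    """Flag Base64 blobs inside HTML comments of an HTTP error response."""
    findings = []
    if status < 400:  # only error pages are in scope for this check
        return findings
    for match in COMMENT_RE.finditer(body):
        decoded = decode_if_base64(match.group(1))
        if decoded is None:
            continue
        printable = sum(32 <= b < 127 for b in decoded) / len(decoded)
        findings.append({
            "offset": match.start(),
            "decoded": decoded,
            "printable_ratio": round(printable, 2),
            "has_url": b"http://" in decoded or b"https://" in decoded,
        })
    return findings


# Constructed sample: placeholder command text, not the real tool's syntax
_blob = base64.b64encode(b"EXAMPLE-COMMAND http://example.invalid/file.bin").decode()
SAMPLE_404 = (
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    f"<!-- footer --><!-- {_blob} --></body></html>"
)

if __name__ == "__main__":
    print(suspicious_comments(404, SAMPLE_404))
```

Ordinary comment words whose length happens to be a multiple of four can also decode, so `printable_ratio` and `has_url` are there to rank findings for triage rather than to act as a verdict.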

The tool is the latest entry in a growing field of malware that excels at communicating via a stealthy C2 channel.

Again, Bureau and Dietrich insist the technique as a whole isn’t new, but that the method has grown more sophisticated lately. The two also discussed how three malware families – Lurk, Gozi, and Stegoloader – have leveraged the technique over the past several years.

Lurk, malware that downloads click fraud malware, was spotted in 2014 hiding the URL from which it grabs content in a .BMP image. Gozi, known for perpetrating bank fraud, began using steganography at the beginning of this year “as a backup mechanism to retrieve URLs where it could download its configuration file.” The malware encrypts information in a favicon.ico file hosted on TOR.

Researchers with SecureWorks first described the Stegoloader malware, which operates in a similar fashion to Lurk, earlier this year. The malware relies on a deployment module that grabs a PNG file that contains malware. Once dropped, the malware is mostly used to steal system information but can also be used to load additional modules that access documents, list installed programs, steal browser history, and drop Pony, additional malware that steals passwords.
