InfoSec Insider

Malware Payloads Hide in Images: Steganography Gets a Reboot


Low-key but effective, steganography is an old-school trick of hiding code within a normal-looking image, where many cybersecurity pros may not think to look.

One of the challenges of cybersecurity is that overfocusing on one threat trend lets another one sneak up on you. This is especially problematic as our networks and the attack surface expand. Beyond threat vectors, we also need to pay attention to the entire spectrum of threat techniques and strategies. So while we are preparing our networks for the next zero-day threat, we need to make sure that we are keeping a lid on familiar exploits.

Cybercriminals are especially fond of using existing malware in new ways, for a number of reasons, the most common being economic. It is much cheaper to tweak an existing exploit than to invent something new, and if done right, that tweak can slip past existing defenses right under the noses of security professionals. A recent Fortinet report found that one technique in need of monitoring is the revival of the "old school" trick of steganography.

Watch Out for Steganography

For as long as communication has existed, humans have wanted to keep some communications secret. Cryptography is the most well-known of the ancient clandestine arts, but steganography has a long and storied history as well. The two are different tools: where cryptography scrambles a message so that it cannot be read, steganography hides the existence of the message altogether, tucking content (a message, code, or other data) inside something innocuous such as a digital photograph or video so that it can be passed along in plain sight. They are often combined, with a payload encrypted first and then hidden. Steganography was most prevalent more than a decade ago as a means of delivering malware to a victim, but recent developments are breathing new life into this old type of attack.

These days, security professionals most commonly run into steganography as part of Capture the Flag (CTF) competitions. A recent example comes from the 2018 Hacktober.org CTF event, where the flag “TerrifyingKitty” was embedded in an image. This strategy is clever, in part, because the technique is old enough that many younger security professionals don’t even consider it when looking to solve a problem.

Steganography can be used for more than fun and games, however. Cyberthreat actors have once again begun to incorporate this technique into various aspects of their schemes and wares. Recent examples include the Sundown Exploit Kit and the new Vawtrak and Gatak/Stegoloader malware families.

One of the reasons steganography fell out of favor is that it typically cannot be used in high-volume campaigns (although the Vawtrak botnet made the list of botnets with the most bursts of activity during the fourth quarter of 2018). Because these threats are tied to a specific delivery mechanism, they generally do not reach the volumes cybercriminals are looking for; Vawtrak, for example, never hit more than a dozen firms in a single day. So when FortiGuard Labs researchers observed a surge in malware samples using steganography to conceal malicious payloads in memes passed along on social media, their curiosity was piqued, and they reverse-engineered the code to see what was happening.

Like just about every other malware, the malware behind these memes, already running on a compromised device, starts by attempting to contact a command-and-control (C2) host, from which it would ordinarily download the additional code or commands for an attack. That's where this one gets interesting.

Rather than receiving commands directly, the malware is instructed to look for additional images in an associated Twitter feed, download those images, and extract commands hidden within them to carry on its malicious activity. It does this by searching the images for tags whose values have been modified to carry commands such as /print (capture the screen), /processes (write out a list of running processes), and /docs (write out a list of files from various locations). The images themselves never execute anything; they are simply a covert channel that malware already present on the machine knows how to read.

This approach is ingenious because most security processes focus on identifying and thwarting communications and commands sent between an infected device and a C2 server, and fetching images from a popular social network blends in with legitimate browsing. This undercover approach demonstrates that our adversaries continue to experiment with ways to advance their purposes without being detected, in this case through images shared on social media, and it exposes the limitations of our generally two-dimensional approach to security.

So, even though steganography is a low-frequency attack vector, cybercriminals have figured out how to employ it in a manner that leverages the prevalence and rapid growth of social media to deliver a malicious payload. In this case, an attack that starts small, even outside the corporate network, can rapidly expand in reach.

The challenge is that no single control can cover the entire attack spectrum. As the old adage goes, the bad guys only need to be right once; you need to be right every single time. Although security professionals certainly need to guard against such innovative attacks with ongoing cybersecurity awareness training, they also need full visibility across their entire attack surface. For many organizations, that requires rethinking and reengineering their security infrastructure.

Although a growing list of indicators of compromise can be used to detect known steganographic malware, for the most part steganographic payloads arrive as previously unseen samples that signature-based tools will not recognize. This makes access to up-to-date threat intelligence and behavior-based analytics, combined with automation and AI to respond to threats at digital speeds, important components of any effective defense against steganographic threats.

Recommendations for Stronger Security

Looking back at data from 2018 shows that to effectively combat today's ever-evolving threats, you need to break down silos and bring many traditionally disparate security tools together in a collaborative approach that lets you see everything coming at your network.

With the volume, velocity, and variety of modern threats increasing, standalone devices and platforms are rapidly becoming inadequate and ineffective. Organizations need a more unified approach that makes it practical for security teams, large or small, to achieve and maintain a competent security posture.

A unified defense posture helps companies detect known and unknown threats at multiple layers throughout the entire distributed environment. And when combined with an internal network segmentation strategy, organizations can not only better detect but also automatically contain threats looking to expand laterally across the network.

In the case of the threat discussed here, a strong defense against steganographic delivery needs to include tools that:

  • Use threat intelligence to stay current with steganographic and other threat innovations.
  • Observe and test suspected steganographically obscured malware.
  • Inspect applications and other code that might conceal malicious content.
  • Block known steganographic message traffic.
  • Expedite and prioritize vulnerability patches, updates, and policy controls.
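To make the "inspect" step concrete, here is an added example (my code, not Fortinet's and not the malware's) showing both sides of the channel described above: an image whose metadata tags carry a command such as /print, the reader that a piece of malware already on the host would use to pull the command back out, and a defender-side check that flags tag values shaped like commands. It assumes the commands ride in PNG tEXt chunks, which is one plausible reading of "image tags with modified values"; the page does not state the real sample's encoding, and a pixel-level (LSB) scheme would need a different extractor. The command verbs are the ones named in the article; the image and its tag values are constructed in memory.

```python
"""Covert commands in PNG text chunks: embed, extract, and flag them."""
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Command verbs named in the article; the malware treats these as instructions.
KNOWN_COMMANDS = {"/print", "/processes", "/docs"}

# Keywords registered by the PNG specification for tEXt/zTXt chunks.
REGISTERED_KEYWORDS = {
    "Title", "Author", "Description", "Copyright", "Creation Time",
    "Software", "Disclaimer", "Warning", "Source", "Comment",
}
# Heuristic: a slash-prefixed verb followed by optional arguments.
COMMAND_RE = re.compile(r"^/[a-z]+(?:\s+\S+)*$")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, pixels: bytes, text_fields: dict) -> bytes:
    """Build a minimal 8-bit grayscale PNG carrying the given tEXt fields.

    Stands in for the attacker's "meme": a valid image whose metadata tags
    have been given command values (hypothetical encoding, see lead-in).
    """
    if len(pixels) != width * height:
        raise ValueError("pixel buffer does not match dimensions")
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each scanline is prefixed with filter type 0 (None).
    raw = b"".join(b"\x00" + pixels[y * width:(y + 1) * width] for y in range(height))
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for key, value in text_fields.items():
        png += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return png + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) per chunk, refusing truncated or CRC-corrupt files."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError(f"truncated chunk at offset {pos}")
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        yield ctype, data
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND")


def text_chunks(png: bytes) -> dict:
    """Return keyword -> text for tEXt and zTXt chunks (the image's 'tags')."""
    fields = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
        elif ctype == b"zTXt":
            key, _, rest = data.partition(b"\x00")
            value = zlib.decompress(rest[1:])  # rest[0] is the compression method
        else:
            continue
        fields[key.decode("latin-1")] = value.decode("latin-1")
    return fields


def extract_commands(png: bytes) -> list:
    """Attacker-side reader: tag values whose first token is a known verb."""
    commands = []
    for value in text_chunks(png).values():
        tokens = value.split()
        if tokens and tokens[0] in KNOWN_COMMANDS:
            commands.append(value)
    return commands


def find_suspicious_text(png: bytes) -> list:
    """Defender-side check: flag command-shaped values and unregistered keywords."""
    findings = []
    for key, value in text_chunks(png).items():
        if COMMAND_RE.match(value):
            findings.append((key, value, "value looks like a command"))
        elif key not in REGISTERED_KEYWORDS:
            findings.append((key, value, "non-registered keyword"))
    return findings


# Constructed sample (not a real sample): one benign tag, one carrying /print.
MEME_PNG = build_png(4, 4, bytes(range(0, 256, 16)),
                     {"Software": "PhotoTool 1.0", "Comment": "/print"})

if __name__ == "__main__":
    print("malware would run:", extract_commands(MEME_PNG))
    for key, value, reason in find_suspicious_text(MEME_PNG):
        print(f"flag {key}={value!r}: {reason}")
```

The parser validates every chunk CRC before trusting its contents, so a tampered or truncated file is rejected rather than partially parsed. The detector is deliberately a heuristic: a legitimate "Comment" tag can hold anything, so in practice the finding would feed a sandbox or analyst queue rather than block on its own.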

Organizations need to stay informed about and track popular and successful threats to protect their networks against application exploits, malicious software, botnets, zero-day vulnerabilities, and evasion techniques such as steganography. There's never a dull moment in cybersecurity; IT teams must constantly stay abreast of the latest threats, including older threats reappearing in new forms, to keep their networks secure.

(Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet. He has more than 15 years of cybersecurity experience and helps customers formulate security strategy.)


Discussion

  • Odd

    How does the code get executed? Is there a weakness in Twitter's parsing of images that makes the code in the image execute?
  • Tom Updegrove

    Derek, great article. It definitely raises awareness about this simple but insidious method. Stegano-exploitation has been around for years. Its use as an attack vector is ingenious. Most think "how can you exploit someone with a media file". Thanks for the article.
  • AAAA

    @Odd This is not a vulnerability with Twitter, and no, the images are not executing. Malware already present on a device is reaching out to retrieve the image, parsing data hidden inside of it, and the malware executes commands on the already compromised system.
  • Rick Spickelmier

    No execution, just a covert channel for getting the code and/or commands down to the client. Hiding in plain sight in a Twitter feed (not caught by standard scanning).
