SAN FRANCISCO – Researchers are warning of an uptick in the malicious use of steganography as a vehicle for delivering malware. Steganography, they say, is increasingly becoming a go-to tool for cybercriminals not just for infection, but also command-and-control, data exfiltration and as an encryption alternative to sending secret messages.
Simon Wiseman, chief technology officer of Deep Secure, outlined the latest steganography threats and tactics here at the RSA Conference, saying that “stegware” hacking tools are now common on Dark Web hacker forums – suggesting an uptick of threats used in the wild.
“These tools are now standard features on hacker forums,” Wiseman said. “Previously, only talented criminals knew how to make their own stegware. Now these tools have filtered down the food chain for any criminal to buy and use.”
For years, steganography has existed as a rare threat when it comes to malware delivery. In 2016, the Sundown exploit kit used PNG files to hide exploit code using steganography. But over the past year researchers say steganography has been used in malware programs and cyberespionage tools going by the names of Microcin, NetTraveler and Invoke-PSImage.
“It used to be used by terrorists to communicate without anyone knowing what was being said. Now it’s about hackers using it to hide from detection defenses,” Wiseman said. “They might be hiding dangerous code, a command-and-control channel or using it to exfiltrate sensitive data without detection.”
In a separate report by IBM X-Force, in November researchers identified three malware samples in network attacks containing cryptocurrency CPU-mining tools hidden within fake image files. It estimates a six-fold increase in the use of steganography to hide embedded mining tools in images.
In August, Kaspersky Lab researchers reported seeing steganography used in updated versions of trojans Zerp, ZeusVM, and Triton.
Steganography was also used in the PyeongChang Winter Olympics attacks in February. According to McAfee researchers, “the attackers used the open-source tool Invoke-PSImage, released December 20, to embed the PowerShell script into (an) image file.”
One example outlined by Wiseman on Wednesday included a single pixel containing a PowerShell script that can execute upon opening within a browser. The technique employs splitting malicious code into two pieces and then bootstrapping them back together when the image is opened.
“All that’s needed is a webpage containing a JavaScript and an image tag to load the malicious pixel. After the image is rendered on the browser’s canvas the JavaScript can access the hidden content inside the image. Eventually, the PowerShell interpreter gets to the end and the ‘unsafe’ script runs,” Wiseman said.
Another example involved cybercriminals using Twitter as a C2 to send instructions via malicious images packed with code destined for malware hosted on a device.
“Stegware can be used in a command-and-control scenario where an attacker hides a command inside an image using steganography. First, they compose a tweet and include that image along with a specific hashtag and send it off,” Wiseman said. “Meanwhile malware running on the infected device is trolling Twitter for tweets with the specific hashtag. When the tweet arrives, the malware is able extract the image and then decode the steganography and execute the instructions.”
In this scenario, images and Twitter traffic don’t appear suspicious, which makes the detection of data infiltration and exfiltration a difficult task. Wiseman notes steganography isn’t limited to images, but can also employ a myriad of file types such as video, audio and even text when converted into hexadecimal format.
Mitigating against such attacks is difficult requiring concerned firms to adopt measures that include “washing” images or employing commercial tools and services that can detect the use of steganography where traditional AV has a harder time.