SoS Musings #64 - Steganography: An Attack Hiding in Plain Sight

SoS Musings #64 -

Steganography: An Attack Hiding in Plain Sight

The practice of steganography is a growing attack vector for cybercriminals. One of the ways malicious actors try to fly under the radar is through the performance of steganographic techniques, which in cybersecurity refers to concealing a secret message or data within a seemingly innocuous image, video, audio, or text file. This technique can be used by hackers to conduct malicious activities, such as installing malware, and ultimately compromise enterprise networks. Steganography differs from cryptography in that the latter uses advanced cryptographic algorithms to make a message or file unreadable to anyone who does not have the decryption key. Steganography, on the other hand, conceals information in plain sight so that an unsuspecting observer is unaware that a secret is hidden in what they are seeing.

There are many other examples of how hackers can use steganography to conceal malicious code and other secret information. MyKings is a botnet that has targeted Windows-based servers hosting services, including MySQL, MS-SQL, Telnet, SSH, IPC, WMI, and more. The countries with the highest population of MyKings-infected hosts include China, Taiwan, Russia, Brazil, India, Japan, and the US. The botnet attacks as if it were competing in a Capture-the-Flag (CTF) event. It establishes a beachhead, clears out any traces of the competition, removes any indicators of competing malware families, and secures the door it used for infiltration. The actors behind this botnet prefer to use open source or other public domain software and are capable of customizing and improving existing source code. For example, the botnet experimented with steganography, concealing malware payloads in plain sight by storing the file in an image of Taylor Swift. A Windows malware executable was found within the image data of a modified ".jpg" photo of the singer. The operators of MyKings uploaded this seemingly innocuous image file to a public repository and then used it to deliver an update to the botnet. Researcher and programmer David Buchanan disclosed a steganographic method of hiding up to 3 MB of data inside a Twitter image. During his demonstration, Buchanan displayed MP3 audio files as well as ZIP archives contained within PNG images hosted on Twitter. The fact that the images can be hosted on a popular website like Twitter and are not sanitized opens the door for malicious actors to exploit them. Although the attached PNG files hosted on Twitter appear to be valid images when previewed, simply downloading and changing their file extension resulted in different content from the same file. The 6 KB image tweeted by Buchanan contained an entire ZIP archive with his source code that anyone can use to insert miscellaneous contents into a PNG image. In another example, Buchanan tweeted an image that would start playing the song "Never Gonna Give You Up" by Rick Astley when downloaded, saved with a ".mp3" extension, and opened in VLC. Buchanan emphasized that while Twitter compresses images most of the time, there are some exceptions. Twitter also attempts to remove any non-essential metadata to make any existing 'polyglot file' techniques ineffective. However, Buchanan found that the data can be added to the end of the 'DEFLATE' stream (i.e., the part of the file that stores the compressed pixel data), so Twitter will not strip it. The researcher's PNG technique could be used by malware to facilitate Command-and-Control (C2) activities. Since network monitoring systems may consider Twitter to be a safe host, malware distribution via Twitter using such image files remains a viable method of evading security programs. On December 26, 2019, a security researcher revealed the first publicly documented payment card web skimmer to use steganography. The researcher discovered that the skimmer was using what appeared to be a free shipping ribbon, which is common on e-commerce websites. A closer inspection of the image, however, revealed that the file contained malicious JavaScript code immediately after the file marker, which was then in charge of the credit card skimming functionality.

Researchers are continuing efforts to detect and prevent attacks involving steganographic techniques. For example, a paper titled "Prevention of Hidden Information Security Attacks by Neutralizing Stego-Malware," proposes a Stegware Neutralization model with the goal of creating a ubiquitous mechanism to easily counter hidden information attacks, regardless of the obfuscation techniques used. The proposed system has three major phases: steganalysis, location finder, and neutralization. The presence of obfuscated items hidden inside the digital medium is identified during the steganalysis phase. The location finder phase pinpoints the exact location of the hidden payloads. The location of the hidden item is neutralized using a nonlinear transfer function during the neutralization phase. The proposed system's effectiveness was evaluated by analyzing various image files obtained from benchmarked database sources while looking for obfuscated malicious codes. A subset of malware codes was gathered from business Application Programming Interfaces (APIs) such as VirusTotal. The experimental results showed that the proposed system outperforms existing systems in terms of malware detection accuracy, ranging from 90 percent to 96 percent at various embedding rates (10 percent to 50 percent). Furthermore, the system can neutralize the hidden malware it detects. According to the researchers, their system, on average, neutralizes 97 percent of malware hidden in images. In another study, "Detection of the Information Hidden in Image by Convolutional Neural Networks," researchers also demonstrate the possibility of detecting hidden information in images through the use of Convolutional Neural Networks (CNNs), which could be applied in cybersecurity. According to the researchers, using Artificial Neural Networks (ANNs) to detect hidden information in images involving blind methods is convenient. CNNs are widely used in image processing, especially in object recognition, and are typically composed of three types of layers: convolutional layers, subsample layers, and perceptron layers. This approach, however, spreads out when the object being classified occupies a significant portion of the image. It is a small change in the brightness of a pixel that is invisible to the human eye when information is embedded in an image. The CNN architecture they developed is capable of extracting information embedded in images with high probability. Their neural network can work with images of any resolution and size. Such research and development efforts must continue to be made to analyze and prevent the adversarial use of steganographic techniques involving various media types to launch cyberattacks or deliver malicious data.

Threat actors will constantly try to change their tactics and apply different methods to achieve their goals and avoid being caught. The effectiveness of steganography is not to be underestimated as it can be used by hackers to avoid detection or communicate privately while using public networks. An image is one of the most commonly used file types to conceal malicious code and information since it often piques no interest among security defenders, and most security tools do not flag such file types. It is essential to know about the application of steganography in cyberattacks to take action to prevent them. Stopping hackers performing steganographic techniques requires rapid detection and response, which can be enhanced through further research by the Science of Security (SoS) community.