VI Reflections: Steganography Attacks and Defenses

By grigby1

The practice of steganography is a growing attack vector for cybercriminals. One of the ways malicious actors try to fly under the radar is through the performance of steganography techniques that cybersecurity experts refer to as concealing a secret message or data within a seemingly harmless image, video, audio, or text file. Hackers can use this method to conduct malicious activities, such as installing malware, and ultimately compromise networks. Cryptography differs from steganography in that it uses advanced cryptographic algorithms to make a message or file unreadable to anyone who does not have the decryption key. Steganography, on the other hand, conceals information in plain sight so that an observer is unaware that a secret is hidden in what they are seeing.

The "MyKings" botnet applied steganography, concealing malware payloads in plain sight with an image of Taylor Swift. It targeted Windows-based servers hosting services, including MySQL, MS-SQL, Telnet, SSH, IPC, WMI, and more, with China, Taiwan, Russia, Brazil, India, Japan, and the US having had the most MyKings-infected hosts. A Windows malware executable was found within the image data of a modified JPG image of the singer. The operators behind MyKings uploaded this seemingly innocuous image file to a public repository and then used it to deliver an update to the botnet.

Researcher David Buchanan disclosed a steganography method that hid up to 3 MB of data inside an image on Twitter, now known as X. Buchanan hid MP3 audio files and ZIP archives in PNG images hosted on Twitter. Unsanitized images hosted on such a popular social media site open the door for malicious actors to exploit them. Although the PNG files hosted on Twitter appeared to be valid images when previewed, simply downloading and changing their file extension resulted in different content from the same file. A 6 KB image posted by Buchanan contained an entire ZIP archive with source code that anyone can use to insert miscellaneous contents into a PNG image. In another example, Buchanan posted an image that would play "Never Gonna Give You Up" by Rick Astley when downloaded, saved with a ".mp3" extension, and opened in VLC. The researcher's technique could be used by malware to facilitate Command-and-Control (C2) activities.

Ukrainian entities in Finland were targeted as part of a malicious campaign involving steganography that distributes the "Remcos" Remote Access Trojan (RAT) through a malware loader called "IDAT Loader." The campaign has been attributed to the threat actor tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as "UAC-0184." IDAT Loader, which overlaps with "Hijack Loader," has served "DanaBot," "SystemBC," and "RedLine Stealer." The attack chain starts with a phishing email appearing to come from Ukraine's 3rd Separate Assault Brigade or the Israel Defense Forces. Opening the shortcut file attachment triggers an infection chain that launches an executable, which then activates IDAT Loader. IDAT Loader extracts the encoded payload embedded in a malicious PNG image file, decrypts it, and executes it in memory.

The threat actor TA558's campaign dubbed "SteganoAmor" leveraged steganography techniques by hiding malicious code inside images. Researchers at Positive Technologies identified over 320 attacks in this campaign impacting different sectors and countries. The campaign’s attacks start with phishing emails containing seemingly harmless Excel and Word files that exploit a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017. The emails are sent from compromised SMTP servers to prevent the messages from getting blocked as they come from legitimate domains. If an outdated version of Microsoft Office is installed, the exploit will download a Visual Basic Script (VBS) from the legitimate 'paste upon opening the file. ee' service. This script is executed to fetch a JPG file containing a base-64 encoded payload. PowerShell code in the image's script downloads the final payload, which is hidden inside a text file in the form of a reversed base64-encoded executable. Positive Technologies observed different variants of the attack chain that deliver "AgentTesla," "FormBook," "LokiBot," and other malware families.

Researchers are continuing efforts to detect and prevent attacks involving steganography techniques. For example, a paper titled "Prevention of Hidden Information Security Attacks by Neutralizing Stego-Malware," proposes a "Stegware Neutralization" model with the goal of creating a ubiquitous mechanism to easily counter hidden information attacks, regardless of the obfuscation techniques used. The proposed system has three major phases: steganalysis, location finder, and neutralization. The presence of obfuscated items hidden inside the digital medium is identified during the steganalysis phase. The location finder phase pinpoints the exact location of the hidden payloads. The location of the hidden item is neutralized using a nonlinear transfer function during the neutralization phase. The proposed system's effectiveness was evaluated by analyzing various image files obtained from benchmarked database sources while looking for obfuscated malicious codes. A subset of malware codes was gathered from business Application Programming Interfaces (APIs) such as VirusTotal. The experimental results showed that the proposed system outperforms existing systems in terms of malware detection accuracy, ranging from 90 percent to 96 percent at different embedding rates (10 percent to 50 percent). Furthermore, the system can neutralize the hidden malware it detects. According to the researchers, their system, on average, neutralizes 97 percent of malware hidden in images.

In another study, "Detection of the Information Hidden in Image by Convolutional Neural Networks," researchers also demonstrate the possibility of detecting hidden information in images through the use of Convolutional Neural Networks (CNNs), which could be applied in cybersecurity. According to the researchers, using Artificial Neural Networks (ANNs) to detect hidden information in images involving blind methods is convenient. CNNs are widely used in image processing, especially in object recognition, and are typically composed of three layers: convolutional layers, subsample layers, and perceptron layers. This approach, however, spreads out when the object being classified occupies a significant portion of the image. It is a small change in the brightness of a pixel that is invisible to the human eye when information is embedded in an image. The CNN architecture they developed is capable of extracting information embedded in images with high probability. Their neural network can work with images of any resolution and size. Such research and development efforts must continue to be made to analyze and prevent the adversarial use of steganography techniques involving various media types to launch cyberattacks or deliver malicious data.

Threat actors constantly switch tactics to achieve their goals and avoid detection. Hackers can use steganography to hide their activities or communicate privately. Understanding the application of steganography in defense evasion is crucial for developing effective countermeasures against such tactics. 

To see previous articles, please visit the VI Reflections Archive.

Submitted by Gregory Rigby on