A couple of decades ago, in another life, I wrote a little script which would capture keystrokes and then store that data within the 'white space' of an image file. It was pretty crude, but it was also twenty years ago and to be honest nobody was really looking for stuff which was effectively hidden in plain sight that way. That way being the use of something called steganography, from the Greek steganos which means covered and graphie which means writing; so literally covered writing. I used it to good effect during my period as an explorer of networks belonging to other people, most notably when sysadmins would stay at my apartment and login to their networks in order to do a bit of housekeeping and, unknown to them at the time, give me root. Things have moved on a lot since then, and steganography has become a much more complex tool being deployed by cybercriminals.
Back in March this year I reported for SC Magazine on how a variant of the Vawtrak malware family had been using steganography to hide update files in tiny 4Kb encrypted favicon graphics, these in turn being distributed using the Tor network via a proxy. Fast forward to now and the Dell SecureWorks Threat Intelligence Unit has revealed how it has tracked one such malware tool, Stegoloader, which appears top have been active since 2012 and uses digital steganography to avoid detection. Stegoloader requires a core component of the malware to be hidden within a graphic, in this case a portable network graphic (PNG) format image file which is hosted on a perfectly legitimate and innocent site that is extracted when the malware executes.
Dell SecureWorks researchers explain in more detail that "the image's URL is hard-coded in the binary. After downloading the image, Stegoloader uses the gdiplus library to decompress the image, access each pixel, and extract the least significant bit from the color of each pixel. The extracted data stream is decrypted using the RC4 algorithm and a hard-coded key. Neither the PNG image nor the decrypted code is saved to disk, making the malware difficult to find via traditional disk-based signature analysis. The image's URL and the RC4 key vary in the samples analyzed by CTU researchers."
Szilard Stange, director of San Francisco based secure digital data flow specialists OPSWAT says "malware authors are always looking for new distribution mechanism to make detection harder, however modern internet security desktop suites contain methods to detect unusual network operations even when the remote site is a well known site. They are also able to track what the running processes exactly does. It means that detection of malware like Stegoloader can be harder but not impossible. There are many ways to deliver harmful content including this steganography based one but there are other interesting way to distribute harmful code like embedded data into DNS queries and responses. Any of them can be in main-stream but it mainly depends how anti-malware vendors can react to these attacks. To protect an organization against attacks like this one it is worth to consider applying data sanitization techniques to remove any harmful content from images downloaded from the internet without losing important data."
Meanwhile, Martin Lee, intelligence manager with Houston based cloud security compliance specialist Alert Logic, warns "we are currently in an arms race between malware writers and the security industry. As security researchers become more adept in discovering malware, so malware writers must become more inventive in hiding their malware. In many ways, seeing malware writers deploying inventive strategies to disguise and hide their malware is proof that security solutions are making it difficult for malware to persist and that we are forcing malware writers to innovate. Even if this malware is hiding itself on the end point, the command and control traffic is still visible on the network. Monitoring for traffic to known command and control servers or anomalous traffic remains an excellent technique for identifying the presence of malware, even if identifying and reverse engineering the malware becomes more difficult."
