“Stegomalware” is a relatively unknown term, but its name recalls its first cousin, the stegosaurus, whose armored exterior of kite-shaped plates along its back and spikes on its tail helps ward off predators, or in this case, bad actors.
To explain, steganography is becoming a more widely used email attack vector: malware hides malicious code in the pixels of an image by encoding information into the image's actual color values. In other words, it's a semi-low-tech yet innovative way of sneaking in a nefarious attack that is imperceptible to the human eye, and thus, it works.
In an interview with Dr. Steve Jeffery, Lead Solutions Engineer (UK) of Fortra’s Clearswift, we asked what it takes to defend against this hidden-in-plain-sight threat, as well as other commonly asked questions about stegomalware that are answered here.
Method 1: Stopping malicious clicks
To know how to defend against stegomalware – in its many forms – we first need to understand what those forms are. The first one? A multi-stage attack.
The Problem
It’s crucial to understand that a steganographic attack takes place in two parts:
- The malicious code is hidden within an image, attached file, etc.
- What triggers it to execute.
Dr. Jeffery explains, “There are generally two steps to this. There's the payload being removed from the steganography, but there's also a program they embed called a loader. That program is what's going to make that payload run.”
He notes that the loaders often escape detection because they look innocent; after all, they’re not malware in and of themselves. The routine that extracts the malware from the image is harmless-looking on its own, which makes it simple for the loader to slip into an organization's email infrastructure. That's understandable, but then how does the malicious part get in?
The Scenario
Commonly, attackers send a malware binary (e.g., a malicious executable like viruses, worms, and Trojans) via email, and those typically get blocked by email security tools (next-generation or not). However, in the case of stegomalware, they come via a Word document with macros embedded, and those have a higher chance of getting a passing score and entering undetected. Organizations roll the dice because those aren’t explicitly bad and threat actors bank on the fact that users still have to accept it on their end for it to run.
However, as Jeffery explains, “Humans like to click on that yes button, so it's quite easy to manipulate someone into pressing it. I've seen all sorts of lures on that such as, ‘If you can't read this document, it's because you haven't downloaded the right font pack. Press accept!’ And then the document will be in Wingdings font or something.”
The Solution
One way to combat a compulsive “trigger finger” is with consistent and solid Security Awareness Training (SAT), which teaches users to recognize those ploys (and many others), resulting in them staying away.
Another is a sandboxing tool or an advanced email security solution that can sanitize code within documents, per Jeffery’s suggestion. That way, even if (or when) your employees click a malicious link, the payload will detonate in a safe place and your network will be spared.
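The "sanitize code within documents" step above is the kind of thing an email gateway does before a macro-bearing attachment reaches a user. The following added example (not Clearswift's code, and not from the article) shows the idea on a constructed, minimal macro-enabled Word package: detect the VBA project part, then rebuild the package without it and without the content-type and relationship entries that point at it, so the result is a plain, macro-free document. The sample package, the helper names and the stripping logic are all assumptions made for this illustration; the content-type strings and part names are the standard Office Open XML ones.

```python
"""Added example: detect and strip VBA macro parts from an Office Open XML package."""
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Parts that hold VBA code or belong to it; their names are fixed by the OOXML spec.
MACRO_PARTS = ("vbaProject.bin", "vbaProject.bin.rels", "vbaData.xml")


def package_names(package: bytes) -> list[str]:
    """List the part names inside a package (helper for inspection and tests)."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.namelist()


def read_part(package: bytes, name: str) -> str:
    """Return one XML part of the package as text."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.read(name).decode("utf-8")


def has_macros(package: bytes) -> bool:
    """True if the package carries a VBA project part (vbaProject.bin)."""
    try:
        return any(n.endswith("vbaProject.bin") for n in package_names(package))
    except zipfile.BadZipFile:
        return False  # not an OOXML package at all; leave it to other scanners


def _scrub_xml(xml_bytes: bytes, ns: str, is_macro_ref) -> bytes:
    """Drop child elements that reference the VBA project and re-serialize."""
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        if is_macro_ref(el):
            root.remove(el)
        elif el.get("ContentType") == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)  # main part is no longer macro-enabled
    ET.register_namespace("", ns)  # keep the default namespace instead of ns0:
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def strip_macros(package: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package without VBA parts and without any references to them."""
    removed: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename.endswith(MACRO_PARTS):
                removed.append(item.filename)
                continue
            if item.filename == "[Content_Types].xml":
                data = _scrub_xml(data, CT_NS, lambda el: "vbaProject" in
                                  (el.get("PartName", "") + el.get("ContentType", "")))
            elif item.filename.endswith(".rels"):
                data = _scrub_xml(data, REL_NS,
                                  lambda el: el.get("Type", "").endswith("/vbaProject"))
            dst.writestr(item.filename, data)
    return out.getvalue(), removed


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled package for demonstration; not a real document."""
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            '</Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>',
        # Placeholder bytes standing in for the OLE container; constructed, not real VBA.
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder, not a real VBA project",
    }
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm()
    clean, gone = strip_macros(sample)
    print("macros before:", has_macros(sample), "after:", has_macros(clean), "removed:", gone)
```

The point of removing the relationship and content-type entries as well as the binary is that a package with dangling references is itself suspicious to downstream tools and may not open cleanly; a sanitizer should emit a document that is indistinguishable from one that never had macros. A gateway would typically quarantine the original and deliver the rebuilt copy, logging the removed part names.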
Method 2: Blocking the stegomalware itself
The first method of defense dealt with accepting the fact that the malware would enter and make the fallout as nonexistent as possible. The second method will hit the malware head-on by dealing with the steganography itself.
Jeffery reveals why steganographic malware is so hard to detect, noting that, “Because you don't know how it was encoded into the pixels in the first place, you can't reverse the process and see the data.” For this reason, even advanced email security solutions can’t directly do it.
However, as he states on behalf of Fortra’s Clearswift, “With steganography, it does it in a way that is undetectable to the human eye. However, we've got a mechanism which will disrupt it.” He continues, “If you use Clearswift's Secure Email Gateway, it has an anti-steganography feature. If you tick it, it will change every image that goes through the appliance.”
“This technique just makes subtle changes to the image to destroy the integrity of any hidden data, making it effectively unreadable,” Jeffery explains. “So, by combining those two defenses–the sandboxing/sanitization and the anti-steganography features–you're really giving yourself the best armor to defend yourself against these kinds of surreptitious attacks.”
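To make concrete why "subtle changes" are enough, here is an added example that is not Clearswift's code and not part of the article. It models a least-significant-bit (LSB) scheme, the simplest way of encoding data into an image's color values as described at the top of the post, and then applies a sanitizer that rewrites every channel's lowest bit with noise. Each pixel value moves by at most 1 out of 255, so the picture is visually unchanged, but the hidden bytes come back as garbage. The image is a constructed in-memory RGB array rather than a real file, the payload is a harmless text string, and the LSB-randomization mechanism is an assumption for this illustration; the article does not say how the gateway alters images.

```python
"""Added example: LSB steganography versus an LSB-randomizing image sanitizer.
Pure standard library; the image is a flat bytearray of 8-bit RGB channel values."""
import random


def make_sample_image(width: int = 32, height: int = 32) -> bytearray:
    """Constructed RGB gradient, 3 bytes per pixel, row-major (not a real picture)."""
    img = bytearray()
    for y in range(height):
        for x in range(width):
            img += bytes(((x * 255) // (width - 1), (y * 255) // (height - 1), 128))
    return img


def embed_lsb(image: bytearray, payload: bytes) -> bytearray:
    """Hide payload bits in the LSB of consecutive channel values, one bit each."""
    if len(payload) * 8 > len(image):
        raise ValueError("payload exceeds LSB capacity")
    out = bytearray(image)
    for i, byte in enumerate(payload):
        for b in range(8):
            bit = (byte >> (7 - b)) & 1
            idx = i * 8 + b
            out[idx] = (out[idx] & 0xFE) | bit
    return out


def extract_lsb(image: bytearray, nbytes: int) -> bytes:
    """Read nbytes back out of the LSB plane (what a loader would do)."""
    result = bytearray()
    for i in range(nbytes):
        byte = 0
        for b in range(8):
            byte = (byte << 1) | (image[i * 8 + b] & 1)
        result.append(byte)
    return bytes(result)


def disrupt_lsb(image: bytearray, seed: int) -> bytearray:
    """Sanitizer: overwrite every channel's LSB with a random bit.
    Every value changes by at most 1, which is imperceptible, but an LSB-encoded
    message is replaced by noise. Assumed mechanism for this example only."""
    rng = random.Random(seed)  # a real gateway would use a fresh, unpredictable source
    return bytearray((v & 0xFE) | rng.getrandbits(1) for v in image)


def max_channel_delta(a: bytearray, b: bytearray) -> int:
    """Largest per-channel difference between two equally sized images."""
    return max(abs(x - y) for x, y in zip(a, b))


def bit_error_rate(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length byte strings."""
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return diff / (8 * len(a))


def demo() -> dict:
    """Embed, sanitize, and measure what survives."""
    payload = b"constructed payload, not malware"  # 32 bytes, 256 LSBs
    cover = make_sample_image()
    stego = embed_lsb(cover, payload)
    sanitized = disrupt_lsb(stego, seed=2024)
    after = extract_lsb(sanitized, len(payload))
    return {
        "recovered_before": extract_lsb(stego, len(payload)),
        "recovered_after": after,
        "stego_delta": max_channel_delta(cover, stego),        # embedding is invisible too
        "sanitize_delta": max_channel_delta(stego, sanitized),  # so is the sanitizer
        "ber_after": bit_error_rate(payload, after),            # about 0.5, i.e. noise
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same experiment shows the defender's trade-off: the sanitizer is cheap and keeps the image visually intact, but it only defeats schemes that live in the bit plane it rewrites. Gateways that re-encode or resample images disturb more of the signal and therefore cover more embedding methods, at the cost of slightly larger visible changes; either way, the aim is to make the hidden data unreadable without needing to know how it was encoded, which is exactly the detection gap Jeffery describes.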
Staying strong against steganographic malware
So, the key is shoring up the security of your email environment to stay strong against steganographic malware. And these solutions are only the beginning. If you want to hear more about stegomalware making its way into your network, and how to recognize the risks, watch Dr. Jeffery's on-demand webinar, “Is Malware Using Steganography on Your Network?”, and you’ll discover:
- How steganography exploits images;
- How malware leverages steganography;
- How steganography bypasses security controls;
- How to protect your network;
- And more.
Attackers are getting sneakier, stealthier, and just plain better at what they do. But you can keep up with them by leveraging Fortra’s line of powerful, advanced email security solutions. Threat actors might be clever, but we’re clever too. Learn more about Clearswift and how it can help your organization keep out bad actors who are gunning for your inbox!