Secret messages. . .invisible ink. . .clandestine codes in a photograph. It all sounds like the stuff of Sherlock Holmes or “Mission Impossible”, but these tactics – and their progenitors – are finding their way into the malicious exploits used in the email attacks of today.
It’s called steganographic malware, or stegomalware for short. And at a time when employees take security awareness training to catch the latest spoofs, and email security solutions are expected to catch every errant piece of network traffic (and then some), stegomalware is defying them all.
Here’s how.
What is Stegomalware?
The term was reportedly introduced in 2014 in the context of mobile exploits by researchers at the Inscrypt conference in Beijing, and it has been a studied part of the threat landscape ever since.
Steganography is a word that broadly describes a host of tactics used to hide data in plain sight. Its goal is to make data invisible – which, in turn, is handy for attackers looking to do the same thing. Stegomalware, therefore, is a method of hiding malicious code within innocuous files like images so that the viewer or scanner only sees what the attacker wants them to see – a picture.
How Does Stegomalware Work?
Classic obfuscation techniques try to scramble malicious code, making it unreadable or unrecognizable to prying security solutions. Much of the time, this works. Reordered instructions, renamed packages, and added junk code can all help exploits evade detection.
But stegomalware is bolder: it keeps the carrier’s shape and hides in plain sight (well, plain enough). Most commonly, an image file is selected as the carrier, and there are several ways to do this:
- The easy way: A malicious string of data is appended directly to the end of an image file. The image still displays, because viewers stop reading at the image’s end marker, but the file is now carrying a payload. Even an entire file can be attached this way, for example as a RAR archive, since the archive tool searches for its own header rather than expecting it at the start of the file. The drawback for the attacker is that this bloats the file size and changes its hash, which makes it comparatively easy to detect.
- The binary alteration method: A more effective way for attackers to pull off stegomalware is to get down to the pixels and alter the data there. Each color pixel consists of three bytes (red, green, and blue, or RGB), and changing the low-order bits of each byte, the least significant bits (LSBs), barely alters the picture. The attacker co-opts those bits (the last four of each byte in this description; many implementations use only one or two, which is even harder to see) to carry the malicious payload, and then a program that knows the scheme reads them back out.
Dr. Steve Jeffery, Lead Solutions Engineer (UK) of Fortra’s Clearswift notes, “It’s going to change the color by such a tiny amount that no one’s going to notice a 1/65000th (i.e., 1 in 65,000) change in color. In fact, you won’t see anything different when you look at it.” And there lies the inherent danger.
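Both carrier techniques, as an added example that is not part of the original post or of Clearswift’s tooling: the code below builds a small synthetic PNG with the Python standard library only, appends a constructed payload after the image’s IEND chunk (the easy way), writes a second payload into the low-order bits of the pixel buffer (the binary alteration method), and reads it back out, which is the reversal described later in this post. The image, the payloads and the 4-bit default are assumptions chosen for illustration. A scanner can catch the appended variant by checking for bytes after IEND; the LSB variant leaves the file size and chunk layout unchanged, so that check does not see it.

```python
"""Added example (not Fortra's or Clearswift's code): the two carrier
techniques described above, on a synthetic in-memory image.
  1. "the easy way"      - payload appended after the PNG's IEND chunk
  2. "binary alteration" - payload written into the low-order bits of pixels
plus the checks a scanner can run against each. Only the standard library
is used; image and payloads are constructed here, not taken from a sample."""
import hashlib
import struct
import zlib

WIDTH, HEIGHT = 16, 16  # constructed carrier size (16x16 RGB = 768 bytes)


def make_pixels(width=WIDTH, height=HEIGHT):
    """Synthetic RGB buffer (a gradient), 3 bytes per pixel, row-major."""
    return bytearray((x * 37 + y * 59 + c * 11) % 256
                     for y in range(height) for x in range(width) for c in range(3))


def _chunk(tag, data):
    """One PNG chunk: length, tag, data, CRC32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def make_png(pixels, width=WIDTH, height=HEIGHT):
    """Wrap an RGB buffer in a minimal valid PNG (8-bit RGB, filter 0 per row)."""
    row = width * 3
    raw = b"".join(b"\x00" + bytes(pixels[y * row:(y + 1) * row]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


# --- 1. the easy way: tack the payload on after the image ends ------------
def append_payload(png, payload):
    """Viewers stop at IEND, so the picture still renders; the file just grew."""
    return png + payload


def trailing_data(png):
    """Walk the chunk list and return everything after IEND.
    b'' means clean; None means no IEND was found (malformed, reject)."""
    pos = 8  # skip the 8-byte PNG signature
    while pos + 8 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        tag = png[pos + 4:pos + 8]
        pos += 12 + length  # 4 length + 4 tag + data + 4 crc
        if tag == b"IEND":
            return png[pos:]
    return None


# --- 2. binary alteration: hide bits in each channel's low-order bits ------
def lsb_embed(pixels, payload, n_bits=4):
    """Overwrite the n low-order bits of every byte with payload bits.
    A 4-byte length prefix lets the reader know when to stop."""
    data = struct.pack(">I", len(payload)) + payload
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) > len(pixels) * n_bits:
        raise ValueError("payload too large for this carrier")
    keep = 0xFF ^ ((1 << n_bits) - 1)  # mask that preserves the high bits
    out = bytearray(pixels)
    for i in range(0, len(bits), n_bits):
        piece = bits[i:i + n_bits].ljust(n_bits, "0")
        idx = i // n_bits
        out[idx] = (out[idx] & keep) | int(piece, 2)
    return out


def lsb_extract(pixels, n_bits=4):
    """Reverse the process: read the low bits back out and reconstitute."""
    bits = "".join(f"{b & ((1 << n_bits) - 1):0{n_bits}b}" for b in pixels)
    length = int(bits[:32], 2)
    body = bits[32:32 + length * 8]
    return bytes(int(body[i:i + 8], 2) for i in range(0, len(body), 8))


def max_channel_delta(original, modified):
    """Largest per-byte change; bounds how visible the edit could be."""
    return max(abs(a - b) for a, b in zip(original, modified))


if __name__ == "__main__":
    pix = make_pixels()
    clean = make_png(pix)
    # 1. appended archive-style payload (constructed header, not a real RAR)
    stuffed = append_payload(clean, b"Rar!\x1a\x07\x00" + b"<constructed payload>")
    print("trailing bytes:", len(trailing_data(stuffed)), "size grew by",
          len(stuffed) - len(clean), "hash changed:",
          hashlib.sha256(clean).digest() != hashlib.sha256(stuffed).digest())
    # 2. LSB payload: same size, same chunk layout, nothing after IEND
    hidden = lsb_embed(pix, b"cmd: beacon")
    print("recovered:", lsb_extract(hidden), "max channel delta:",
          max_channel_delta(pix, hidden), "trailing bytes:",
          len(trailing_data(make_png(hidden))))
```

Run it as a script to see both variants side by side. With n_bits=1 the largest per-channel change drops from 15 to 1, which is why many implementations use only one or two bits; the trade-off is capacity, since a 16x16 RGB carrier holds 96 bytes at one bit per byte but 384 bytes at four.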
What Does Stegomalware Do?
At the end of the day, stegomalware hides malicious information in order to launch attacks, and it does so in a number of different ways. It can:
- Let processes exchange data covertly even when they are separated by an isolation boundary (different CPU cores, containers, or sandboxes).
- Create covert channels that exfiltrate data, slip past intrusion detection systems and traffic policies, and carry malicious command-and-control (C2) traffic.
- Fetch additional executables on demand, which keeps the initial footprint small, makes reconstruction of the attack more complex, and helps it escape antivirus solutions.
And the obvious one: it hides bad code in good places. The hidden content includes malicious libraries, scripts, and configuration files, and their hiding places are invariably innocuous. This helps attackers skirt content-filtering rules, detection engines, and even well-trained eagle eyes.
Where Can You Find Stegomalware?
That is the question, isn’t it? Jokes aside, stegomalware is popular in targeted phishing campaigns. The carrier can arrive in an inbox, in an instant message, on a social networking platform, or in a text, and in each of these channels it can take many forms.
While images are the most popular carrier, they certainly don’t have a monopoly on this type of exploit. Stegomalware spans the broad art of information hiding and, as such, uses other vehicles such as videos, messages, and other file types.
As Dr. Jeffery states, “You can hide it in anything.” And the worst part is that when those infected files arrive and get scanned, they look like perfectly sound, ordinary files. Thus, without the proper defense, stegomalware is a silent killer.
This defense is crucial because, as Jeffery notes, “[Once] you know that data’s in there, you can reverse the process, read those specific bits back out, and reconstitute the data.”
Steering Clear of Stegomalware
Unfortunately, there’s no surefire way to stay out of harm’s way on this one. Because of its sheer stealth, stegomalware may find its way into many networks. But once it starts to detonate its payload, those actions can be caught and undone, so a robust AI-based solution that spots anomalies, such as Fortra’s Cloud Email Protection, Digital Guardian’s Endpoint Detection & Response (EDR) and, when you’re ready to make the next move, Fortra’s XDR (Extended Detection and Response) platform, is a good place to start. Our next blog, How to Defend Against Stegomalware, is a good place to continue.