Visible to the public SoS Musings #23 - Unveiling Steganographic CyberattacksConflict Detection Enabled

SoS Musings #23

Unveiling Steganographic Cyberattacks

Steganography is a method that can be used by hackers to deliver malware in a secretive manner. The concept behind steganography is to communicate data covertly via a format that conceals the sending of that data. The technique that is steganography differs from cryptography in that the communication of data is concealed, not just the data itself. Steganography is applied by hackers when they hide malicious data or malware in or by way of image files, video clips, audio files, and other unsuspecting mediums. This is an attractive method to hackers because most users would not suspect that such objects would launch attacks upon being opened. As there are many ways in which steganography can be performed by hackers, most modern anti-malware solutions are still incapable of fully protecting against this type of attack and this calls for the development of other defensive strategies.

There is a number of different ways in which steganography can be performed by hackers. According to a CUIng team of experts, the goals of cybercriminals in the use steganography are to search for, examine, and access targets as well as circumvent detection and cover their tracks of malicious activity. During the different stages of an attack, steganography can be applied through the use of information-hiding techniques, including anonymization, traffic-type obfuscation, code obfuscation, and more. Information that can be hidden by using steganography, includes the identities cybercriminals, communication between attackers, content, and malicious code. Older notable examples of malware in which steganography was used, include AdGholas, FAKEM, Vawtrack, Stegano, and RedBaldKnight. AdGholas was a 2015 malvertising campaign in which encrypted malicious JavaScript code was hidden in images displayed by rogue ads, infecting thousands of computers and making it difficult for security firms to detect the impacted sites and ad networks. FAKEM also known as a family of Remote Access Trojans (RATs) avoided being detected by mimicking legitimate network traffic such as that of the now discontinued Yahoo! Messenger. Vawtrack is another malware that applied the technique of steganography by hiding its updated files in Favicons, which are small icons used to represent a website that appears in the address bar of a web browser. In 2016, an exploit kit, called Stegano, allowed malicious JavaScript code to be hidden in the pixels of banner ads for products, named "Browser Defence" and "Broxu". Such incidents highlight how the performance of steganography is versatile.

Attacks in which steganography is weaponized by hackers continue as indicated by recent reports. A malvertiser targeting Apple users, called VeryMal, was recently reported by Confiant and Malwarebytes to be distributing malicious Javascript code via images contained by online banner ads, allowing the code to bypass security filters. Once the VeryMal payload is executed, victims are redirected to sites where they are tricked into downloading fake Adobe Flash updates containing a strain of Mac malware, called Shlayer. Matthew Rowan, a researcher at Bromium recently discovered a malware campaign targeting Italian users in which an image of Super Mario is used to conceal malicious code that leads to the launch of the Ursnif banking Trojan. A new type of malware makes use of memes posted on Twitter to hide the communication of attackers with malware. According to security researchers at Trend Micro, two memes posted on Twitter were found to be malicious as they were embedded with commands that would be used to instruct malware to perform activities such as capture screenshots of a victim's infected computer, gather system information, capture clipboard content and more. Steganographic attacks are expected to rise in frequency and sophistication.

Research and development in the study of digital steganalysis must continue in order to combat steganographic threats and attacks. Steganalysis is the study or process of detecting information that has been concealed using steganography. Research was conducted at Ben-Gurion University of the Negev (BGU) towards preventing the use of internet videos and images to execute cyberattacks. Through this research, a series of algorithms have been developed to prevent the infiltration and extraction of information via videos and images, thus helping to combat the use of steganography by attackers. In addition, as a result of the growing use of steganography by hackers, the Criminal Use of Information Hiding (CUIng) Initiative has been established, which gathers experts and researchers in academia, industry, law enforcement agencies, and institutions, to address the problem of malicious use of steganography by cybercriminals. It is important to continue raising awareness and increasing the sharing of intelligence about steganography for the advancement of defense methods as more cybercriminals utilize this technique.