Researchers find multiple hacking groups are increasingly using the technique to hide stolen information inside images.
Researchers at the security firm Kaspersky Lab have identified a new, worrying trend: malicious hackers are increasingly using steganography, a digital version of an ancient technique of hiding messages inside images, to conceal the tracks of their malicious activity on an attacked computer. A number of malware operations aimed at cyberespionage, and several examples of malware created to steal financial information have recently been caught utilizing this technique.
In a typical targeted cyberattack, a threat actor — once inside the attacked network — establishes a foothold and then collects valuable information to subsequently transfer to the command and control server (C&C). In most cases, proven security solutions or professional security analytics are able to identify the presence of the threat actor in the network at each stage of an attack, including the exfiltration stage. This is because the exfiltration part usually leaves tracks, for example logged connections to an unknown or blacklisted IP address; however, when it comes to attacks where steganography is used, the detection of data exfiltration becomes a difficult task.
In this scenario, malicious users insert the information to be stolen right inside the code of a trivial visual image or video file which is then sent to the C&C. It is therefore unlikely that such an event would trigger any security alarms or data protection technology. This is because after modification by the attacker, the image itself would not be changed visually and its size and most other parameters would also not be altered, therefore not raising any cause for concern. This makes steganography a lucrative technique for malicious actors when it comes to choosing the way to exfiltrate data from an attacked network.
In recent months, Kaspersky Lab researchers have witnessed at least three cyberespionage operations utilizing this technique. More worryingly, the technique is also being actively adopted by regular cybercriminals – in addition to cyberespionage actors. Kaspersky Lab researchers have seen it used in updated version of Trojans including, Zerp, ZeusVM, Kins, Triton and others. Most of these malware families are generally targeting financial organizations and users of financial services. The latter could be a sign of the upcoming mass adoption of the technique by malware authors and – as an outcome – generally increased complexity of malware detection.
“Although this is not the first time we have witnessed a malicious technique, originally used by sophisticated threat actors, find its way onto the mainstream malware landscape, the steganography case is especially important,” said Alexey Shulmin, security researcher at Kaspersky Lab. “So far, the security industry hasn’t found a way to reliably detect the data exfiltration conducted in this way and the goal of our investigations is to draw industry attention to the problem and enforce the development of reliable yet affordable technologies, allowing the identification of steganography in malware attacks.”