The Rise of Stegware


Stegware seems to be the newest gimmick for cyber-criminals. Using steganography, the practice of hiding data (in this case malicious code) inside an image, video, or other innocuous-looking file, attackers have found yet another way to get malware past security tools.
 
Steganography itself is an ancient discipline: Herodotus records its use around 440 BC, when a Greek ruler tattooed a message onto the shaved head of a slave, waited for the hair to grow back, and sent him to his allies. Now cyber-criminals have seized on it as a way to attack their targets stealthily.
 
By hiding malicious code in file types that standard, structured-data-oriented security tools do not analyse closely, attacks avoid the notice of traditional anti-malware and gateway inspection systems. The concealment is invisible to the human eye, because the changes to an image's pixel values are far too small to see, but software that knows the scheme can read the hidden data back out.

The carrier file itself cannot run. What the technique buys the attacker is a seemingly benign picture or sound file that passes into the target's environment unchallenged; a small loader already on the host (a script, a document macro, or a first-stage implant) then extracts the hidden payload and executes it once it is past the perimeter defences.
 
Most recently, the OceanLotus group has been observed using .png image files to conceal its Denes and Remy backdoor loaders. Another campaign spread the PowLoad downloader using steganography to launch fileless attacks. The Cardinal RAT has also been seen scurrying into networks embedded in Bitmap (.bmp) images.
 
Use of steganography has surged in recent months, with a number of actors exhibiting a variety of tactics. In many cases attackers hide code in picture files, concealing it within the pixel data of an image. Social media has also been used as command and control for stegware, with images and tweets carrying the commands that activate the malware on an infected device.
 
In other cases, steganography has been used to exfiltrate data. The most notable recent case is that of Xiaoqing Zheng, a General Electric engineer who stole industrial secrets from his employer and smuggled them out to his personal email account hidden in the binary data of a photograph of a sunset. Data-loss-prevention software often misses such a getaway for the same reason malware-analysis tools do: it pattern-matches content it can parse, and the stolen files are no longer recognisable as content once they have been spread across the pixels of an image.
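Both the delivery case above (a loader pulling code out of an image) and the exfiltration case (files hidden in a sunset photograph) rest on the same mechanism: the least significant bit of each colour sample is overwritten with one bit of the payload, so the file stays a perfectly valid image. The following is an added example written for this article, not code from the page or from any of the campaigns it names. It uses only the Python standard library, constructs its own small carrier image and payload, and writes and re-parses a real PNG so that the point about structural checks passing can be seen directly.

```python
"""LSB steganography in a structurally valid PNG (added example, not the page's code).

Hides an arbitrary payload in the least significant bit of each RGB sample of a
constructed image, writes a real PNG, re-parses it the way a viewer or gateway
would (chunk lengths and CRCs verified) and recovers the payload.
"""
import struct
import zlib

WIDTH, HEIGHT = 64, 64          # constructed carrier: 64*64*3 = 12288 samples
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_pixels(width=WIDTH, height=HEIGHT):
    """Constructed gradient image as a flat bytearray of 8-bit RGB samples."""
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += bytes(((x * 4) & 0xFF, (y * 4) & 0xFF, (x + y) & 0xFF))
    return px


def embed(pixels, payload):
    """Write a 4-byte length prefix plus payload, one bit per sample LSB, MSB first."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for this carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit     # each sample changes by at most 1
    return out


def extract(pixels):
    """Inverse of embed(): read the length from the first 32 LSBs, then the payload."""
    def read(n, start):
        buf = bytearray()
        for k in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + k * 8 + i] & 1)
            buf.append(byte)
        return bytes(buf)
    length = struct.unpack(">I", read(4, 0))[0]
    return read(length, 32)


def _chunk(tag, body):
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def to_png(pixels, width=WIDTH, height=HEIGHT):
    """Minimal PNG encoder: 8-bit RGB, no interlace, filter type 0 on every row."""
    rows = b"".join(b"\x00" + bytes(pixels[y * width * 3:(y + 1) * width * 3])
                    for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows, 9)) + _chunk(b"IEND", b""))


def from_png(blob):
    """Parse a PNG written by to_png(), checking every chunk CRC; return the samples."""
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(blob):
        length, tag = struct.unpack(">I4s", blob[pos:pos + 8])
        body = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            raise ValueError("corrupt chunk %r" % tag)
        if tag == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    raw, stride, pixels = zlib.decompress(idat), width * 3 + 1, bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is handled in this example")
        pixels += row[1:]
    return pixels


def max_sample_delta(a, b):
    """Largest per-sample difference between two images (LSB embedding gives 1)."""
    return max(abs(x - y) for x, y in zip(a, b))


def round_trip(payload):
    """Embed, serialise to PNG, re-parse, extract. Returns (png_bytes, recovered)."""
    stego_png = to_png(embed(make_pixels(), payload))
    return stego_png, extract(from_png(stego_png))


if __name__ == "__main__":
    secret = b"constructed sample: contents of a stolen design file"
    png, got = round_trip(secret)
    print(len(png), "bytes of valid PNG; recovered:", got)
```

The stego file parses, its CRCs verify and no sample differs from the clean image by more than 1, which is why a gateway that only validates the container, or a DLP engine that only parses text, finds nothing. The channel is fragile, though: any gateway that re-samples or lossily recompresses images on the way through destroys the LSB payload, whereas a lossless PNG-to-PNG re-encode does not, and a bit-for-bit carrier change only shows up to tools that compare against a known original or apply statistical tests to the LSB plane.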
 
Steganography may be a new tactic for most cyber-criminals, but it is only a small part of a much larger strategy that relies heavily on stealth. The better they can outwit perimeter security, the more effectively they can reach an enterprise's critical data and systems.
 
Of course, the real key for enterprises is not a renewed focus on endpoint and gateway detection features; it is a change in mindset. In many ways we are still wedded to the fortress model of security, which holds that if your walls are high enough you can face down any threat. That may once have been true, but in the long years since that mindset made sense, cyber-criminals have been busily building trebuchets, grappling hooks, invisibility cloaks and guard disguises to get inside the fortress.

Steganography is just one technique. Many newer techniques piggyback on legitimate traffic and applications to ride inside. Anti-virus engines, for example, rely heavily on detecting malware in files through blacklists and signatures: a match means the engine blocks the file from download, installation or execution. Anything that arrives without a recognisable file never produces that match.

Fileless attacks, which made up 35% of all attacks last year according to the Ponemon Institute, avoid that detection technique entirely. PowerWare, for example, is launched from a document macro and runs its ransomware logic in PowerShell, a legitimate Microsoft scripting engine, entirely in memory: it never writes a suspicious executable to disk and appears to be just another normal process on the victim host.
 
Attackers also use double extensions to disguise their intentions and outwit both users and security defences. Windows decides how a file opens from its last extension only, so a phishing attachment named updatedaccountlist.exe.png is treated as an image and will not run. The trick that works is the reverse, updatedaccountlist.png.exe: the file is an executable, but because Explorer hides known extensions by default, the user sees only "updatedaccountlist.png" and launches the malware believing it to be a picture.
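To make the display rule concrete, here is an added example (mine, not the page's) that models what Explorer shows under its default "Hide extensions for known file types" setting and flags attachment names whose real type is executable while the visible name suggests an image or document. The extension lists are illustrative, not an exhaustive catalogue of what Windows will run.

```python
"""Deceptive double extensions (added example, not the page's code).

Windows acts on the LAST extension.  With Explorer's default setting a known
extension is hidden, so "report.png.exe" is displayed as "report.png" while
still running as an executable.  These helpers model that rule and triage names.
"""
import os

# Illustrative sets, not exhaustive (assumption for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
BENIGN_LOOKING_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".doc", ".docx",
                       ".xls", ".xlsx", ".txt"}
KNOWN_EXTS = EXECUTABLE_EXTS | BENIGN_LOOKING_EXTS


def real_extension(filename):
    """The extension Windows acts on: the last one, compared case-insensitively."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename, hide_known=True):
    """What Explorer shows; the final extension disappears when it is a known type."""
    stem, ext = os.path.splitext(filename)
    return stem if hide_known and ext.lower() in KNOWN_EXTS else filename


def is_deceptive(filename):
    """True when the file would execute but the visible name ends in a benign-looking type."""
    if real_extension(filename) not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return shown_ext in BENIGN_LOOKING_EXTS


def triage(filenames):
    """Map each attachment name to whether it should be quarantined for review."""
    return {name: is_deceptive(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name, flagged in triage(["updatedaccountlist.exe.png",
                                 "updatedaccountlist.png.exe",
                                 "Invoice.PDF.SCR", "setup.exe"]).items():
        print(f"{name:32} shown as {displayed_name(name):28} deceptive={flagged}")
```

Note that the attachment name quoted in the article, updatedaccountlist.exe.png, is reported as harmless by this check for the same reason Windows would not run it: its real type is PNG. The dangerous form is the one where the executable extension comes last and is hidden from the user.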

Businesses and browsers that use encryption give attackers more disguise options. Attackers carry out many of their attack stages by tunnelling within approved business traffic, and not just on the way in: command-and-control callbacks, lateral movement inside the network, and carrying the treasure back out all ride the same encrypted channels.
 
With such determined adversaries, the modern security model must assume the attacker will get inside the castle. This is the long-standing idea of defence in depth: when the first line fails, the second and third lines stand ready. Enterprises have to build proactive visibility, detection and response throughout the fortress, including the castles in the cloud. Technically, that means visibility that goes beyond inspecting the north-south corridor of traffic (what comes in and goes out) to monitoring the internal, east-west corridor between systems as well.

The modern equivalents of searchlights and patrols are monitoring of privileged accounts, devices and applications, where unusual behaviour receives prompt and targeted attention from the security operations team. In addition, encrypted-traffic analysis lights up attempts to hide within standard, approved business activity.

This full spectrum of visibility and detection lets you spot the later stages of an attack. By capturing the evidence as it happens, you can also respond the right way, right away, and perhaps avoid the coup de grâce where the real damage to data and systems is done.
 
The attackers, whether you know it or not, have already made it past the walls and are manoeuvring through the dark corners where most enterprises do not look. Stegware is merely the newest stage in a long-term development: attacks getting quieter and ever more creative at slinking past the solutions we think protect us.
