In a potentially worrisome trend for enterprises, threat actors have increasingly begun using the ancient technique of steganography to conceal data theft and other malicious activity on compromised systems.
Steganography is a term that describes the practice of hiding secret text messages and other content inside other non-secret messages — like innocuous-looking blocks of text or images.
Security researchers at Kaspersky Lab this week said they have come across at least three major cyberespionage campaigns in the past few months where threat actors have used steganography to hide stolen data and to communicate with command and control servers.
In these campaigns, threat actors have exfiltrated data from victim organizations by hiding it inside the code of seemingly ordinary image or video files and sending it to C&C servers. The modifications to the images or video files are so minute that they usually have gone unnoticed and typical endpoint antimalware tools and APT tools are not designed to look for or spot data exfiltration that takes place this way.
In addition to APT campaigns, there have been several instances recently where ordinary cybercriminals have used the technique in conjunction with malware tools, such as the Zeus banking Trojan and the Shamoon disk-erasing malware. The latter trend in particular suggests that malware writers are on the verge of adopting steganography on a mass scale, Kaspersky Lab researchers said in a blog this week.
"Most modern anti-malware solutions provide little, if any, protection from steganography," said Kaspersky Lab security researchers Alexey Shulmin, Evgeniya Krylova. As a result, any "carrier" such as a digital image or a video file that can be used to conceal stolen data, or communications between a malware program and a command and control server, poses a potential threat, they said.
Krylova told Dark Reading that organizations need to pay attention to the trend.
"Although steganography was used in ancient centuries, it is still actively used today by different malware authors and APT actors," she says. "This trend has been increasing over the last several years, even though it can be detected by different security suites, using mathematical and statistical methods."
Stegcontainers — or the object in which the payload is concealed - can take multiple forms, Krylova says. For instance, Kaspersky Lab has observed threat actors using audio files, text files, and even domain names, to hide data and C&C communications.
"But the primary concern is images," she notes. In most cases, the main payload that is being concealed within these images are conversations with the command and control server, commands received from the C&C and stolen files, she says.
The only one limitation on what threat actors can or cannot hide using steganography is the size of the container, Krylova says. "This is because you won’t be able to hide a lot of information in a container without visual distortion.”