Steganography is a well-known concept: hiding secret data inside another, innocuous-looking carrier file. The carrier is usually an image, video or text file.
Unlike encryption, which is easy to recognise even when it cannot be broken, steganography is not obvious: one cannot tell that an image, video or text file carries hidden data just by looking at it. This is exactly what makes it attractive to attackers and cyber-criminals for exfiltrating data from an internal network.
In this article, I’ll be exploring a possible application of Steganography to distribute malware through traditional mediums such as email.
I’m using a malware sample that I recently acquired and analyzed: ste.exe, MD5 5cd2cbf405a8ed0cbc8ffcc39c0949e0. The sample is flagged as malicious on VirusTotal.
Splitting the Malware
Instead of embedding the complete malware sample in a single carrier file, it is better to split the binary into several parts and hide each part separately. In this case, I split the binary into five parts. I chose five arbitrarily; more pieces means each carrier holds a smaller fragment with less recognisable structure, which may help further.
nikhilh@ubuntu:~/Downloads/steg$ split --number=5 ste.exe
nikhilh@ubuntu:~/Downloads/steg$ ls xa*
xaa  xab  xac  xad  xae
Only the first piece was marked malicious (5/72) by VirusTotal – likely because of the PE header.
Time to Steg!
I’ve installed OpenStego on my Ubuntu machine and am using it to hide the malware pieces in images. It is open source and easy to use. A sample configuration for hiding data is shown in the snap below.
I’ve used five carrier images to hide the five pieces of malware. Each steg image is stored as a BMP file:
nikhilh@ubuntu:~/Downloads/steg$ ls *bmp
chrollo.bmp  ging.bmp  hisoka.bmp  killua.bmp  kurapika.bmp
None of the carrier files were marked malicious by VirusTotal after the malware pieces were embedded in them.
The above shows that steganography can get a known malicious sample past file-scanning AV engines (as on VirusTotal) with a fair probability. But why would an attacker use this tactic? Consider the following scenario:
You've posted on social media that you're looking to buy a house. If your social media handle is public, an attacker can see this. They could pose as a real estate agent and send you an email with attachments: floor plan images and a Word document describing their organisation. Each image would carry a separate piece of the malware. Say you download the attachments to look at later. The Word document would contain a macro which fetches OpenStego onto the victim machine, extracts the individual pieces from the images, combines them into one file and executes it in memory. Unlike a conventional downloader, the attacker does not have to rely on a C2 server to deliver the second-stage malware; the only thing fetched from the network in this scenario is a legitimate, publicly available tool.
A sample configuration for extraction is shown in the snap below:
nikhilh@ubuntu:~/Downloads/steg$ ls xa*
xaa  xab  xac  xad  xae
nikhilh@ubuntu:~/Downloads/steg$ cat xa* > malware
nikhilh@ubuntu:~/Downloads/steg$ file malware
malware: PE32 executable (GUI) Intel 80386, for MS Windows
The malware is functional after being extracted and recombined: file identifies the result as a PE32 executable, and because the pieces are concatenated in the order split produced them, the output should be byte-identical to the original. The quick check is to compare the output of md5sum malware with the hash given above (5cd2cbf405a8ed0cbc8ffcc39c0949e0).
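The whole split / hide / extract / recombine chain, as an added example that is not part of the original article and does not use OpenStego: a small pure-Python LSB embedder writes each piece, prefixed with a 4-byte length, into the least-significant bits of a separate carrier, and the pieces are then extracted and concatenated in order exactly like the cat xa* > malware step above. The carrier bytes (a stand-in for one 8-bit image channel), the five-piece count, the length-prefix format and the "MZ"-prefixed stand-in payload are all constructed here for the example; nothing in it is the article's sample or OpenStego's file format.

```python
"""Added example: split a payload into pieces, hide each piece in the LSBs of a
separate carrier, recover the pieces and verify the result. Stand-in for the
split / OpenStego / cat steps of the article, not the article's tooling."""
import hashlib
import random

PIECES = 5                 # same piece count as the article
CARRIER_BYTES = 128 * 128  # assumed: one 8-bit channel of a 128x128 image
HEADER_BYTES = 4           # per-carrier big-endian length prefix (assumed format)


def make_carrier(seed: int, n: int = CARRIER_BYTES) -> bytearray:
    """Constructed carrier: deterministic pseudo-random bytes standing in for pixel data."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(n))


def split_payload(data: bytes, n: int) -> list:
    """Cut data into n contiguous chunks of (nearly) equal size, like `split --number=n`."""
    size, rem = divmod(len(data), n)
    chunks, pos = [], 0
    for i in range(n):
        step = size + (1 if i < rem else 0)
        chunks.append(data[pos:pos + step])
        pos += step
    return chunks


def lsb_embed(carrier: bytearray, piece: bytes) -> bytearray:
    """Store length header + piece, one bit per carrier byte (MSB of each payload byte first)."""
    payload = len(piece).to_bytes(HEADER_BYTES, "big") + piece
    if len(payload) * 8 > len(carrier):
        raise ValueError("piece does not fit: %d bits needed, %d available"
                         % (len(payload) * 8, len(carrier)))
    out = bytearray(carrier)
    for i, byte in enumerate(payload):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return out


def _read_bytes(stego: bytearray, offset_bytes: int, count: int) -> bytes:
    """Reassemble `count` hidden bytes starting at hidden-stream byte index offset_bytes."""
    out = bytearray()
    for i in range(count):
        b = 0
        for bit in range(8):
            b = (b << 1) | (stego[(offset_bytes + i) * 8 + bit] & 1)
        out.append(b)
    return bytes(out)


def lsb_extract(stego: bytearray) -> bytes:
    """Read the length header, then exactly that many payload bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BYTES), "big")
    return _read_bytes(stego, HEADER_BYTES, length)


def hide_across_carriers(payload: bytes, seeds) -> list:
    """Split the payload and embed piece i into the carrier generated from seeds[i]."""
    pieces = split_payload(payload, len(seeds))
    return [lsb_embed(make_carrier(s), p) for s, p in zip(seeds, pieces)]


def recover(stegos) -> bytes:
    """The `cat xa* > malware` step: concatenate the extracted pieces in order."""
    return b"".join(lsb_extract(s) for s in stegos)


def max_byte_change(seeds, stegos) -> int:
    """Largest per-byte difference between each carrier and its stego copy (LSB embedding gives at most 1)."""
    return max(abs(a - b) for s, st in zip(seeds, stegos)
               for a, b in zip(make_carrier(s), st))


def demo_payload() -> bytes:
    """Constructed stand-in for the executable: an 'MZ' prefix plus pseudo-random bytes, not a real PE."""
    rng = random.Random(1)
    return b"MZ" + bytes(rng.randrange(256) for _ in range(4000))


if __name__ == "__main__":
    payload = demo_payload()
    stegos = hide_across_carriers(payload, list(range(PIECES)))
    recovered = recover(stegos)
    print("piece sizes   :", [len(p) for p in split_payload(payload, PIECES)])
    print("max byte change:", max_byte_change(range(PIECES), stegos))
    print("md5 original  :", hashlib.md5(payload).hexdigest())
    print("md5 recovered :", hashlib.md5(recovered).hexdigest())
    print("byte-identical:", recovered == payload)
```

Two checks worth keeping from this: no carrier byte changes by more than 1, which is why a file scanner that keys on byte patterns has nothing to match in the stego images, and the recovered bytes hash to the same value as the original, which is the test that should be run before claiming a recombined sample is intact.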
Is the above mentioned scenario possible? Is it useful to an attacker? Please let me know in the comments!
Detecting steganography is especially difficult. An answer from StackOverflow states:
There can be no universal algorithm to detect steganography. You can implement a series of tests against every known specific steganographic system in existence. But an attacker can use that as a test to develop a new form of steganography that bypasses all existing tests.
Another answer states:
To detect Steganography it really comes down to statistical analysis
Aletheia is an open source tool for image steganalysis that combines classical statistical attacks with machine-learning detectors. One of its statistical attacks is sample pairs analysis (SPA), described in the paper "Detection of LSB steganography via sample pair analysis" by Dumitrescu, Wu and Wang.
To detect the steganography performed by OpenStego, I'll use the sample pairs analysis mode in Aletheia.
Original image analysis:
nikhilh@ubuntu:~/Downloads/steg/aletheia$ ./aletheia.py spa ../hisoka.jpg
Using TensorFlow backend.
No hiden data found
Steg image analysis (the stego copy is a BMP, while the original was a JPEG):
nikhilh@ubuntu:~/Downloads/steg/aletheia$ ./aletheia.py spa ../hisoka.bmp
Using TensorFlow backend.
Hiden data found in channel R 0.2843646191333121
Hiden data found in channel G 0.3022934574290977
Hiden data found in channel B 0.27226889148257266
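What Aletheia's spa mode is computing, as an added example that is an independent re-implementation of the simplified sample pairs estimator from Dumitrescu, Wu and Wang and not Aletheia's code: the image is constructed (a smooth gradient with small symmetric noise, so adjacent pixels are correlated as in a photograph), the embedding routine simulates LSB replacement at a chosen rate, which is the operation SPA is designed to detect, and the 0.05 decision threshold is an assumed value. The number returned is the estimated fraction of pixels carrying a message bit and is not expected to match the per-channel scores Aletheia prints above.

```python
"""Added example: simplified sample pairs analysis (SPA) for LSB replacement,
after Dumitrescu, Wu and Wang, run on a constructed grayscale image before and
after embedding. Independent re-implementation, not Aletheia's code."""
import math
import random

WIDTH, HEIGHT = 256, 256  # assumed size of the constructed test image


def make_image(seed: int = 0, width: int = WIDTH, height: int = HEIGHT) -> list:
    """Constructed 8-bit grayscale image as a list of rows: a smooth gradient plus
    small symmetric integer noise, so neighbours are correlated. Not a real photo."""
    rng = random.Random(seed)
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            base = 128 + 50 * math.sin(x / 25.0) + 35 * math.cos(y / 35.0)
            row.append(max(0, min(255, int(round(base)) + rng.randint(-2, 2))))
        img.append(row)
    return img


def lsb_replace(img: list, rate: float, seed: int = 1) -> list:
    """Simulate LSB replacement at embedding rate `rate`: that fraction of pixels
    gets its least-significant bit overwritten by a random message bit."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for row in out:
        for x in range(len(row)):
            if rng.random() < rate:
                row[x] = (row[x] & 0xFE) | rng.randrange(2)
    return out


def spa_estimate(img: list) -> float:
    """Estimate the LSB-replacement rate p (fraction of pixels carrying a message
    bit) from horizontally adjacent sample pairs (u, v).

    X: v even and u < v, or v odd and u > v.   Y: v even and u > v, or v odd and u < v.
    K: u and v lie in the same LSB pair {2m, 2m+1}.  In an untouched image |X| ~ |Y|;
    LSB replacement moves pairs from X to Y, and p solves
        0.5*K*p^2 + (2X - N)*p + (Y - X) = 0,   N = number of pairs.
    """
    x = y = k = n = 0
    for row in img:
        for i in range(len(row) - 1):
            u, v = row[i], row[i + 1]
            n += 1
            if (v % 2 == 0 and u < v) or (v % 2 == 1 and u > v):
                x += 1
            elif (v % 2 == 0 and u > v) or (v % 2 == 1 and u < v):
                y += 1
            if u >> 1 == v >> 1:
                k += 1
    if k == 0:
        raise ValueError("no sample pairs share an LSB pair; SPA is undefined")
    a, b, c = 0.5 * k, 2 * x - n, y - x
    # Near full embedding the two roots coincide (discriminant ~ 0), so sampling
    # noise can push the discriminant slightly negative; clamp instead of crashing.
    disc = max(b * b - 4 * a * c, 0.0)
    roots = ((-b + math.sqrt(disc)) / (2 * a), (-b - math.sqrt(disc)) / (2 * a))
    return min(roots, key=abs)  # the root smaller in magnitude is the estimate


def hidden_data_found(img: list, threshold: float = 0.05) -> bool:
    """Decision rule: flag the image when the estimated rate exceeds the threshold (assumed value)."""
    return spa_estimate(img) > threshold


if __name__ == "__main__":
    clean = make_image()
    for rate in (0.0, 0.25, 0.5, 1.0):
        stego = lsb_replace(clean, rate)
        print("embedded at %.2f -> estimated %.3f, flagged=%s"
              % (rate, spa_estimate(stego), hidden_data_found(stego)))
```

Running the block prints the estimate for embedding rates 0, 0.25, 0.5 and 1.0. Two caveats carry over to real use: the estimator targets LSB replacement specifically (LSB matching, which adds or subtracts 1 instead of overwriting the bit, does not shift pairs from X to Y this way and is not caught by it), and the estimate gets noisier as the rate approaches 1 because the two roots of the quadratic merge.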
Special Mention: Cisco Stealthwatch
Stealthwatch uses security analytics to identify and mitigate threats. Using multi-layered machine learning, and without decrypting the traffic, it is designed to detect malware and data loss inside encrypted traffic, a capability Cisco describes as unique to Stealthwatch.
In this article, we looked at a possible application of steganography to distribute malware.
- We used OpenStego to hide and extract the malware.
- We verified that the malware was functional after extraction and recombination.
- We used Aletheia to successfully detect the steganography.
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
Feature image credits: https://towardsdatascience.com/steganography-hiding-an-image-inside-another-77ca66b2acb1