Using Steganography to Distribute Malware?


Steganography is a well-known concept: hiding secret data inside another carrier file. The carrier is usually an image, video or text file.

Unlike encryption, steganography is not obvious to detect: one cannot tell that a carrier holds hidden data just by looking at the image, video or text file. It is this property that makes it attractive to attackers and cyber-criminals for exfiltrating data from an internal network.

In this article, I’ll be exploring a possible application of Steganography to distribute malware through traditional mediums such as email.

Malware Sample

I’m using a malware sample that I recently acquired and analyzed – ste.exe. Its MD5 hash is 5cd2cbf405a8ed0cbc8ffcc39c0949e0. The sample is malicious as seen on VirusTotal:


Splitting the Malware

Instead of embedding the complete malware sample in a single carrier file, it would be better to split the malware binary into multiple parts and then apply steganography. In this case, I split the malware binary into five parts. I randomly chose the number five, but in general having more pieces may be beneficial.

nikhilh@ubuntu:~/Downloads/steg$ split --number=5 ste.exe

nikhilh@ubuntu:~/Downloads/steg$ ls xa*
xaa xab xac xad xae

Only the first piece was marked malicious (5/72) by VirusTotal – likely because of the PE header.


Time to Steg!

I’ve installed OpenStego, an open source and easy-to-use tool, on my Ubuntu machine, and I’m using it to hide the malware pieces in images. A sample configuration to hide data is shown in the snap below.


I’ve used five carrier images to hide five pieces of malware. Each steg image is stored as a .bmp file.

nikhilh@ubuntu:~/Downloads/steg$ ls *bmp
chrollo.bmp ging.bmp hisoka.bmp killua.bmp kurapika.bmp

None of the carrier files were marked malicious by VirusTotal after the malware pieces were embedded in them.


Attacker Tactic

As shown above, steganography gives an attacker a fair chance of bypassing AV software. But why would an attacker use this tactic? Consider the following scenario:

You've posted on social media that you're looking to buy a house. If your social media profile is public, an attacker can see this. They could pose as a real estate agent and send you an email with attachments: floor plan images and a Word document describing their organization. Each image would carry a separate piece of the malware. Say you download the attachments for later viewing. The Word document would contain an embedded macro that downloads OpenStego to the victim machine, extracts the individual pieces of the malware from the images, combines them into one binary and executes it in memory. Unlike downloader malware, the attacker does not have to rely on a C2 server to deliver the second-stage malware.

A sample configuration for extraction is shown in the snap below:

nikhilh@ubuntu:~/Downloads/steg$ ls xa*
xaa xab xac xad xae

nikhilh@ubuntu:~/Downloads/steg$ cat xa* > malware

nikhilh@ubuntu:~/Downloads/steg$ file malware
malware: PE32 executable (GUI) Intel 80386, for MS Windows

The file command recognises the combined output as a PE32 executable, and the malware is functional after being extracted and recombined.

Is the above mentioned scenario possible? Is it useful to an attacker? Please let me know in the comments!

Detecting Steganography

Detecting steganography is especially difficult. An answer from StackOverflow states:

There can be no universal algorithm to detect steganography.

You can implement a series of tests against every known specific steganographic system in existence. But an attacker can use that as a test to develop a new form of steganography that bypasses all existing tests.

Another answer states:

To detect Steganography it really comes down to statistical analysis


Aletheia is an open source tool for image steganalysis that uses state-of-the-art machine learning techniques. It also incorporates many statistical analysis algorithms, one of which is sample pairs analysis. The paper describing the technique can be found here.

To detect the steganography performed by OpenStego, I’ll use the sample pairs analysis technique in Aletheia.

Original image analysis:

nikhilh@ubuntu:~/Downloads/steg/aletheia$ ./ spa ../hisoka.jpg
Using TensorFlow backend.
No hiden data found

Steg image analysis:

nikhilh@ubuntu:~/Downloads/steg/aletheia$ ./ spa ../hisoka.bmp
Using TensorFlow backend.
Hiden data found in channel R 0.2843646191333121
Hiden data found in channel G 0.3022934574290977
Hiden data found in channel B 0.27226889148257266
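To make the sample pairs test concrete, here is an added example (written for this article, not Aletheia's code) that implements the Dumitrescu, Wu and Wang estimator on one colour channel, embeds random bits by LSB replacement at a known rate into a constructed synthetic cover, and shows that the estimate tracks the true embedding rate. The synthetic_cover, lsb_embed and spa_estimate names are this example's own.

```python
import math
import random
from typing import List

Image = List[List[int]]  # rows of 8-bit sample values for one colour channel

def spa_estimate(img: Image) -> float:
    """Sample pairs analysis (Dumitrescu, Wu and Wang, 2003) over horizontally
    adjacent pixel pairs (u, v). Returns the estimated fraction p of pixels
    whose LSB carries a random message bit (0 = clean, 1 = fully embedded)."""
    x = y = z = gamma = 0
    for row in img:
        for u, v in zip(row, row[1:]):
            if u == v:
                z += 1                      # Z: identical samples
            elif (u < v) == (v % 2 == 0):
                x += 1                      # X: ordering matches the parity of v
            else:
                y += 1                      # Y: ordering contradicts the parity of v
            if u // 2 == v // 2:
                gamma += 1                  # same value once the LSB is dropped (Z + W)
    # In a clean image X and Y are expected to be equal; LSB flipping moves pairs
    # between the classes, giving (gamma/2) p^2 + (x - y - z) p + (y - x) = 0.
    a, b, c = gamma / 2.0, float(x - y - z), float(y - x)
    if a == 0:
        return 0.0
    disc = max(b * b - 4 * a * c, 0.0)      # clamp: noise can push a double root negative
    return (-b - math.sqrt(disc)) / (2 * a)  # the smaller root is the embedding rate

def synthetic_cover(size: int = 512, seed: int = 1) -> Image:
    """Constructed stand-in for a natural image: smooth shading plus mild sensor noise."""
    rng = random.Random(seed)
    return [[max(0, min(255, round(128 + 60 * math.sin(i / 20) * math.cos(j / 25)
                                   + rng.gauss(0, 3))))
             for i in range(size)] for j in range(size)]

def lsb_embed(img: Image, rate: float, seed: int = 2) -> Image:
    """Plain LSB replacement as used by simple hiding tools: a fraction `rate`
    of the pixels receives a random message bit in its least significant bit."""
    rng = random.Random(seed)
    return [[(px & ~1) | rng.getrandbits(1) if rng.random() < rate else px
             for px in row] for row in img]

if __name__ == "__main__":
    cover = synthetic_cover()
    for rate in (0.0, 0.5, 1.0):
        print(f"embedding rate {rate:.1f}: SPA estimate {spa_estimate(lsb_embed(cover, rate)):.3f}")
```

A real steganalysis run would apply the estimator to each channel of the suspect BMP separately, as Aletheia's output above shows; a slightly negative estimate on a clean image is normal statistical noise.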

Special Mention: Cisco Stealthwatch

Stealthwatch is based on NetFlow telemetry and is probably a strong contender for detecting steganography inline. According to the introductory video, Stealthwatch in 2 minutes:

Stealthwatch uses advanced security analytics to identify and mitigate threats. Using multi-layered machine learning and without decryption, Stealthwatch detects malware and data loss embedded in encrypted traffic. An industry standard only Stealthwatch provides.

Thanks for reading!

In this article, we looked at a possible application of steganography to distribute malware.

  1. We used OpenStego to hide and extract the malware.
  2. We were able to verify that the malware was functional after extraction and combination.
  3. We used Aletheia to successfully detect steganography.

Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!



  1. I think this is one of the so much significant info for me.
    And i am glad studying your article. But wanna remark on some normal
    things, The web site style is perfect, the articles is actually great : D.
    Good process, cheers
