Security vendor Kaspersky has warned that the use of steganography by hackers is on the rise. Steganography is an old technique in which messages are hidden inside other, innocuous-looking content, classically images. With the rise of the digital image it is easier than ever to hide data inside a picture, because most image formats contain a lot of space in which extra data can sit without visibly altering the picture. If that data is encrypted before being hidden, it becomes harder still to detect.
Alexey Shulmin, security researcher at Kaspersky Lab said: “Although this is not the first time we have witnessed a malicious technique, originally used by sophisticated threat actors, find its way onto the mainstream malware landscape, the steganography case is especially important.
“So far, the security industry hasn’t found a way to reliably detect the data exfiltration conducted in this way and the goal of our investigations is to draw industry attention to the problem and enforce the development of reliable yet affordable technologies, allowing the identification of steganography in malware attacks.”
How are hackers using steganography?
Kaspersky reports that it is seeing several different uses of steganography. It has identified images being distributed that carry malware designed to steal financial information. A bigger issue, however, is the use of steganography to conceal the theft of data.
For any data breach to be effective it is necessary to exfiltrate data from the enterprise. An insider can copy data to portable devices, which often goes undetected. Another successful attack vector is sending large amounts of data to a printer, where the attacker has redirected the print queue so that the data is saved as files and then transferred to their own device. This often works because of poor printer security and unprotected wireless access.
Other types of exfiltration require data to be sent to a command and control (C&C) server. IT security teams are getting better at spotting this type of attack. They are sharing more data and making better use of security intelligence to identify C&C servers, which allows them to block data being moved out of the enterprise. Even where the traffic is encrypted using SSL, there are ways for an enterprise to spot data being moved.
By using steganography, hackers can exfiltrate data hidden inside image or video files. The latter are useful carriers because they are generally large. If the IT security team grabs the images or video they see nothing wrong, because the files display as normal. It is only by examining the data that makes up the files in detail that the attack is spotted.
How real a threat is this?
That’s a good question. There are a lot of potential attacks reported by security vendors that never become serious. Part of that could be because of the warnings. However, there are so many warnings at the moment that IT security teams are beginning to ignore them.
Kaspersky says that it has seen three different cyberespionage attacks using steganography in recent months. It also reports that the technique is now being used by a wider group of cybercriminals. They are using it to get malware inside the enterprise when people click on the images. Those images are sent either in email or are hosted on social media.
The researchers' view
Kaspersky researchers Alexey Shulmin and Evgeniya Krylova have published a blog looking in more detail at these attacks. They list a number of malware programmes and cyberespionage attacks using steganography including:
- Microcin (AKA six little monkeys);
- Enfal (its new loader called Zero.T);
- Triton (Fibbit).
The blog also shows a number of images and how the malicious code is hidden in them. This is the sort of information that all security researchers should know about. The authors point out that detecting an attack using steganography isn't necessarily difficult: once a security analyst has access to the image they should be able to tell whether it is a risk. The problem is that this requires the analyst to have eyes on the image. Unlike other methods of attack detection, the authors say, detecting steganography-based attacks is hard to automate.
They do describe two different statistical analysis methods for spotting such attacks. Both methods are over 15 years old, which shows that the risk from steganography has been known about for a long time. It also demonstrates how hard such attacks can be to detect.
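As an added illustration of what such a classical statistical test looks like (example code written for this article, not taken from the Kaspersky blog, which does not name its methods here), the following implements the chi-square "pairs of values" attack on least-significant-bit embedding published by Westfeld and Pfitzmann in 1999, with a Wilson-Hilferty approximation of the chi-square CDF so it needs only the standard library. The pixel data is constructed rather than read from a real image, and the "stego" sample simply has every LSB replaced by a random bit, which is the statistical footprint of a full encrypted payload.

```python
import math
import random

def lsb_pairs_chi_square(samples):
    """Pairs-of-values chi-square statistic (Westfeld and Pfitzmann, 1999)
    over 8-bit sample values; returns (chi2, degrees_of_freedom). Random
    bits in the LSBs make the two values of each pair (2k, 2k+1) equally
    likely, so the even-value counts hug the pair mean and chi2 collapses."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2.0
        if expected > 0:
            chi2 += (hist[2 * k] - expected) ** 2 / expected
            pairs += 1
    return chi2, pairs - 1

def chi_square_cdf(chi2, dof):
    """Wilson-Hilferty normal approximation of the chi-square CDF
    (stdlib only; accurate to a few decimals once dof is in the tens)."""
    if dof <= 0:
        return 1.0
    mean, sd = 1.0 - 2.0 / (9.0 * dof), math.sqrt(2.0 / (9.0 * dof))
    z = ((chi2 / dof) ** (1.0 / 3.0) - mean) / sd
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def embedding_probability(samples):
    """Westfeld's 'probability of embedding', 1 - CDF(chi2): values near 1
    mean the LSB plane is statistically indistinguishable from random bits."""
    chi2, dof = lsb_pairs_chi_square(samples)
    return 1.0 - chi_square_cdf(chi2, dof)

def constructed_samples(seed=1, n=40000):
    """Constructed data, not a real image: a cover whose histogram favours
    even values (a quantisation-like asymmetry), and the same samples with
    every LSB replaced by a random bit, the footprint of a full payload."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        v = max(0, min(255, int(rng.gauss(120, 40))))
        cover.append(v & 0xFE if rng.random() < 0.3 else v)
    stego = [(v & 0xFE) | rng.getrandbits(1) for v in cover]
    return cover, stego

if __name__ == "__main__":
    cover, stego = constructed_samples()
    print("cover p(embedding) =", round(embedding_probability(cover), 4))
    print("stego p(embedding) =", round(embedding_probability(stego), 4))
```

Real detectors run this over sliding windows of the file so that partially filled carriers also stand out, and the test is blind to embedding schemes that preserve the pair statistics, which is exactly why the blog's authors call automated detection hard.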
Each image has to be analysed separately by the security analyst. In the case of a video that means each frame needs to be looked at. Depending on the video format (PAL or NTSC) each minute of video can have between 1,440 and 1,800 frames. That makes working through video a very time consuming process.
What does this mean?
As with many other attacks, hackers do not have to create new attack methods to outwit security. Instead they are reusing older techniques that are difficult to detect but very effective. Very few organisations pay much attention to the use of images in email or on their servers. Video is increasingly used to deliver training and marketing material and is driving some of the biggest growth in Internet traffic. Both are also pervasive on social media channels and web pages.
Should organisations be banning or restricting the use of images and video? No. Such a move would be counterproductive to the business and incredibly hard to police and monitor. What is needed are better tools to begin detecting these attacks. Unsurprisingly, Kaspersky is using this press release and blog to promote its own solution, and other vendors will have their own tools. Irrespective of whose tools are used, IT security teams need to start paying more attention to images and video.