Using Steganography to Distribute Malware?

ka1d0
5 min read · Apr 20, 2019

Steganography is a well-known concept. It involves hiding secret data inside another carrier file. In general, the carrier is usually an image, video or text file.

Unlike encryption, steganography is not obvious to detect: one cannot tell that steganography was used just by looking at an image, video or text file. It is this property that makes it attractive to attackers and cyber-criminals for exfiltrating data from an internal network.

In this article, I’ll be exploring a possible application of Steganography to distribute malware through traditional mediums such as email.

Malware Sample

I’m using a malware sample that I recently acquired and analyzed — ste.exe. The threat intel analysis can be found here. The sample is malicious as seen on VirusTotal:

Splitting the Malware

Instead of embedding the complete malware sample in a single carrier file, it would be better to split the malware binary into multiple parts and then apply steganography. In this case, I split the malware binary into five parts. I randomly chose the number five, but in general having more pieces is beneficial.

nikhilh@ubuntu:~/Downloads/steg$ split --number=5 ste.exe
nikhilh@ubuntu:~/Downloads/steg$ ls xa*
xaa xab xac xad xae

Only the first piece was marked malicious (5/72) by VirusTotal — likely because of the PE header.


Time to Steg!

I’ve already installed OpenStego on my Ubuntu machine. It is the application that I’ve used for steganography. It is open source and easy to use.

A sample configuration to hide data is shown in the snap below.

I’ve used five carrier images to hide five pieces of malware. Each steg image is stored as a .bmp file.

nikhilh@ubuntu:~/Downloads/steg$ ls *bmp
chrollo.bmp ging.bmp hisoka.bmp killua.bmp kurapika.bmp

None of these steg files were marked malicious by VirusTotal.


Attacker Tactic

We’ve seen above that steganography can bypass AV software with a fair probability. But why would an attacker use this tactic? Consider the following scenario:

You've posted on social media that you're looking to buy a house. Assuming that your social media handle is public, an attacker could view this information. They could pose as a real estate agent and send you an email with attachments: floor plan images and a Word document describing their organization. These images would have separate pieces of the malware embedded in them. Say you download these attachments for later viewing. The Word document would have an embedded macro which downloads OpenStego on the victim machine, extracts the individual pieces of the malware from the images, combines them into one and executes it in memory. Unlike downloader malware, the attacker does not have to rely on a C2 server to provide the second-stage malware.

A sample configuration for extraction is shown in the snap below:

nikhilh@ubuntu:~/Downloads/steg$ cat xa
xaa xab xac xad xae
nikhilh@ubuntu:~/Downloads/steg$ cat xa* > malware
nikhilh@ubuntu:~/Downloads/steg$ file malware
malware: PE32 executable (GUI) Intel 80386, for MS Windows

We can see that the malware is functional after being extracted and combined.

Is the above mentioned scenario probable? Is it useful to an attacker? Please let me know in the comments!

Detecting Steganography

Detecting steganography is especially difficult. An answer from StackOverflow states:

There can be no universal algorithm to detect steganography. You can implement a series of tests against every known specific steganographic system in existence. But an attacker can use that as a test to develop a new form of steganography that bypasses all existing tests.

Another answer states:

To detect Steganography it really comes down to statistical analysis.

Aletheia

Aletheia is an open source tool for image steganalysis that uses state-of-the-art machine learning techniques. It also incorporates many statistical analysis algorithms, one of which is sample pairs analysis. The whitepaper on the concept can be found here.

To detect the steganography performed by OpenStego, I’ll use the sample pairs analysis technique in Aletheia.

Original image analysis:

nikhilh@ubuntu:~/Downloads/steg/aletheia$ ./aletheia.py spa ../hisoka.jpg
Using TensorFlow backend.
No hiden data found

Steg image analysis:

nikhilh@ubuntu:~/Downloads/steg/aletheia$ ./aletheia.py spa ../hisoka.bmp
Using TensorFlow backend.
Hiden data found in channel R 0.2843646191333121
Hiden data found in channel G 0.3022934574290977
Hiden data found in channel B 0.27226889148257266
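To show what the sample pairs analysis above is actually computing, here is an added, self-contained pure-Python version of the technique (not Aletheia's code and not part of the original post). It builds a constructed grayscale cover, simulates LSB replacement at a chosen rate, and estimates the embedding rate from horizontal pixel pairs; a colour image would be analysed one channel at a time, which is why Aletheia reports R, G and B separately.

```python
import random

def make_cover(width=256, height=256, seed=1):
    """Constructed grayscale cover: a slow 2-D ramp plus small iid noise (no real image)."""
    rng = random.Random(seed)
    img = []
    for yy in range(height):
        row = []
        for xx in range(width):
            v = 40 + xx // 6 + yy // 8 + rng.randint(-1, 1)
            row.append(min(255, max(0, v)))
        img.append(row)
    return img

def lsb_embed(img, rate, seed=2):
    """Simulate LSB replacement: a random `rate` fraction of pixels gets a random bit."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for row in out:
        for i in range(len(row)):
            if rng.random() < rate:
                row[i] = (row[i] & ~1) | rng.randint(0, 1)
    return out

def spa_estimate(img):
    """Sample Pairs Analysis (Dumitrescu, Wu, Wang 2003) over horizontal pixel pairs (u, v).
    Returns the estimated fraction of pixels carrying an embedded bit; ~0 for a clean image."""
    x = y = k = total = 0
    for row in img:
        for u, v in zip(row, row[1:]):
            total += 1
            if u // 2 == v // 2:
                k += 1          # |W| + |Z|: u and v share the same LSB pair (2n, 2n+1)
            if (v % 2 == 0 and u < v) or (v % 2 == 1 and u > v):
                x += 1          # |X|
            elif (v % 2 == 0 and u > v) or (v % 2 == 1 and u < v):
                y += 1          # |Y|; a clean image has |X| ~ |Y|, LSB writing breaks that
    if k == 0:
        return 0.0
    # The embedding rate p solves (|W|+|Z|)/2 * p^2 + (2|X| - |P|) * p + (|Y| - |X|) = 0
    a, b, c = k / 2.0, 2 * x - total, y - x
    disc = max(0.0, b * b - 4 * a * c)   # sampling noise can make this slightly negative near p = 1
    return (-b - disc ** 0.5) / (2 * a)  # the smaller root is the estimate

if __name__ == "__main__":
    cover = make_cover()
    for label, img in (("clean", cover), ("50% LSB", lsb_embed(cover, 0.5)),
                       ("100% LSB", lsb_embed(cover, 1.0))):
        print(f"{label:9s} estimated embedding rate: {spa_estimate(img):.3f}")
```

A clean image comes out near zero while the embedded versions come out near their true rate, which is the same kind of per-channel number Aletheia printed above; like any statistical steganalysis it gives an estimate, not proof, so a threshold (Aletheia treats roughly 0.05 as suspicious) is still a judgement call.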

Special Mention: Cisco Stealthwatch

While I don’t have the software resources to understand Cisco Stealthwatch, it certainly seems interesting. It is based on NetFlow technology and probably is a mighty contender to detect steganography inline. According to the introductory video, Stealthwatch in 2 minutes,

Stealthwatch uses advanced security analytics to identify and mitigate threats. Using multi-layered machine learning and without decryption, Stealthwatch detects malware and data loss embedded in encrypted traffic. An industry standard only Stealthwatch provides.

Thanks for reading!

In this article, we looked at a possible application of steganography to distribute malware.

  1. We used OpenStego to hide and extract the malware.
  2. We were able to verify that the malware was functional after extraction and combination.
  3. We used Aletheia to successfully detect steganography.

Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!

P.S. I also write on my blog https://0x90sploiter.wordpress.com.

Feature image credits: https://towardsdatascience.com/steganography-hiding-an-image-inside-another-77ca66b2acb1
