How to Prevent Steganography Attacks
Steganography is an ancient craft of concealing information in paintings or other works of art. Many artists have used the technique to hide their signatures and other secret messages inside their artworks.
Origin of the Word “Steganography”
Rulers also used this data-hiding method to send private messages to their soldiers during wars. The word ‘steganography’ comes from Greek: it combines steganos, meaning ‘concealed’, and graphein, meaning ‘writing’.
How do These Attacks Work?
Threat actors use steganography as an attack tool to conceal malicious code (usually JavaScript) and malware inside files, then distribute those files to victims. When the target opens the file, the code embedded in it runs automatically and infects the system. Depending on the victim profile, cybercriminals employ different kinds of steganography attacks:
- Image Steganography
- Text Steganography
- Video Steganography
- Audio Steganography
- Other forms of steganography, using whatever file type is most likely to attract the target
Popular Incidents
From dark web vendors to ransomware groups, a wide range of threat actors have used this technique to hide data. One of the first effective examples was the Duqu malware, uncovered in 2011: its creators encrypted data and embedded it in a JPEG image file. In recent years, state-sponsored threat groups such as OceanLotus, Platinum, and Vixen Panda have relied on steganography to cloak encrypted payloads or to maintain persistence on compromised systems.
Moreover, RedBaldKnight built tools that can generate, embed, and hide executable code. Pirate Panda concealed the patterns of its backdoor, bypassing anti-malware and network perimeter detection.
Ransomware groups have also discovered that steganography can help them carry out their attacks. For example, Cerber and SyncCrypt hid different pieces of their code in multiple images, and TeslaCrypt placed its content in HTML comment tags on a 404 page that looked like an ordinary error page. Stegoloader encrypted links to web pages and hid them in a white BMP file carrying a second payload.
Threat actors have used steganography in crypto-mining attacks as well. For instance, a security firm uncovered an attack campaign targeting the Docker platform in which the attacker embedded an ELF binary in an image file to evade detection by numerous anti-malware products.
Protection Against Steganography Attacks
Steganography is considerably easier to use than many other attack vectors, while defending against it is considerably harder, because cybercriminals keep becoming more creative and innovative.
Organizations should adopt modern endpoint security systems that go beyond basic protection methods such as static checks and signatures: code masked in images and other forms of obfuscation are far more likely to be noticed dynamically by a behavioral system.
An image file that is unusually large may hint that it carries steganographic content. Also, because encryption and obfuscation are easier to catch at the endpoint, organizations should focus their detection efforts there. Companies should train employees that image files can harbor malicious code, deploy internet filtering for secure browsing, and keep up to date with the latest security patches.
A reliable host-based anti-malware solution will identify actions based on the decrypted commands: it detects concealed malicious code and its loaders using heuristic, behavioral, machine-learning, and other methods. Network monitoring can also help identify newly delivered steganographic malware or outbound stolen data.
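Two of the hints above (the attack flow in "How do These Attacks Work?", where a payload rides inside an image, and the "unusually large image file" rule of thumb in this section) can be turned into a concrete endpoint check. The following is an added example written for this article, not SOCRadar's or any vendor's code. It walks the structure of a PNG or JPEG to find where the image really ends and reports any bytes appended after that point, and for PNG it compares file size with the uncompressed pixel size declared in the header. The sample images are constructed in the script itself: the PNG is a real, valid image; the JPEG is a marker skeleton (SOI, APP0, SOS, scan data, EOI) that exercises the marker walker but is not a decodable picture. Function names and the 8000-byte appended payload are assumptions made here for the demonstration.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8"


def png_chunk(ctype, body):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width, height):
    """Constructed sample: a valid 8-bit grayscale PNG, all pixels black."""
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + scanline
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_MAGIC + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw))
            + png_chunk(b"IEND", b""))


def make_fake_jpeg():
    """Constructed sample: a JPEG marker skeleton only (not a decodable picture).
    The scan data contains a stuffed FF 00 and an RST0 marker, which a naive
    search for FF D9 must not confuse with the end of the image."""
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + 4) + b"JFIF"
    sos = b"\xff\xda" + struct.pack(">H", 2 + 1) + b"\x01"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return JPEG_MAGIC + app0 + sos + scan + b"\xff\xd9"


def png_end_offset(data):
    """Walk the chunk list; return the offset just past the IEND chunk's CRC."""
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None  # malformed: no IEND chunk


def jpeg_end_offset(data):
    """Walk JPEG marker segments; return the offset just past the EOI (FF D9)
    that terminates the main image. Thumbnails embedded in APPn segments are
    skipped with their segment, so their own EOI is not mistaken for the end."""
    pos = 2  # past SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None  # expected a marker here: malformed
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte
            pos += 1
            continue
        if marker == 0xD9:            # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:            # SOS: entropy-coded data runs until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def trailing_bytes(data):
    """Bytes after the image's structural end; > 0 means something was appended.
    Returns None for unsupported or malformed input."""
    if data.startswith(PNG_MAGIC):
        end = png_end_offset(data)
    elif data.startswith(JPEG_MAGIC):
        end = jpeg_end_offset(data)
    else:
        return None
    return None if end is None else len(data) - end


def png_size_ratio(data):
    """File size divided by the uncompressed pixel size declared in IHDR.
    PNG is losslessly compressed, so a ratio well above 1.0 is the kind of
    'unusually large image' hint the article describes."""
    w, h, depth, ctype = struct.unpack(">IIBB", data[16:26])
    channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}[ctype]
    raw = h * (1 + (w * channels * depth + 7) // 8)
    return len(data) / raw


def scan_image(data):
    """Return a list of human-readable findings for one image; empty means clean."""
    findings = []
    extra = trailing_bytes(data)
    if extra is None:
        findings.append("unsupported or malformed image structure")
    elif extra > 0:
        findings.append(f"{extra} bytes appended after end-of-image marker")
    if data.startswith(PNG_MAGIC) and png_size_ratio(data) > 1.0:
        findings.append(f"file larger than raw pixel data (ratio {png_size_ratio(data):.2f})")
    return findings


if __name__ == "__main__":
    clean = make_png(64, 64)
    stego = clean + b"X" * 8000          # constructed: payload appended after IEND
    for name, img in (("clean.png", clean), ("stego.png", stego),
                      ("skeleton.jpg", make_fake_jpeg()),
                      ("skeleton+tail.jpg", make_fake_jpeg() + b"abc")):
        print(name, scan_image(img) or "no findings")
```

A positive result from either heuristic is a triage signal, not proof: appended bytes can be benign metadata from some editors, and the size ratio only covers the crude "append a blob" technique, not least-significant-bit embedding inside the pixel data. In practice such a check belongs in a mail or web gateway sandbox or an endpoint pipeline that hands flagged files to the behavioral analysis the article recommends.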