There’s no denying the importance of communication. Businesses cannot function without the proper means of communication, such as phone calls, faxes, emails, text messages, and more. However, not all forms of communication are secure, meaning the information transferred by them doesn’t always stay confidential. This is where steganography comes into play.  

What is steganography?

Steganography is the practice of concealing a message within another message. Unlike cryptography, where the message is scrambled into an encrypted form, a steganographic message is hidden in plain sight. More recently, cybercriminals have been using steganography to deploy sophisticated attacks. Steganography can be practiced within an image or within any anonymous software available on the web.

Steganographic payload images

Most of us are familiar with memes—often an image with a caption—but did you know some memes can contain hidden commands to malware that could compromise your devices? Unfortunately, they can and do.

Researchers at Trend Micro have identified a recent piece of malware that responds to executable commands embedded in a meme posted on Twitter. So does this mean you’ll be infected with malware every time you view an image on Twitter? No, because this particular steganographic image can only affect devices already infected with the right malware.

Steganographic images are embedded with instructions from anonymous command and control servers. When a malware-infected device views a steganographic image, the malware on this device will respond to the executable commands embedded in the image, often using a seemingly harmless command (in this case, the /print command) that sends screenshots back to cybercriminals. Other similar commands can retrieve a list of running processes, capture clipboard content, and retrieve usernames and filenames from infected devices.

Security solutions are constantly being updated with lists of malicious IP addresses and snippets of code used in malware. This, however, is a reactive process—hackers are always trying out new attack vectors. That’s why some hackers have started using widely trusted websites like Twitter to execute certain steps of steganographic payload cyberattacks.

Several malware variants have been discovered that use steganography in their attack strategies, including Microcin, NetTraveler, Zberp, Kins, ZeusVM, and Triton.

These payloads may fly under the radar of many security solutions, but there are a few detection procedures—like the histogram method and the RS (regular/singular) method—that can help with identifying them.  
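As an added illustration (not code from the original article or from any product it mentions), the sketch below implements one common form of histogram analysis, the pairs-of-values chi-square test, on the assumption that this is what "the histogram method" refers to. The function names and both pixel samples are constructed for the example.

```python
import math
import random
from collections import Counter

def pov_chi_square(pixels, min_pair_total=10):
    """Pairs-of-values chi-square test on 8-bit samples.

    Returns (chi2, dof, p), p ~ P(chi-square with dof >= chi2). A p near 0
    means the natural even/odd imbalance is intact; a p that is not small
    means the pairs are equalised, as when LSBs carry random-looking data.
    """
    hist = Counter(pixels)
    chi2, dof = 0.0, 0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        if a + b < min_pair_total:
            continue  # too few samples for the chi-square approximation
        chi2 += (a - b) ** 2 / (a + b)  # one degree of freedom per pair
        dof += 1
    if dof == 0:
        return 0.0, 0, 0.0  # nothing to test: report no evidence
    # Wilson-Hilferty normal approximation to the chi-square upper tail
    spread = math.sqrt(2 / (9 * dof))
    z = ((chi2 / dof) ** (1 / 3) - (1 - 2 / (9 * dof))) / spread
    return chi2, dof, 0.5 * math.erfc(z / math.sqrt(2))

def constructed_cover(n=20000, seed=1):
    """Constructed sample: grey levels whose LSB is 1 only ~30% of the time."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        base = min(254, max(0, int(rng.gauss(128, 20)))) & ~1
        out.append(base | (1 if rng.random() < 0.3 else 0))
    return out

def constructed_stego(cover, seed=2):
    """Constructed sample: same pixels with every LSB replaced by a random bit."""
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in cover]

if __name__ == "__main__":
    cover = constructed_cover()
    for name, px in (("cover", cover), ("stego", constructed_stego(cover))):
        chi2, dof, p = pov_chi_square(px)
        print(f"{name}: chi2/dof = {chi2 / dof:.2f}, p = {p:.4f}")
```

The test only flags images whose least significant bits have been overwritten across most of the sample with data that looks random; a payload confined to a small fraction of the pixels will not equalise the pairs enough to stand out.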

Best practices against steganographic payloads

Though the histogram and RS methods can help with analyzing and identifying payloads, you can enforce a few best practices in your IT environment to prevent them from ever affecting your organization’s devices. You should:  

  1. Harden software distribution procedures so that users cannot download software from untrusted sources, as untrusted software may contain steganographic code embedded in it. Blacklisting and whitelisting software also comes in handy here.

  1. If you suspect an image could contain malicious code, look at the image with the help of image editing software. If there are duplications of any colors in the image or if the image size is larger than usual, this could indicate a steganographic attack.

  1. Partition your network to reduce the impact should any devices in your network fall victim to a steganographic attack.

  1. Monitor outbound traffic with proper firewall policies to identify any anomalous behavior.  

  1. Blacklist malicious websites using proper browser security procedures.

  1. Define proper email policies and configurations to prevent users from downloading attachments from unknown senders that may contain files and images with embedded steganographic code.

  1. Limit user privileges on network shares and drives to avoid allowing payloads to spread across all devices.

Utilizing the above best practices inside your organization can reduce the chances of devices being exposed to steganographic cyberattacks. Best practices like file auditing, automated patch management, browser security management, email security management, and malware detection can reduce your chances of falling victim to steganography-based threats.

giridhara.mr@zohocorp.com
Product Evangelist