Hiding in Plain Sight: How Malware Can Be Concealed Using Steganography in Images?

In cybersecurity, attackers constantly evolve and develop new ways to conceal malicious code within files. One such method is steganography, the practice of hiding secret information within an ordinary, non-secret message or file. In the context of digital images, steganography involves embedding secret data within the pixels of an image without affecting its visual appearance.

While steganography can be used for legitimate purposes, such as protecting sensitive information, it can also be used by attackers to hide malware within seemingly innocent files. Malware hidden in images using steganography can evade detection by traditional antivirus software, making it an effective tool for attackers.

To hide malware within an image using steganography techniques, attackers typically follow these steps:

1. Selecting an image file: Attackers typically choose a common image format such as JPEG, PNG, or BMP as the carrier file for their malware. The chosen file should be sufficient to hold the malware payload without significantly affecting the file size or visual appearance.
2. Creating a malware payload: The malware payload is the code or data the attacker wants to hide within the image. The payload can be any type of malware, such as a virus, trojan, or backdoor.
3. Encoding the payload: The payload is then encoded using steganography techniques to create a new image file. The payload is embedded within the image by modifying the least significant bits of the pixel values. Since the modifications are minor and the overall color values of the pixels are not significantly affected, the human eye cannot detect any changes in the image.
4. Distributing the image: The attacker then distributes the image file containing the hidden malware through various channels such as email, social media, or malicious websites. Once the image file is downloaded and opened, the hidden malware payload can be executed, potentially causing harm to the victim's system.

Detecting steganography is difficult for anti-malware tools because the modifications made to an image are so small. Additionally, steganography attacks typically appear as zero-day threats, making detection even more challenging.
One example of malware that uses steganography is LokiBot, which steals sensitive information such as usernames, passwords, and cryptocurrency wallets. LokiBot installs itself as a .jpg and .exe file, with the .jpg file unlocking the data needed for implementation.
 

New LokiBot Malware Variant Uses Steganography to Hide Its Code
LokiBot, a malware family first known for stealing information and keylogging, has been updated with new capabilities to improve its ability to evade detection. A recent analysis of a new LokiBot variant by Trend Micro Research revealed that the malware now employs steganography. This technique allows it to hide its code within an image file. The malware also uses an updated persistence mechanism and spam mail containing malicious ISO file attachments for delivery.

For example, Trend Micro discovered the new LokiBot variant when a Southeast Asian company subscribed to the firm's Managed Detection and Response service received an email containing a potentially malicious attachment and alerted them. The email contained an attachment allegedly from a confectionery company in India. Still, the sender's name and email signature did not match, and the email's IP address was known to be malicious.

The malware is installed as %Temp%[filename].exe, along with %temp%[filename].jpg, which contains encrypted binary data used throughout the unpacking stages until the main LokiBot code is decrypted in memory. Once decrypted, the malware steals credentials from the target application.

By using steganography, LokiBot adds an additional layer of obfuscation to its code and uses a Visual Basic script file interpreter to execute its code instead of executing the malware itself. This technique makes it harder to detect and analyze the malware.
 

How to protect yourself
To protect against image steganography, organizations should pay close attention to each image and use image editing software to look for indicators of steganography. They should also segment the network, configure anti-malware to detect binders, install applications with trusted signatures, monitor outgoing traffic, and control the use of steganography software. In addition, Protectstar recommends using behavioral AI software to detect the execution of malicious code, regardless of whether it originates from an image or other file or even if it is fileless malware, such as Antivirus AI can do.

Hackers are constantly developing new ways to evade detection, and image steganography is an old-school technique that has resurfaced in a more sophisticated form. Image steganography involves hiding code within an innocuous image, making it difficult for cybersecurity experts to detect. Hackers have used this method to hide information in plain sight, using legitimate services such as free image hosting services to spread their malware to as many users as possible.

It's easy for hackers to conceal malicious code in digital content by altering pixels to embed malware. As the differences in color values between altered and unaltered pixels are undetectable by human eyesight, scanning every image for hidden data is time-consuming for machines, especially when the threat is unknown. Image steganography can be used to hide the payload within the code itself or to call additional code or executables associated with attacks.
 

Steganography's limited delivery mechanism translates into low frequency and cannot achieve the high volumes that cybercriminals traditionally prefer. However, image steganography toolkits are widely available, with hundreds of free apps on the market, making it easy for an amateur with malicious intent to abuse them. The history of steganography dates back to the ancient world when secret messages were hidden in wax tablets or under the text of innocent-looking letters. The techniques and tools for steganography have evolved and have been used for various purposes, from military communications to digital piracy.

In the modern digital age, steganography has become an important tool for hackers to conceal malware and carry out cyberattacks. Image steganography, in particular, is widely used by attackers to hide malicious code in plain sight, making it difficult for traditional antivirus software to detect.

To prevent steganography-based attacks, organizations can use specialized security tools that can analyze image files for the presence of hidden data. In addition, anti-malware software that includes steganography detection capabilities can also effectively identify and block malware hidden in images.

In addition, organizations should follow best practices for cybersecurity, such as regularly updating software and operating systems, using strong passwords, and avoiding suspicious links and attachments in emails. Employee training and awareness programs can also help educate staff on how to recognize and respond to cyber threats.

As the threat landscape evolves, organizations must remain vigilant and proactive in their cybersecurity efforts to protect against steganography-based attacks and other emerging threats. Organizations can reduce their risk and enhance their overall cybersecurity posture by taking a multi-layered approach to security and utilizing advanced technologies such as CDR.
 

Learn more

Antivirus AI:
https://www.protectstar.com/en/products/antivirus-ai

Firewall AI:
https://www.protectstar.com/en/products/firewall-ai

LokiBot Gains New Persistence Mechanism, Steganography:
https://www.trendmicro.com/en_us/research/19/h/lokibot-gains-new-persistence-mechanism-uses-steganography-to-hide-its-tracks.html