Steganography: How secret code in media files becomes a threat to IT security
by Tina Siering
What is steganography and how does it work today?
Steganography is a term borrowed from the Greek, composed of the two words στεγανός for "covered, concealed" and γραφία for "writing". Steganography describes the process of concealing messages in a carrier medium. The information is hidden in such a way that a third party looking at the carrier sees nothing unusual and cannot even tell that secret information is present. This is what distinguishes it from encryption: encryption makes a message unreadable, steganography makes its very existence invisible.
The use of steganography can be traced back to antiquity. A rather elaborate procedure from ancient Greece is recorded by Herodotus. To transport information securely from one place to another, the "means of transport" was a slave. First the slave's head was shaved and a message was tattooed on the scalp. Once the hair had grown back completely, the slave was sent to the recipient. Another shave of the head followed, and the message became visible.
Another example from the distant past is the use of wax tablets, a common writing medium in ancient times. Messages were normally scratched into the wax. To disguise a secret message, it was carved into the wood underneath, wax was poured over it, and an innocuous message was then written on the wax.
Pictures are also well suited to hiding secret messages; Leonardo da Vinci is often said to have left hidden messages in his works. Or think of older spy films, in which agents smuggled secret information out of enemy headquarters on microfilm. With the microdot technique, a page of text is photographically reduced to the size of a typewriter full stop: illegible to the naked eye and extremely easy to hide.
Today steganography is digital, and that makes it particularly dangerous, because malicious code or attacker instructions can be hidden inside ordinary image, audio or video files that open and play normally. Digital steganography is commonly divided into five types:
- Image steganography - Hidden data in image files
- Video steganography - Hidden data in video files
- Text steganography - Coded information in text files
- Audio steganography - Secret messages embedded in audio signals
- Network steganography - Information embedded in network protocol fields, padding or packet timing
The most common form of steganography today is hiding malware or its configuration in image files. Attackers have it easy here: the free command-line tool Steghide embeds arbitrary data in JPEG, BMP, WAV or AU files with a single command, writing the payload into the cover file's own sample data rather than into a separate metadata field. The hidden information is not visible to the naked eye and the carrier remains a valid, fully viewable image. The prepared image is then sent as an e-mail attachment, placed on websites or distributed as a meme on Twitter. One caveat a defender should keep in mind: the hidden bytes do not execute on their own. Something on the victim's machine, usually a loader or bot that has already been planted, has to extract and interpret them. The big security problem: tools for steganography are easily available, and at the same time most security tools do not flag the manipulated file because, to them, it is simply a well-formed image.
How do hackers use steganography for their purposes?
Although in principle any digital object (such as a text document, a license key, or even a file name) is suitable for hiding information, cyber attackers rely primarily on photo, video and audio files. These media files are much larger than, for example, text documents, so additional embedded data can be hidden far more inconspicuously. Images are extremely popular, in the form of memes shared on social networks or pornographic content. Technically, a digital image is nothing more than a grid of pixels, each storing the colour to be displayed. In the common 24-bit RGB format each pixel uses one byte per colour channel. If an attacker overwrites only the lowest one or two bits of each channel (least-significant-bit, or LSB, embedding), every channel value changes by at most 1 to 3, a difference the eye cannot see. Scale that up to the millions of pixels in a modern photo and an image offers hundreds of kilobytes of hiding space. What sounds technically sophisticated does not require professional expertise in reality. Although there are specialists who write their own embedding code, a quick look at the Darknet usually suffices, where ready-made tools and code are available for download.
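The LSB scheme described above, as an added illustration that is not code from the article or from any tool it mentions: each colour channel of a 24-bit RGB image donates its lowest bit, a 32-bit length prefix tells the extractor how many bytes to read, and a synthetic "image" (a list of RGB tuples) stands in for a real file so the block runs without an image library. The length-prefix convention, the `make_cover` image and the sample bot-command string are this example's own assumptions.

```python
"""LSB image steganography: hide bytes in the lowest bit of each colour
channel of a 24-bit RGB image and read them back.

Added illustration, not the article's code and not Steghide's algorithm.
The image is a constructed list of (R, G, B) tuples; the 32-bit length
prefix and the one-bit-per-channel layout are this example's own choices.
"""
import random

HEADER_BITS = 32  # constructed convention: payload length in bytes, big-endian


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(pixels) -> int:
    """Bytes that fit when each of the three channels carries one bit."""
    return (len(pixels) * 3 - HEADER_BITS) // 8


def embed(pixels, payload: bytes):
    """Return a copy of `pixels` with `payload` written into the channel LSBs.

    Each channel value changes by at most 1, which is why the stego image
    is visually indistinguishable from the cover image.
    """
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("payload does not fit in this cover image")
    stream = _bits(len(payload).to_bytes(4, "big") + payload)
    out = []
    for pixel in pixels:
        new = []
        for value in pixel:
            bit = next(stream, None)
            new.append(value if bit is None else (value & 0xFE) | bit)
        out.append(tuple(new))
    return out


def extract(pixels) -> bytes:
    """Read the LSB stream back: first the length prefix, then that many bytes."""
    values = (v for pixel in pixels for v in pixel)

    def take(n: int) -> int:
        acc = 0
        for _ in range(n):
            acc = (acc << 1) | (next(values) & 1)
        return acc

    length = take(HEADER_BITS)
    return bytes(take(8) for _ in range(length))


def max_channel_delta(cover, stego) -> int:
    """Largest per-channel difference between cover and stego image."""
    return max(abs(a - b) for p, q in zip(cover, stego) for a, b in zip(p, q))


def make_cover(width=64, height=64, seed=1):
    """Constructed cover: a noisy gradient standing in for a photograph."""
    rng = random.Random(seed)
    return [
        ((x * 4) & 0xFF, (y * 4) & 0xFF, rng.randrange(256))
        for y in range(height)
        for x in range(width)
    ]


if __name__ == "__main__":
    cover = make_cover()
    secret = b"/print;/processos"  # constructed stand-in for bot commands
    stego = embed(cover, secret)
    print("capacity:", capacity_bytes(cover), "bytes")
    print("max channel change:", max_channel_delta(cover, stego))
    print("extracted:", extract(stego))
```

A 64 by 64 cover already holds about 1.5 KB, enough for a command list or a C2 address, and the largest change to any channel value is 1. A real embedding tool would additionally encrypt the payload and spread the bits pseudo-randomly across the image instead of writing them sequentially from the top-left corner, which is what makes the simple sequential layout shown here easy to spot statistically.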
So how exactly is steganography used, and for what purpose? The method is particularly popular in cyber espionage. Once an attacker has penetrated a network and collected sensitive data, that data has to be sent "outside" without being noticed, usually to so-called command-and-control (C2) servers, from which the attackers run the campaign. While security tools and IT security staff keep a close eye on outgoing data traffic, unremarkable media files leaving the network often stay under the radar.
Information hidden in media files can also be used to control an attack on a victim's computer directly. In a campaign reported in 2018, cyber attackers relied on memes distributed via Twitter. The memes, innocuous and amusing images that were harmless in themselves, served as a communication channel for malware that had already been planted on the victims' machines. The malware fetched the tweet, decoded the instructions hidden in the image, and went to work: taking screenshots of the desktop, copying data, collecting information about running processes. The supposedly funny images thus caused serious damage to the affected systems.
The Difficulty of Detecting Steganographic Code
Toolkits for steganographic attacks are cheap, readily available and do not look like typical hacking tools. No wonder manipulated media files are an extremely attractive attack vector for cybercriminals, and one that is hard to detect. Even continuously updated virus scanners regularly fail to flag prepared media files.
Bypassing these protection tools with a supposedly harmless file works because most malware protection products use signatures, that is, they look for byte patterns of known malicious code. A steganographic carrier offers no such pattern: the file is a valid image, and the embedded configuration (for example a list of bot commands) is spread across pixel bits or tucked into metadata where no signature matches. What signatures can catch is the loader on the endpoint that extracts the payload, which is why the carrier file alone should never be the only thing a defender looks at.
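Since signatures have nothing to match in the carrier, a scanner can instead check the file's structure for things a legitimate image never needs. The following added example, which is not code from the article or from any product named on this page, parses a PNG chunk by chunk and reports bytes appended after the IEND chunk, text or metadata chunks large enough to carry a payload, private chunk types, and chunks whose CRC no longer matches their data. The 1 KiB metadata threshold and the sample PNGs are this example's own constructed assumptions; no real image file is needed.

```python
"""Structural checks a scanner can run on a PNG without any malware signature.

Added illustration, not code from the article or from any named product.
The 1 KiB metadata threshold is an assumption; the sample images are built
in-line so the block runs offline.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
METADATA_LIMIT = 1024  # assumption: larger text chunks deserve a closer look


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=1, height=1, extra_chunks=(), trailer=b"") -> bytes:
    """Constructed minimal 8-bit RGB PNG; `trailer` is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    body = [_chunk(b"IHDR", ihdr)]
    body += [_chunk(t, d) for t, d in extra_chunks]
    body += [_chunk(b"IDAT", zlib.compress(raw)), _chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(body) + trailer


def inspect_png(blob: bytes):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if not blob.startswith(PNG_SIGNATURE):
        return ["not a PNG"]
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_field) < 4:
            findings.append(f"truncated chunk {ctype!r}")
            return findings
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc_field)[0]:
            findings.append(f"CRC mismatch in {ctype!r} (data edited after encoding?)")
        if ctype in METADATA_CHUNKS and length > METADATA_LIMIT:
            findings.append(f"{ctype!r} chunk of {length} bytes, large for metadata")
        if ctype[1:2].islower():  # second letter lowercase = private chunk type
            findings.append(f"private chunk {ctype!r} ({length} bytes)")
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append("no IEND chunk")
    elif len(blob) - pos:
        findings.append(f"{len(blob) - pos} bytes after IEND")
    return findings


if __name__ == "__main__":
    clean = build_png()
    suspect = build_png(
        extra_chunks=[(b"tEXt", b"Comment\x00" + b"A" * 2000), (b"scRt", b"\x00" * 32)],
        trailer=b"MZ" + b"\x90" * 64,  # constructed stand-in for an appended binary
    )
    print("clean:", inspect_png(clean) or "no findings")
    for finding in inspect_png(suspect):
        print("suspect:", finding)
```

None of these checks sees LSB changes in the pixel data itself; for that a statistical test on the pixel values is needed. What the structural pass does catch is the cheap variant that real campaigns often use, a payload simply appended to or stuffed into the metadata of an otherwise valid image, and it does so without any knowledge of the malware family.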
The best practical tip for protecting against steganographic threats is the old adage: "Think first, then click!" As a matter of principle, files from unknown sources or untrustworthy senders should never be opened but deleted immediately. This applies not only to e-mail but to every channel through which messages can arrive. Apart from e-mail, social networks and compromised websites are the most common ways for steganographic carriers to spread.
The following measures to protect against steganographic threats will help:
- Only run applications that carry valid code signatures from trusted publishers.
- Maintain a central repository of approved enterprise applications and tighten software distribution mechanisms.
- Block the installation of software from dubious sources.
- Deploy network segmentation to contain a successful attack. Continuous monitoring of network traffic makes it easier to spot and cut off the attacker's command-and-control channel quickly.
- Configure your malware protection to also detect binders that may accompany steganographic images. Binders are tools that merge two different .exe files into one, placing a malicious file inside a reputable one.
Endpoint protection solutions can also help to identify steganographic tools. However, once malware has been placed (and activated) on the network, a "managed detection and response" (MDR) solution such as Allgeier secion's Active Cyber Defense (ACD) service helps to detect malicious C2 communication early. ACD proactively and continuously scans the corporate network for anomalies. If systems are compromised, Allgeier secion's ACD team informs its customers' IT teams when action is needed to avert damage. The 24/7 service thus acts as an early-warning system for actively and permanently securing the corporate network.
Steganography has been used to transmit secret information since ancient times. Modern attackers have discovered this discreet form of data transmission for themselves and use inexpensive, readily available tools to add malicious code or instructions to media files of all kinds.
There is no single effective weapon against malicious code that is this hard to detect. However, proactive attack detection as a managed service run by specialised IT security teams is an important safeguard should malware ever be infiltrated successfully by means of steganography. As an alternative to in-house SIEM/SOC solutions, Allgeier secion offers the Active Cyber Defense service (ACD), a "managed detection and response" service that monitors corporate networks around the clock, 365 days a year, looking for communication artefacts (beacons) rather than relying on signatures.