Content Disarm and Reconstruction: Don’t Let A Drunk Dinosaur Smoke Your Enterprise

In a previous blog, I discussed content disarm and reconstruction (CDR) at a high level. Today we’ll take a closer look at CDR with respect to steganography in images. Steganography is the art of hiding information in plain sight. Stealth is nothing new to cybercriminals; back in 1986 the first PC virus, Brain, was already using stealth techniques to hide its changes to the boot sector, but boot-sector tricks are nowhere near robust enough for the demanding needs of modern threat actors. To step their game up to the virtually undetectable, they often turn to steganography. Not only does steganography enable covert communications and data exfiltration, but malware can also be delivered by encoding entire files in images.

A Picture Says 20 Words or So:

Source: Randy Abrams

This picture of Barney contains steganography. In this case the message was encoded with the beautify converter website, and the hidden text reads: DC admin username: Kaseya. PW: Solarwinds. Detach malware. Create autorun entry. You will receive the Bitcoins after the backdoor is validated.

APT Threat Actors and Steganography

Threat actors using steganography is nothing new. In 2011 McAfee released a report that over 70 organizations in 14 countries had been targets of an attack that used a piece of malware called Shady RAT. Evidently, due to global warming, even the rats are looking for shade. But I digress. The attack was reported to have been ongoing for at least five years. Part of what gave the attack such longevity is that the Shady RAT trojan employed steganography to hide its communications with its command and control (C2) server. More recently, Malwarebytes reported an attack against Azerbaijan that used steganography to drop a payload. How common is the use of steganography in cyber-attacks? Who knows, you can’t see it. But we do know that the following groups have been known to use steganography:
  • According to MITRE ATT&CK®, APT29, an advanced persistent threat group attributed to Russia’s Foreign Intelligence Service and believed to be behind the attack against the Democratic National Committee, has used image steganography to hide its command and control (C2) communications.
  • APT37, attributed to North Korea, has sent users pictures with embedded shellcode, and has hidden malicious DLLs in PNG pictures.
  • Ramsay, a malware framework, uses steganography to embed malicious code in portable network graphics (PNG) files housed in Word documents. We’ll take a deeper look at documents with embedded images in our next blog.
  • OilRig, sometimes called APT34, has used steganography in supply chain attacks against critical infrastructure companies.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) includes steganography among the tactics used by APT40.
Malware such as the data-wiping Shamoon and the Zeus banking Trojan have used steganography to facilitate their nefarious deeds as well.

Steganography and encryption differ in that encryption is not designed to hide the fact that communications are happening, but rather to make the information unintelligible. Encryption is relatively easy to spot; it has very high entropy (so does compressed data such as a JPEG or an MP3, which is why entropy alone will not separate the two). Steganography is all about hiding the fact that a purple dinosaur, smoking and drinking Bushmills, is communicating with someone, or something, at all.

Images are not the only type of file that can be used for steganography. Of the many file types, MP3s are among the easiest to show as a visual example. No doubt you all recognize that the part of the file shown on the right belongs to the song “What’s Up” by 4 Non Blondes. The MP3 has been modified, and you can see the entire EICAR test file in the data. MP3s are very forgiving, and you probably won’t hear the difference at all. But it does get better. There are a variety of techniques to further hide the payload (eicar.com). For a message hidden in a file, I can place each individual letter in a different location, say 12 bytes apart. Now the message is much harder to find, and if I encrypt the information before inserting it into the file, then even if you somehow knew the file contained steganography and managed to extract the hidden data, you still couldn’t do anything with it. Good luck with that.

The Right Tool For The Job

Content disarm and reconstruction deals with steganography by altering the container rather than hunting for the payload. Changing the resolution of an image destroys pixel-level steganography, as does re-encoding the image in a different format, such as converting a PNG to a JPG, because every sample in the output is recomputed. Even a minor change to the bit rate of a song can break the encoded content. (A payload tucked into metadata fields rather than into the pixels or audio samples has to be stripped separately.) You might need to know what to look for, but CDR doesn’t. CDR simply assumes everything is dangerous and sanitizes it. Files processed with CDR are referred to as sanitized.
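The mechanics described above, as an added example that is not part of the original post and is not SecureIQLab’s code: a least-significant-bit embedder and extractor over a constructed raw RGB buffer, the “spread the bytes 12 apart” variant, and a resolution change of the kind CDR applies, after which extraction no longer returns the message. The cover image, its dimensions and the stride are all made up for the demonstration; the hidden text is the one from the Barney picture.

```python
"""LSB image steganography, scattered embedding, and why a CDR-style resample breaks it.

Added example, not SecureIQLab code. The cover is a constructed raw RGB buffer (no file
header), so nothing beyond the Python standard library is needed.
"""
import random


def make_cover(width, height, seed=7):
    """Constructed cover image: a smooth gradient with a little noise, as a flat RGB byte array."""
    rng = random.Random(seed)
    samples = bytearray()
    for y in range(height):
        for x in range(width):
            for c in range(3):
                samples.append((2 * x + 3 * y + 40 * c + rng.randrange(8)) & 0xFF)
    return samples


def embed(cover, payload, stride=1):
    """Hide payload in the least significant bit of every `stride`-th sample.

    A 4-byte length prefix tells the extractor where the message ends. stride > 1 spreads the
    bits out (the "12 bytes apart" trick), which makes the carrier harder to eyeball but does
    nothing against a transform that recomputes every sample.
    """
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) * stride > len(cover):
        raise ValueError("cover too small for this payload at this stride")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i * stride] = (stego[i * stride] & 0xFE) | bit
    return stego


def extract(samples, stride=1):
    """Read the LSB channel back; returns None when the length prefix is not plausible."""
    def read(n_bytes, first_bit):
        value = 0
        for i in range(n_bytes * 8):
            value = (value << 1) | (samples[(first_bit + i) * stride] & 1)
        return value.to_bytes(n_bytes, "big")

    if 32 * stride > len(samples):
        return None
    length = int.from_bytes(read(4, 0), "big")
    if (32 + length * 8) * stride > len(samples):
        return None  # garbage length field: no valid message in the LSB channel
    return read(length, 32)


def resample(samples, width, height):
    """What a CDR resolution change does: average each 2x2 block, then scale back up with
    nearest-neighbour. Every output sample is freshly computed, so the LSB channel is gone.
    """
    out = bytearray(len(samples))
    for by in range(height // 2):
        for bx in range(width // 2):
            for c in range(3):
                idx = [((2 * by + dy) * width + (2 * bx + dx)) * 3 + c
                       for dy in (0, 1) for dx in (0, 1)]
                mean = sum(samples[i] for i in idx) // 4
                for i in idx:
                    out[i] = mean
    return out


if __name__ == "__main__":
    W, H = 128, 64  # constructed image size
    cover = make_cover(W, H)
    secret = b"DC admin username: Kaseya. PW: Solarwinds. Detach malware. Create autorun entry."
    stego = embed(cover, secret, stride=12)
    print("max per-sample change:", max(abs(a - b) for a, b in zip(cover, stego)))
    print("extracted:", extract(stego, stride=12))
    print("after resample:", extract(resample(stego, W, H), stride=12))
```

No sample moves by more than one unit, which is why the stego image looks identical to the cover, and the resampled image is just as viewable as the original; only the hidden channel is gone. Encrypting the payload before calling embed changes nothing here: the resample destroys ciphertext and plaintext alike, which is the point of not needing to know what to look for.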
Although it may seem trivial to make these changes, it’s typically more complicated than it sounds. If the picture is embedded in an email, for example, the email message must be deconstructed, the image (or other file type) processed, and the whole thing put back together as a fully functional message. It does get better. What if the picture is inside a binary file, such as a legacy Microsoft Office document (the old .doc format)? Yeah, you got it. Rip apart the binary, extract the image, process the image, and put it back together as a fully functional document. Perhaps not quite fully functional: the booby-trapped file no longer talks to its C2 server. But that’s OK.

Steganography is a serious security risk that appears to be on a continuing upward trajectory. Tools that can detect the presence of steganography are still being developed, but an encrypted payload remains unintelligible even once it is found. An article on Securelist by Kaspersky provides some interesting, if you like math and other four-letter words, insight into methods being used to detect steganography. In my next blog about CDR, we’ll dissect a modern document to demonstrate CDR dealing with much more than just steganography. Before I sign off, just remember that the corporate logo at the top of your email may have more to say to cybercriminals than it says to your customers.

Randy Abrams
Senior Scapegoat
SecureIQLab
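The email case above, as an added example that is neither SecureIQLab’s code nor any CDR product’s: a constructed multipart message with a small binary PPM image attached is taken apart with Python’s standard email library, the image is re-encoded at reduced colour depth (a stand-in for the resample or format conversion a real CDR engine would apply), and the message is reassembled so it still parses and still carries its text. The addresses, the file name and the pixel data are all constructed; PPM is used only because it can be parsed without third-party libraries.

```python
"""Deconstruct a MIME message, re-encode its image attachments, reassemble the message.

Added example, not SecureIQLab code. The image is a constructed binary PPM (P6) and the
sanitizer reduces colour depth to 6 bits per channel; a production CDR engine would hand the
image to a real decoder and re-render it, but the container handling is the same.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

PPM_HEADER = re.compile(rb"^P6\s+(\d+)\s+(\d+)\s+(\d+)\s")


def sanitize_ppm(data):
    """Parse the PPM, recompute every sample with its two low bits cleared, write a fresh header."""
    m = PPM_HEADER.match(data)
    if not m:
        raise ValueError("not a binary PPM; a CDR engine would reject or rasterize this")
    width, height, maxval = (int(x) for x in m.groups())
    pixels = data[m.end():]
    if maxval != 255 or len(pixels) != width * height * 3:
        raise ValueError("malformed PPM")
    # Re-quantise to 6 bits: the two low bits, where LSB steganography lives, are discarded.
    return b"P6\n%d %d\n255\n" % (width, height) + bytes(v & 0xFC for v in pixels)


def sanitize_message(raw):
    """Walk every MIME part, replace each image part with its sanitized re-encoding."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        clean = sanitize_ppm(part.get_payload(decode=True))
        # set_content rewrites the Content-* headers and the base64 body for this part only;
        # the rest of the message (addresses, text body, structure) is untouched.
        part.set_content(clean, maintype="image",
                         subtype=part.get_content_subtype(), filename=part.get_filename())
    return msg.as_bytes()


def build_sample_message():
    """Constructed input: a short text body with a tiny PPM 'logo' attached."""
    pixels = bytes(range(24))  # 4x2 RGB image; the low bits are where a payload would sit
    image = b"P6\n4 2\n255\n" + pixels
    msg = EmailMessage()
    msg["From"] = "barney@example.com"   # constructed
    msg["To"] = "soc@example.com"        # constructed
    msg["Subject"] = "New corporate logo"
    msg.set_content("Please use the attached logo.")
    msg.add_attachment(image, maintype="image", subtype="x-portable-pixmap", filename="logo.ppm")
    return msg.as_bytes()


def image_payloads(raw):
    """Decoded bytes of every image part, for checking what actually left the sanitizer."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_payload(decode=True) for p in msg.walk() if p.get_content_maintype() == "image"]


def body_text(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    return msg.get_body(preferencelist=("plain",)).get_content()


if __name__ == "__main__":
    original = build_sample_message()
    sanitized = sanitize_message(original)
    print("before:", image_payloads(original)[0])
    print("after: ", image_payloads(sanitized)[0])
    print("body:  ", body_text(sanitized).strip())
```

The reassembled message keeps its headers, its text part and a viewable logo, while every pixel sample has been recomputed; a message whose image cannot be parsed is rejected rather than passed through, which is the behaviour you want from a sanitizer that assumes everything is dangerous.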