In a previous blog, I discussed content disarm and reconstruction (CDR) at a high level. Today we’ll take a closer look at CDR with respect to steganography in images. Steganography is the art of hiding information in plain sight. Stealth is nothing new to cybercriminals; in fact, back in 1986 the first PC virus, Brain, was already using stealth, but boot sector replacement is not robust enough for the demanding needs of modern threat actors. To step up their game to the virtually undetectable, they are often turning to steganography. Not only does steganography enable covert communications and data exfiltration, but malware can also be delivered by encoding entire files in images.
A Picture Says 20 Words or So:
Source: Randy Abrams
This picture of Barney contains steganography. In this case, the message was encoded with the beautify converter website, and the encoded message is: "DC admin username: Kaseya. PW: Solarwinds. Detach Malware. Create autorun entry. You will receive the Bitcoins after backdoor is validated."

APT Threat Actors and Steganography:

Threat actors using steganography is nothing new. In 2011 McAfee released a report that over 70 organizations in 14 countries had been targets of an attack that used a piece of malware called Shady RAT. Evidently, due to global warming, even the rats are looking for shade. But I digress. The attack was reported to have been ongoing for at least five years. Part of what gave the attack such longevity is that the Shady RAT trojan employed steganography to facilitate communications with its command and control (C2) center. More recently, Malwarebytes reported an attack against Azerbaijan that used steganography to drop a payload. How common is the use of steganography in cyber-attacks? Who knows, you can’t see it. But we do know that the following groups have been known to use steganography:

- According to MITRE ATT&CK®, APT29, an advanced persistent threat group attributed to Russia’s Foreign Intelligence Service and believed to be behind the attack against the Democratic National Committee, has used image steganography to hide communications with command and control (C2) centers.
- APT37, attributed to North Korea, has sent users pictures with embedded shellcode, as well as hiding malicious DLLs in PNG pictures.
- Ramsay, a malware framework, uses steganography to embed malicious code in Portable Network Graphics (PNG) files housed in Word documents. We’ll take a deeper look at some documents with images, etc. in our next blog.
- OilRig, sometimes called APT34, has used steganography in supply chain attacks against critical infrastructure companies.
- The US Cybersecurity and Infrastructure Security Agency includes steganography in the tactics used by APT40.
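As an added example (not code from the original post), the following Python shows why CDR is effective against the kind of image steganography described above: a toy least-significant-bit embed/extract pair working on a constructed pixel buffer, and a sanitizer that rewrites the LSB plane the way a CDR engine re-renders an image, so the hidden message is readable from the original buffer but not from the reconstructed one. The function names, the sample buffer and the sample message are assumptions made for illustration.

```python
import os

def embed_lsb(pixels: bytes, message: bytes) -> bytes:
    """Hide a length-prefixed message in the least significant bit of each byte."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # overwrite only the lowest bit
    return bytes(out)

def extract_lsb(pixels: bytes) -> bytes:
    """Read the LSB plane back; returns b'' if no plausible payload is present."""
    def read(offset, n):
        value = bytearray()
        for b in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[offset + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read(0, 4), "big")
    if length > (len(pixels) - 32) // 8:    # length field is garbage: nothing hidden
        return b""
    return read(32, length)

def cdr_sanitize(pixels: bytes) -> bytes:
    """CDR-style reconstruction: rewrite the LSB plane with fresh random bits.
    Each value moves by at most 1, so the picture looks the same, but any
    payload riding on the LSB plane is destroyed without needing to detect it."""
    noise = os.urandom(len(pixels))
    return bytes((p & 0xFE) | (n & 1) for p, n in zip(pixels, noise))

def demo():
    cover = bytes(range(256)) * 16          # constructed 4096-byte grayscale buffer
    secret = b"constructed hidden message"  # constructed sample payload
    stego = embed_lsb(cover, secret)
    clean = cdr_sanitize(stego)
    max_delta = max(abs(a - b) for a, b in zip(stego, clean))
    return extract_lsb(stego), extract_lsb(clean), max_delta

if __name__ == "__main__":
    before, after, delta = demo()
    print(before, after, delta)
```

Real CDR engines do more than flip the LSB plane (they decode the image and re-encode it from scratch), but the principle is the same: the visible content is reconstructed and anything hidden in the original encoding does not survive.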