Steganography explained and how to protect against it

Steganography definition

Steganography is a millennia-old concept that means hiding a secret message within an ordinary-looking file that doesn’t raise any suspicions. The word has Greek roots, being a combination of steganos, which translates to “concealed, protected,” and graphein, which means “writing.”

APT groups, ransomware gangs, and other threat actors often hide information when attacking a target. For example, they might conceal data when exfiltrating it, cloak a malicious tool, or send instructions for command-and-control servers. They could put all this information in unassuming image, video, sound, or text files.

Steganography has a critical advantage over cryptography: In cryptography, you know the secret message is there, only its content is concealed; in steganography, the existence of the secret message is often difficult to notice. Threat actors sometimes use the two techniques together, encrypting a message before sneaking it inside a file.

How steganography works

Steganography is one way malicious actors fly under the radar. “We often see it being used as the initial entry point, and once the threat actors are in the network, there are more tools and code that they will use to move laterally,” Jon Clay, vice president of threat intelligence at Trend Micro, says.

Frequently, the secret data is cleverly hidden inside an image by manipulating a few bits. Still, if users look at the original photo and compare it with the altered one, they can’t tell the difference. To show this, researchers at Kaspersky camouflaged the first ten chapters of Nabokov’s novel Lolita inside the standard image Lenna. The initial photo (Lenna.bmp) and the changed one (Lenna_stego.bmp) look exactly the same to the naked eye. Also, both files are the same size, 786,486 bytes.

Several techniques could be employed to achieve that. One of the oldest ones is the least significant bit (LSB) substitution method, which became popular during the mid-1980s. It allowed the manipulation of roughly 15% of an image by changing the least important bit of each byte, the one farthest to the right.

For instance, in the 11001101 byte, the first “1” on the left is the heaviest, while the “1” on the right carries the least weight. (When converting from binary to decimal, you multiply the “1” on the left by 128 and the “1” on the right by 1,) Thus, manipulating the right-most bit of the sequence makes little impact. Of course, the color of the pixel will be different, but the change will be imperceptible to the human eye.

There are a few variations of this method. When JPEG images are used, attackers can employ a technique called discrete cosine transform (DCT), which allows sending data by altering the LSBs of the DCT coefficients of an image. There’s also palette-based image steganography, in which data is encoded into the LSB of the image palette. Both these methods can carry only small amounts of secret data.

An even more powerful method is the bit-plane complexity segmentation (BPCS), presented in the late 1990s by computer scientists Richard Eason and Eiji Kawaguchi. The two showed that they could alter about 50% of an image without users perceiving any difference. Their trick was to divide an image into an “informative region” and a “noise-like region” and then to hide the secret data in the noise blocks.

A few wideband methods are also used in steganography, such as the pseudorandom sequence (a secret stego-container is modulated by a pseudorandom signal) or the frequency hopping (frequency of the stego-container signal changes according to a specific pseudorandom law).

In the past years, security researchers noticed that attackers work with many types of files, not just images. Trend Micro found evidence that sound-based steganography is slowly becoming popular, as audio-only social media apps like Clubhouse are rising.

In the future, we might also see augmented reality (AR) and virtual reality (VR) based steganography, says Clay. He argues that humans might not be the only ones who could be tricked. “There have been examples of autonomous vehicles that follow visual signposts to drive, and it can cause cars to do things they shouldn’t do,” he says. “As humans move to a more visual medium to communicate, you’re going to see these malicious actors look for ways to take advantage of it and profit off of it.”

Attacks that used steganography techniques

Various types of threat actors, from crooks to cyberespionage groups, have used steganography to conceal information. One of the first powerful malware that took advantage of these techniques was Duqu, discovered in 2011. Its makers encrypted data and embedded it into a JPEG file.

More recently, APT groups like Platinum, OceanLotus/APT32, K3chang/APT15/Mirage/Vixen Panda, and MontysThree relied on steganography for cloaking encrypted payloads or maintaining on-system persistence. Meanwhile, RedBaldKnight/Bronze Butler/Tick built tools that can create, embed, and hide executables or configuration files, and Tropic Trooper/Pirate Panda/KeyBoy masked its backdoor routines and evaded anti-malware and network perimeter detection.

Researchers at Kaspersky have also identified an APT gang they call BountyGlad, which used steganography to support multi-stage implant delivery as a part of a supply chain attack, cloaking shellcode within a PNG file used to deliver the final stage payload. “The most sophisticated APT [groups] often use the simplest steganography techniques in elegant ways,” says Kurt Baumgartner, principal researcher at Kaspersky. He noticed that, for these threat actors, steganography is more than data hidden in JPEGs or BMPs.

“Most frequently, steganographic imagery techniques are used to support multi-staged malicious implant deliveries in intrusions,” Baumgartner adds. “We also see APT hide commands for their implants in web pages with whitespace and within debug logs posted to forums, covertly upload stolen data in images, and maintain persistence by storing encrypted code within specific locations of validly Authenticode-signed executables.”

Ransomware gangs have also learned that using steganography could help them carry out their attacks. Lurk/Stegoloadr, for instance, encrypted URLs and hid them inside a white BMP file that downloaded a second payload. SyncCrypt and Cerber also cloaked parts of their code in image files, and TeslaCrypt cleverly included HTML comment tags in a 404 error page that had instructions for a command-and-control server.

Steganography has also been used by cryptomining malware. For example, SentinelLabs recently discovered a campaign affecting the Docker Linux platform. This threat actor embedded an ELF binary inside a JPEG file to bypass detections by many antivirus software products. “The file was 6MB, which was extremely large for a JPEG,” Marco Figueroa, principal threat researcher at SentinelOne, says. “The size of the JPEG provided a clue that the file had malicious code within it.”

Even actors conducting malvertising campaigns take advantage of steganography. The Stegano/Astrum exploit kit embedded malicious code inside the RGBA transparency value of each pixel of PNG banner ads. When ads were loaded, the malicious code was extracted, and the user was redirected to the exploit kit landing page. Furthermore, the group behind DNSCharge created ads that contained code that launched brute force attacks against users’ home WiFi routers.

What companies can do to protect against steganography

Using steganography during an attack is relatively easy. Protecting against it is much more complicated, as threat actors are getting more innovative and more creative. “Companies should embrace modern endpoint protection technologies that go beyond static checks, basic signatures, and other outdated components as code hidden in images and other forms of obfuscation are more likely to be detected dynamically by a behavioral engine,” Figueroa says.

He has two more tips for organizations and their employees: First, if an image is unusually large, it might be a clue that steganography was used. Second, companies should focus detection efforts directly at the endpoints where encryption and obfuscation are easier to detect.

Trend Micro’s Clay says more should be done to educate users and raise awareness. “Organizations should teach employees that image files can harbor malicious code,” he says. “In addition, organizations should have web filtering for safer browsing and should also stay up to date with the latest security patches when updates are available.”

Kaspersky’s Baumgartner also thinks businesses should do more to protect against such attacks. “A solid host-based antimalware solution will identify actions based on the decrypted commands, find hidden malcode and their loaders delivered with these techniques using heuristic, behavioral, machine learning, and other methods, and suspicious outbound siphoning of data,” he says. “Also, network tracking may help support identification of new steganographically delivered malcode or outbound stolen data.”

While some researchers worry about the creativity of nation-state actors, others believe that any malicious entity could leverage steganography. “Less advanced adversaries are using fairly sophisticated stuff that can go undetected,” Baumgartner says.