Steganography, or the practice of concealing a file, message, image or video within another file, message, image or video, may be an older technique, but it continues to be an incredibly versatile and effective method for obscuring or hiding information in plain sight. In 2017, IBM X-Force has identified three different malware samples in network attacks containing cryptocurrency CPU-mining tools hidden within fake image files.
In September 2017, IBM X-Force reported a sixfold increase in these types of attacks. The X-Force team identified the use of steganography to hide embedded mining tools via command injection (CMDi) attacks detected by IBM Security’s managed intrusion detection and prevention system (IDPS) service. Cybercriminals continue to use steganography, likely because it is easy to convince users to open images without prompting suspicion.
Below is an analysis of the most prevalent of the three malware samples used in the attacks. Although only one sample is analyzed here, the others resemble it in the way they work. We have included indicators of compromise (IoCs) for all three samples nonetheless.
Hiding in Plain Sight
The most prevalent malware sample in the attack examples analyzed by X-Force uses steganography to hide a malicious image file called fantasy-938617.jpg.
The following URL path is the value detected by the IBM X-Force command injection rule:
Attackers often abuse legitimate services, such as free image hosting services that allow users to post images to different platforms. This can allow the attacker to spread malware from a variety of legitimate sources to multiple users.
The file fantasy-938617.jpg in the URL above is the fake image and the string dd+skip=2931+bs=1|sh that follows it is an instruction for the targeted endpoint/server to convert and execute the malicious code as shell code.
Now, let’s break down the components of the string dd+skip=2931+bs=1|sh:
- dd is a Linux tool used for copying and converting files into other formats.
- skip moves the current pointer of the input stream. The malware author uses skip to force the server to ignore data at the beginning of the input stream and move directly to the embedded malicious code.
- The image code has a valid image header and the code below it actually displays an image. The image file is transferred to the victim using command line URL (cURL) with instructions to skip to a position in the file where the shell code begins.
- |sh executes the code that is piped to the system shell according to the schedule set in the crontab.
This is the image displayed to the victim:
Below is a partial capture of the code behind the image:
Below is the beginning of the script and where the skip points to begin execution. The code prior to this script is the .jpg image.
The function DoMiner() represents the start of the code that executes a coin miner malware. After the malware is installed, the victim’s endpoint becomes a slave in a botnet that mines cryptocurrency for a cybercriminal.
Not Steganography’s First Time at the Rodeo
There are many older examples of cybercriminals using steganography to carry out their malicious deeds. The Stegoloader backdoor Trojan, for one, has been plaguing victims for more than five years. In early 2015, the Vawtrak malware used steganography to hide update files in favicons, which are small icon files associated with a particular website or webpage. The Stegano campaign, launched in late December 2016, used steganography to hide malvertising, or malware in banner ads.
More recently, IBM X-Force discovered a small-scale malware campaign involving a Neutrino bot dropping a payload that contained two Zeus malware breeds: Atmos and Zberp. The Zberp Trojan uses steganography to hide its configuration file.
Detecting Malicious Steganography
The delivery mechanism for all three malware samples analyzed was command injection, which was also the catalyst for their detection. However, as indicated earlier, steganography has been used with a variety of delivery methods, and detection of this technique can be tricky since it may not always be possible through network rules alone.
For example, our CMDi rule detected the skip instructions in the samples analyzed; however, network rules wouldn’t detect the code behind the image. Attackers’ use of the steganography toolkit StegoSploit demonstrates the additional need for behavioral analytics. An attacker can use the toolkit to embed malicious code within an image and perform a drive-by download attack to deliver the malware to the victim.
To increase the detection capabilities of malware hiding via steganography, enterprises may want to invest in a malware sandbox that can provide behavior-based analysis and work as part of an integrated security immune system. Integration with network protection and a threat intelligence platform can help analysts keep track of what’s important when it comes to identifying evasive malware.
Below are IoCs for each of the malware samples analyzed. Please access our X-Force Exchange collection for additional information.
- MD5: b310fd27ce633c4220b2c832db3a5f79
- SHA1: f229cb063f546ec02742d3b7e52815b6caa56d2d
- SHA256: 28452dc29d86bcc21e8a98920484e235ff0e88f42283a16b9b6a9aea75b62366ssdeep
- File Size: 1.4 KB (1408 bytes)
- Source IP: 220.127.116.11
Filename: 58837466f1237.jpg, test123
- MD5: 08f7eac49ffedc720844338290dab1ec
- SHA1: 179f62b0a505c889d865e8feff7f59379e4ed885
- SHA256: 62e0b77235665a15aa44c4b6e0da80b87fad33803a201d18db8871f4abb0d2c2ssdeep
- File Size 1.2 MB (1220610 bytes)
- File Type: JPEG
- Source IP: 18.104.22.168
- MD5: 4e13b60a707d1159230b140c9059b9c4
- SHA1: c67190b1281e7ca606de6dacd7147990398ce2b3
- SHA256: 6a6a8c0888d9187a6c19c5e12535534990f646e1397b06be4a054c9789a08f3fssdeep
- File Size: 5.6 KB (5727 bytes)
- File Type JPEG
- Source IP: 22.214.171.124