Steganography, or the practice of concealing a file, message, image or video within another file, message, image or video, may be an older technique, but it continues to be an incredibly versatile and effective method for obscuring or hiding information in plain sight. In 2017, IBM X-Force identified three different malware samples in network attacks containing cryptocurrency CPU-mining tools hidden within fake image files.

In September 2017, IBM X-Force reported a sixfold increase in these types of attacks. The X-Force team identified the use of steganography to hide embedded mining tools via command injection (CMDi) attacks detected by IBM Security’s managed intrusion detection and prevention system (IDPS) service. Cybercriminals continue to use steganography, likely because it is easy to convince users to open images without prompting suspicion.

Below is an analysis of the most prevalent of the three malware samples used in the attacks. Although only one sample is analyzed here, the others resemble it in the way they work. We have included indicators of compromise (IoCs) for all three samples nonetheless.

Hiding in Plain Sight

The most prevalent malware sample in the attack examples analyzed by X-Force uses steganography to hide malicious code inside an image file called fantasy-938617.jpg.

The following URL path is the value detected by the IBM X-Force command injection rule:

Attackers often abuse legitimate services, such as free image hosting services that allow users to post images to different platforms. This can allow the attacker to spread malware from a variety of legitimate sources to multiple users.

The file fantasy-938617.jpg in the URL above is the fake image, and the string dd+skip=2931+bs=1|sh that follows it is an instruction for the targeted endpoint/server to convert the file and execute the malicious code it contains as shell commands.

The targeted system in this case is the JBoss application server, as identified by the URL path /jexws4/jexws4.jsp. The file jexws4.jsp is not native to JBoss software — it’s actually a component of the JexBoss exploit tool. JexBoss is a tool for testing and exploiting Java deserialization vulnerabilities in JBoss application servers. If JexBoss is resident on the target machine, it indicates that the server is already compromised and will allow shell commands to be executed. In this case, the attacker most likely scanned for JBoss application servers that had already been compromised and then conducted a CMDi attack.

Now, let’s break down the components of the string dd+skip=2931+bs=1|sh:

  • dd is a Linux tool used for copying and converting files into other formats.
  • skip moves the current pointer of the input stream. With bs=1 (a block size of one byte), skip=2931 skips exactly the first 2931 bytes of the file. The malware author uses skip to force the server to ignore data at the beginning of the input stream and move directly to the embedded malicious code.
  • The image file has a valid image header, and the data below it actually displays an image. The image file is transferred to the victim using command line URL (cURL) with instructions to skip to the position in the file where the shell code begins.
  • |sh executes the code that is piped to the system shell according to the schedule set in the crontab.

This is the image displayed to the victim:

Below is a partial capture of the code behind the image:

Below is the beginning of the script, the point to which the skip instruction jumps to begin execution. The data prior to this script is the .jpg image.

The function DoMiner() represents the start of the code that executes the coin-mining malware. After the malware is installed, the victim’s endpoint becomes a slave in a botnet that mines cryptocurrency for a cybercriminal.
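The dd skip trick above works because a JPEG viewer stops at the End-Of-Image marker while dd happily reads past it. As an added example, not code from the X-Force write-up, the following Python walks a JPEG's marker structure to find where the real image ends and reports anything appended after it; that offset is precisely the skip value a dd skip=N bs=1 command would need, so a defender can check image files at rest or in a sandbox for trailers a network rule never sees. The minimal JPEG and the stand-in script are constructed here (so the offset is not the sample's 2931), and the shell-keyword heuristic is an assumption.

```python
import re
EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01} | set(range(0xD0, 0xD8))  # TEM and RSTn markers carry no length field
# Constructed heuristic: a shebang or the tools the article names (cURL, crontab) in the trailer.
SHELL_HINTS = re.compile(rb"^#!/|\b(curl|wget|crontab|nohup|chmod)\b")

def _skip_scan(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data to the next real marker."""
    while (idx := data.find(b"\xff", pos)) >= 0 and idx + 1 < len(data):
        nxt = data[idx + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # byte stuffing / RSTn: still scan data
            pos = idx + 2
        elif nxt == 0xFF:                        # fill byte
            pos = idx + 1
        else:
            return idx
    raise ValueError("truncated scan data")

def jpeg_trailer_offset(data: bytes) -> int:
    """Walk the marker segments; return the offset just past End-Of-Image (FF D9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker == 0xFF or marker in STANDALONE:  # fill byte or length-less marker
            pos += 1 if marker == 0xFF else 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == SOS:
            pos = _skip_scan(data, pos)
    raise ValueError("no EOI marker found")

def scan_image(data: bytes) -> dict:
    """Everything after EOI is a trailer; its offset is the bs=1 skip value dd would need."""
    trailer = data[(end := jpeg_trailer_offset(data)):]
    return {"dd_skip": end, "trailer_bytes": len(trailer), "looks_like_script": bool(SHELL_HINTS.search(trailer))}

def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
# Constructed minimal JPEG: APP0, DQT, SOF0, SOS, scan data (with FF00 stuffing and RST0), EOI.
CLEAN_JPEG = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + _seg(0xDB, b"\x00" + bytes(64)) + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
              + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
HIDDEN_SCRIPT = b"#!/bin/sh\n# constructed stand-in for the appended miner script\necho hidden\n"
STEGO_JPEG = CLEAN_JPEG + HIDDEN_SCRIPT   # still a displayable image, with a script appended
```

A non-zero trailer is not proof of malice (cameras and editors append metadata too), so the byte count and the keyword hit are triage signals for the sandbox or analyst, not a verdict.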

Not Steganography’s First Time at the Rodeo

There are many older examples of cybercriminals using steganography to carry out their malicious deeds. The Stegoloader backdoor Trojan, for one, has been plaguing victims for more than five years. In early 2015, the Vawtrak malware used steganography to hide update files in favicons, which are small icon files associated with a particular website or webpage. The Stegano campaign, launched in late December 2016, used steganography to hide malvertising, or malware in banner ads.

More recently, IBM X-Force discovered a small-scale malware campaign involving a Neutrino bot dropping a payload that contained two Zeus malware breeds: Atmos and Zberp. The Zberp Trojan uses steganography to hide its configuration file.

Detecting Malicious Steganography

The delivery mechanism for all three malware samples analyzed was command injection, which was also the catalyst for their detection. However, as indicated earlier, steganography has been used with a variety of delivery methods, and detection of this technique can be tricky since it may not always be possible through network rules alone.

For example, our CMDi rule detected the skip instructions in the samples analyzed; however, network rules wouldn’t detect the code behind the image. Attackers’ use of the steganography toolkit StegoSploit demonstrates the additional need for behavioral analytics. An attacker can use the toolkit to embed malicious code within an image and perform a drive-by download attack to deliver the malware to the victim.

To increase the detection capabilities of malware hiding via steganography, enterprises may want to invest in a malware sandbox that can provide behavior-based analysis and work as part of an integrated security immune system. Integration with network protection and a threat intelligence platform can help analysts keep track of what’s important when it comes to identifying evasive malware.

Sample IoCs

Below are IoCs for each of the malware samples analyzed. Please access our X-Force Exchange collection for additional information.


Read the complete X-Force research report: Evading the Malware Sandbox
