Light Dark
November 16, 2017 By Dave McMillen 4 min read
Malware
Threat Intelligence
X-Force

Steganography, or the practice of concealing a file, message, image or video within another file, message, image or video, may be an older technique, but it continues to be an incredibly versatile and effective method for obscuring or hiding information in plain sight. In 2017, IBM X-Force has identified three different malware samples in network attacks containing cryptocurrency CPU-mining tools hidden within fake image files.

In September 2017, IBM X-Force reported a sixfold increase in these types of attacks. The X-Force team identified the use of steganography to hide embedded mining tools via command injection (CMDi) attacks detected by IBM Security’s managed intrusion detection and prevention system (IDPS) service. Cybercriminals continue to use steganography, likely because it is easy to convince users to open images without prompting suspicion.

Below is an analysis of the most prevalent of the three malware samples used in the attacks. Although only one sample is analyzed here, the others resemble it in the way they work. We have included indicators of compromise (IoCs) for all three samples nonetheless.

Hiding in Plain Sight

The most prevalent malware sample in the attack examples analyzed by X-Force uses steganography to hide a malicious image file called fantasy-938617.jpg.

The following URL path is the value detected by the IBM X-Force command injection rule:

Attackers often abuse legitimate services, such as free image hosting services that allow users to post images to different platforms. This can allow the attacker to spread malware from a variety of legitimate sources to multiple users.

The file fantasy-938617.jpg in the URL above is the fake image and the string dd+skip=2931+bs=1|sh that follows it is an instruction for the targeted endpoint/server to convert and execute the malicious code as shell code.

The targeted system in this case is the JBoss application server as identified by the URL path /jexws4/jexws4.jsp. The JavaScript file jexws4.jsp is not native to JBoss software — it’s actually a component of the JexBoss exploit tool. JexBoss is a tool for testing and exploiting Java deserialization vulnerabilities in JBoss application servers. If JexBoss is resident on the target machine, it would indicate that the server is compromised and will allow shell commands to be executed. In this case, the attacker mostly likely scanned for JBoss application servers that had already been compromised and then conducted a CMDi attack.

Now, let’s break down the components of the string dd+skip=2931+bs=1|sh:

  • dd is a Linux tool used for copying and converting files into other formats.
  • skip moves the current pointer of the input stream. The malware author uses skip to force the server to ignore data at the beginning of the input stream and move directly to the embedded malicious code.
  • The image code has a valid image header and the code below it actually displays an image. The image file is transferred to the victim using command line URL (cURL) with instructions to skip to a position in the file where the shell code begins.
  • |sh executes the code that is piped to the system shell according to the schedule set in the crontab.

This is the image displayed to the victim:

Below is a partial capture of the code behind the image:

Below is the beginning of the script and where the skip points to begin execution. The code prior to this script is the .jpg image.

The function DoMiner() represents the start of the code that executes a coin miner malware. After the malware is installed, the victim’s endpoint becomes a slave in a botnet that mines cryptocurrency for a cybercriminal.

Not Steganography’s First Time at the Rodeo

There are many older examples of cybercriminals using steganography to carry out their malicious deeds. The Stegoloader backdoor Trojan, for one, has been plaguing victims for more than five years. In early 2015, the Vawtrak malware used steganography to hide update files in favicons, which are small icon files associated with a particular website or webpage. The Stegano campaign, launched in late December 2016, used steganography to hide malvertising, or malware in banner ads.

More recently, IBM X-Force discovered a small-scale malware campaign involving a Neutrino bot dropping a payload that contained two Zeus malware breeds: Atmos and Zberp. The Zberp Trojan uses steganography to hide its configuration file.

Detecting Malicious Steganography

The delivery mechanism for all three malware samples analyzed was command injection, which was also the catalyst for their detection. However, as indicated earlier, steganography has been used with a variety of delivery methods, and detection of this technique can be tricky since it may not always be possible through network rules alone.

For example, our CMDi rule detected the skip instructions in the samples analyzed; however, network rules wouldn’t detect the code behind the image. Attackers’ use of the steganography toolkit StegoSploit demonstrates the additional need for behavioral analytics. An attacker can use the toolkit to embed malicious code within an image and perform a drive-by download attack to deliver the malware to the victim.

To increase the detection capabilities of malware hiding via steganography, enterprises may want to invest in a malware sandbox that can provide behavior-based analysis and work as part of an integrated security immune system. Integration with network protection and a threat intelligence platform can help analysts keep track of what’s important when it comes to identifying evasive malware.

Sample IoCs

Below are IoCs for each of the malware samples analyzed. Please access our X-Force Exchange collection for additional information.

Filename: logo.jpg

  • MD5: b310fd27ce633c4220b2c832db3a5f79
  • SHA1: f229cb063f546ec02742d3b7e52815b6caa56d2d
  • SHA256: 28452dc29d86bcc21e8a98920484e235ff0e88f42283a16b9b6a9aea75b62366ssdeep
  • 24:Jqnvy8+rLa5sBuQGdGA6GvDZGvDT82YNsADmyADYsADTADz1w/:JjWDMDG2ADxADbADTADz1I
  • File Size: 1.4 KB (1408 bytes)
  • Source IP: 91.230.47.40

Filename: 58837466f1237.jpg, test123

  • MD5: 08f7eac49ffedc720844338290dab1ec
  • SHA1: 179f62b0a505c889d865e8feff7f59379e4ed885
  • SHA256: 62e0b77235665a15aa44c4b6e0da80b87fad33803a201d18db8871f4abb0d2c2ssdeep
  • 24576:dEX3yP0ghoMApslmzW2B2zMPpoOabQuq0+wn4d8OJjfaMRG:Ctgvu4qyq0+w4fJjfw
  • File Size 1.2 MB (1220610 bytes)
  • File Type: JPEG
  • Source IP: 47.88.220.21

Filename: fantasy-938617.jpg

  • MD5: 4e13b60a707d1159230b140c9059b9c4
  • SHA1: c67190b1281e7ca606de6dacd7147990398ce2b3
  • SHA256: 6a6a8c0888d9187a6c19c5e12535534990f646e1397b06be4a054c9789a08f3fssdeep
  • 96:ArbWsYZQpswDH+6FrxxjujFYmhQT1OuUZoGQT5VO0s:AyZAsyHPFrzAYZ1ORoVT5E
  • File Size: 5.6 KB (5727 bytes)
  • File Type JPEG
  • Source IP: 104.27.180.36

Read the complete X-Force research Report: Evading the Malware Sandbox

 |  |  |  |  |  |  | 
Dave McMillen
Senior Threat Researcher, IBM X-Force

More from Malware
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

June 6, 2023

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

June 1, 2023

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature