Images with hidden messages aren't new - but steganography hides data beyond view
Images with hidden messages aren't new - but steganography hides data beyond view

Attacks using steganographic techniques are on the rise, according to researchers at Kaspersky Labs. But methods to detect such attacks are improving, they said.

Steganography is the practice of sending data in a concealed format. It is unlike cryptography, which conceals the contents of a secret message as steganography conceals and disguises the very fact that a message is being communicated.

The use of such methods has increased over time and Kaspersky said that these attacks are hard to detect as the image looks virtually identical to the human eye and the file size also remains unchanged. Several malware operations aimed at cyber-espionage, and several examples of malware created to steal financial information using this technique have recently been caught according to Kaspersky.

The firm said that it has witnessed at least three cyber-espionage operations using this approach. This has included updated versions of Trojans including, Zerp, ZeusVM, Kins, Triton and others.

“Although this is not the first time we have witnessed a malicious technique, originally used by sophisticated threat actors, find its way onto the mainstream malware landscape, the steganography case is especially important,” explained Alexey Shulmin, security researcher at Kaspersky Lab.

“So far, the security industry hasn't found a way to reliably detect the data exfiltration conducted in this way. The images used by attackers as a transportation tool for stolen information are very large, and even though there are some algorithms which could automatically detect the technique, their mass-scale implementation would require tons of computing power and would be cost-prohibitive.” 

He added that it is relatively easy to identify an image “loaded” with stolen sensitive data with the help of manual analysis. “However, this method has limitations, as a security analyst would only be able to analyse a very limited number of images per day,” he said.

Shulmin added that using a combination of technologies for automated analysis and human intellect in order to identify and detect such attacks could be the answer.

“However, there is room for improvement in this area, and the goal of our investigations is to draw industry attention to the problem and enforce the development of reliable yet affordable technologies, allowing the identification of steganography in malware attacks,” he said.

Thomas Fischer, threat researcher and security advocate at Digital Guardian, told SC Media UK that while we know steganography been seen in various malware programs and tools, the exact extent of real-world usage and deployment in organisations is hard to estimate. “This is because steganography is very hard to detect and requires advanced image analytics and processing capabilities. With security budgets stretched thin and a perception that steganography is used only rarely, very few organisations have invested in these detection tools,” he said.

“Potentially more concerning for organisations is the use of steganography to obfuscate data exfiltration. Steganography techniques could provide a very strong method for a malicious user to bypass most traditional data loss prevention tools."

Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC Media UK that depending on the way the security layers are configured to run at the company's perimeter, some files could be skipped from scanning or from event correlation and reporting because their filetype would not potentially cause any harm alone.

“This is not something that the organisations suffer from the most, because this technique is used to conceal traffic and payloads, but solid behavioural scanning technologies should not have any problems picking the malicious process up,” he said.