Stegomalware – Identifying possible attack vectors

Evasive malware dropped using images

Cyble Research Labs observed a surge in Stegomalware using Steganography during our routine threat-hunting exercise. Steganography is the technique of hiding data inside a normal message or file, such as text, image, video, etc.

This analysis showcases how we have determined, through our own testing, that malware using Steganography is highly evasive and hard to detect.

Stegomalware is a type of malware that uses Image Steganography to evade detection mechanisms. Over the past 90 days, over 1,800 malware samples were spotted in the wild based on Image Steganography. The figure below shows the count of Month over Month (MoM) distribution of stegomalware.

A few prominent malware families using Steganography are:

• Knotweed
• Web Shells
• Hacking Tools: Mimikatz, Rubeus
• NanoCore RAT
• AgentTesla
• XLoader

We also encountered various instances while monitoring chatter between multiple Threat Actors regarding .JPG+EXE malware, as shown in the figure below. This type of malware is usually created using Image Steganography, where the malicious exe is embedded in the legitimate image file.

Recent Attacks

In the last few weeks of July 2022, researchers reported two attacks where Steganography was used to deliver malware payloads. In the first event, TAs compromised Alibaba OSS Buckets to Distribute Malicious Shell Scripts via Steganography. In the other event, KNOTWEED malware used the JPEG file to hide Corelump malware.

Interestingly, the same technique was used in both incidents to hide the malware payload inside image files. The malicious code was appended after the image content, which ensured that the victim could only access the image without seeing the malicious code.

However, accessing stegomalware will not execute any embedded content. Rather, it will be accessed and executed by other programs.

Generating such malware using Steganography seems easy, but evasive is it?

To determine this, we picked a sample of Agent Tesla, a .NET-based spyware first identified in 2014. The figure below shows the sample with 58/70 detections on VirusTotal.

After appending the executable file to a .JPG file using the following cmd command: “copy /b image_name..JPG + AgentTesla.exe,” we generated a malicious .JPG file, which only had 4/59 detections on VirusTotal, as shown in the figure below.

This is likely why Steganography is still used to execute attacks, as this technique can enable TAs to conveniently generate fully undetectable Malware or Malware with very few detections.

Stegomalware is most commonly used in multistage malware attacks. The appended executable can be easily dropped or loaded directly using custom scripts or tools. Unfortunately, TAs can make this even more evasive by using encrypted or packed malicious content appended in the image.

How .SFX files can be leveraged along with Steganography

Researchers discovered in the past how APT TAs leveraged .SFX files to carry out attacks on ICS/SCADA systems. This attack vector can be executed for other systems as well. The Self-Extracting Archive (.SFX) file is an executable that contains compressed data that will be extracted during execution. Additionally, the compressed files inside. SFX can also be executed; hence, TAs can easily leverage this technique to execute malware. It is a well-known technique used by malware authors to bind malicious code inside an .SFX file.

TAs can easily bind malware with legitimate files using archiving tools such as WinRAR. It also provides an option such as a path to extract files and specify the file name to launch after extraction etc.

We researched multiple use cases on how .SFX files can be leveraged by TAs to be more evasive. The figure below shows the general use case for leveraging .SFX files alongside Steganography.  

To test one of these use cases, we created a malicious .SFX file that drops Agent Tesla malware, shown in Figure 3. The .SFX files extract the content in the %temp% location under a temporary “RarSFX0” folder if the “unpack to temporary folder option” is selected.

After extracting the content, the. SFX archive executes a file that extracts the AgentTesla malware embedded in the .JPG, drops it in the desired location, and eventually executes it. Even encrypted binaries can be embedded and decrypted during run time.

Similarly, the extracted malware can potentially be loaded directly into a legitimate process to leverage more evasion capabilities. Figure 7 shows the detection rate of the malicious .SFX file.

In this experiment, we did not use any encryption techniques and only used an old malware family with a very high detection rate. However, leveraging .SFX files, along with Steganography, lead to a low detection rate.

There is a possibility that the TAs can inject the malicious code directly into a legitimate process without dropping the actual file on the disk, making the malware even more evasive.

Conclusion

Stegomalware has been active in the wild for quite some time; however, TAs are using such threats to execute their attacks since TAs are always looking to find new ways to leverage the old attack techniques.

Such techniques can enable the TAs to evade detection mechanisms. During our research, we found that the detection rate of a well-known malware variant, “Agent Tesla,” dropped drastically after embedding it into an image file.

Considering the sheer number of stegomalware present in the wild, the convenience of generating stegomalware, and its widespread use in recent attacks, it is likely that we will see more malware families adopting this technique. Cyble Research Labs continuously monitors emerging threats and will continue to keep our readers informed.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

• Stay updated with current attack techniques adopted by Threat Actor.
• Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
• Monitor the beacon on the network level to block data exfiltration by malware or TAs.  
• For inspecting suspicious images manually, check the content at the end of the file or unusual file signatures and properties
• Verify the source before downloading any file.
• Keep updating your passwords after certain intervals.
• Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
• Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
• Enable Data Loss Prevention (DLP) Solutions on employees’ systems.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Execution	T1059   T1204 T1129	Command and Scripting Interpreter User Execution Shared Modules
Defense Evasion	T1027.003 T1140	Obfuscated Files or Information: Steganography Deobfuscate/Decode Files or Information