Steganography: While analysing multiple digital espionage campaigns and digital criminals, Kaspersky Lab researchers have identified a new, worrying trend: malicious hackers are increasingly using steganography, a digital version of an ancient technique for hiding messages inside images, to conceal the traces of their malicious activity on a computer that has been attacked.
A number of malware operations targeting digital espionage, and several examples of malware created to steal financial information, have recently been found to use this technique.
As in a typical targeted digital attack, a threat actor, once inside the attacked network, would gain access and then collect valuable information for later transfer to the command and control server. In most cases, proven security solutions or professional security analysts are able to detect the presence of the threat actor on the network at every stage of an attack, including the exfiltration stage.
This is because the exfiltration stage usually leaves traces, for example connections to an unknown or blacklisted IP address. However, when it comes to attacks in which steganography is used, detecting the exfiltration of data becomes a really difficult task.
In this scenario, malicious users insert the information to be stolen right into the code of an innocuous-looking image or video file, which is then sent to the C&C server. It is therefore unlikely that such an event could trigger security alarms or data protection technology. This is because, after being modified by the attacker, the image itself will not change visually, and its size and most other parameters will also not change and are thus not a cause for concern. This makes steganography a lucrative technique for malicious actors when it comes to choosing how to exfiltrate data from an attacked network.
In recent months, Kaspersky Lab researchers have witnessed at least three digital espionage campaigns that have used this technique.
More worryingly, the technique is also being actively adopted by regular digital criminals, not just by digital espionage actors.
Kaspersky Lab researchers have seen it used in upgraded versions of Trojans, including Zerp, ZeusVM, Kins, Triton and others. Most of these malware families generally target financial institutions and users of financial services.
The latter could be a sign of the impending mass adoption of the technique by malware creators and, as a result, of the generally increasing complexity of malware detection.
"Although this is not the first time we have seen a malicious technique originally used by advanced threat actors appear in the wider malware landscape, the case of steganography is particularly important. So far, the security industry has not found a way to reliably detect data exfiltration conducted in this way.
The images used by attackers as a transport tool for stolen information are very large, and although there are some algorithms that could automatically detect the technique, mass-scale implementation would require tons of computational power and the cost would be prohibitive.
On the other hand, it is relatively easy to detect an image 'loaded' with stolen sensitive data with the help of manual analysis. However, this method has limitations, as a security analyst could only analyse a very limited number of images per day. Maybe the answer is a mix of the two. At Kaspersky Lab, we use a combination of automated analysis technologies and the human mind to detect such attacks. However, there is room for improvement in this area, and the aim of our research is to draw industry attention to the problem and enforce the development of reliable but affordable technologies allowing the detection of steganography in malware attacks," said Alexey Shulmin, security researcher at Kaspersky Lab.
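One of the automated checks alluded to above is the classic pairs-of-values chi-square test for LSB replacement: hiding a random-looking payload in the least significant bits evens out the counts of each pixel value pair (2k, 2k+1), which natural images do not do. This is an added example, not Kaspersky Lab's code; the two sample "images" are constructed flat lists of 8-bit values (the clean one with a quantisation skew, the stego one with its LSBs re-drawn at random to mimic an encrypted payload), and the chi2/dof threshold of 2 is an assumption chosen for the demo.

```python
"""Pairs-of-values chi-square test for LSB replacement (added example, not
Kaspersky Lab's code).  Works on a flat list of 8-bit sample values."""
import random


def lsb_chi_square(samples):
    """Return (chi2, dof).  LSB replacement with a random-looking payload drives
    the counts of each value pair (2k, 2k+1) towards their mean; in natural images
    the two counts differ.  If the LSBs are random, chi2 is close to dof."""
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0      # value both counts converge to if embedded
        if expected == 0:
            continue                       # unused value pair carries no information
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return chi2, dof


def lsb_looks_embedded(samples, max_ratio=2.0):
    """Flag samples whose pair counts are suspiciously balanced.  The fixed
    chi2/dof threshold is an assumption for this demo; a real detector would
    compute a p-value (e.g. scipy.stats.chi2.sf).  A ratio near 1 means the
    LSBs are as random as an encrypted payload would make them."""
    chi2, dof = lsb_chi_square(samples)
    return dof > 0 and chi2 / dof < max_ratio


def clean_sample(n=20000, seed=1):
    """Constructed stand-in for a natural image: quantisation skews each value pair
    (three quarters of the values have their LSB cleared)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = min(255, max(0, int(rng.gauss(128, 40))))
        out.append(v & ~1 if rng.random() < 0.75 else v)
    return out


def stego_sample(n=20000, seed=1):
    """Constructed stand-in for the same image after full-capacity LSB replacement
    with an encrypted payload: every LSB is re-drawn uniformly at random."""
    rng = random.Random(seed + 1)
    return [(v & ~1) | rng.getrandbits(1) for v in clean_sample(n, seed)]


if __name__ == "__main__":
    for name, img in (("clean", clean_sample()), ("stego", stego_sample())):
        chi2, dof = lsb_chi_square(img)
        print(f"{name}: chi2/dof = {chi2 / dof:.2f}, embedded={lsb_looks_embedded(img)}")
```

The clean sample scores a chi2/dof ratio in the tens while the stego sample lands near 1, which is the separation the test relies on; the quoted caveat still applies, since running this over every image leaving a network is costly and smooth histograms can produce false positives.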
For more information on the types of steganography used by malicious actors and possible detection methods, you can read the blog post on the specialist site Securelist.com.