Steganography: hiding information in pictures

While analyzing multiple digital espionage and cybercriminal campaigns, Kaspersky Lab researchers identified a new, disturbing trend: malicious hackers are increasingly using steganography, a digital version of an ancient technique of hiding messages inside images, to hide the traces of their malicious activity on a system that has been attacked.

A number of malware programs aimed at digital espionage, and many examples of malware created to steal financial information, have recently been found to use this technique.

In a typical targeted digital attack, a threat actor, once inside the network under attack, would gain access and then gather valuable information to later transfer to the command and control (C&C) server. In most cases, proven security technologies or professional security analytics are able to detect the presence of the threat actor in the network at every stage of an attack, including the exfiltration stage.

This is because the exfiltration stage usually leaves traces, for example connections to an unknown or blacklisted IP address. However, when steganography is used in an attack, detecting data exfiltration becomes a really difficult task.

In this scenario, attackers insert the information to be stolen directly into the code of an innocuous image or video file, which is then sent to the C&C server. It is therefore unlikely that such an event would trigger security alarms or data protection technology. This is because, after modification by the intruder, the image itself does not change visually, and its size and most other parameters also do not change, so it gives no cause for concern. This makes steganography a lucrative technique for malicious actors when choosing how to exfiltrate data from an attacked network.

In recent months, Kaspersky Lab researchers have observed at least three digital espionage campaigns that used this technique.

More worryingly, the technique is also being actively adopted by regular cybercriminals, not just by digital espionage actors.

Kaspersky Lab researchers have seen it used in updated versions of Trojans, including Zerp, ZeusVM, Kins, Triton and others. Most of these malware families generally target financial institutions and users of financial services.

The latter could be a sign of the impending mass adoption of the technique by malware creators and, as a result, of generally increasing complexity in malware detection.

“Although this is not the first time we have seen a malicious technique originally used by advanced threat actors appear in the dangerous landscape of malware, the case of steganography is particularly important. So far, the security industry has not found a way to reliably detect data exfiltration carried out in this way.

“The images that attackers use as transport for stolen information are very large, and although there are some algorithms that could automatically detect the technique, implementing them on a massive scale would require tons of computing power and be cost prohibitive.

“On the other hand, it is relatively easy to detect an image 'loaded' with stolen sensitive data with the help of manual analysis. However, this method has limitations, as the security analyst could only analyze a very limited number of images per day. Perhaps the answer is a mix of the two. At Kaspersky Lab, we use a combination of automated analysis and human intelligence technologies to identify and detect such attacks. However, there is room for improvement in this area and the goal of our research is to draw industry attention to the problem and force the development of reliable yet affordable technologies, enabling the identification of steganography in malware attacks,” said Alexey Shulmin, security researcher at Kaspersky Lab.

For more information on the types of steganography used by malicious actors and on possible detection methods, you can read the blog post on the specialist site Securelist.com.
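One kind of automated check of the sort the quote refers to is a pair-of-values chi-square test on least-significant bits, run block by block over an image's samples. This is an added example, not code from Kaspersky Lab or from the article; it assumes hidden data overwrites the low bit of 8-bit samples, and the function names, threshold and sample data are all constructed for illustration.

```python
import random

def pov_score(samples):
    """Pair-of-values chi-square statistic, averaged per value pair.

    Values 2k and 2k+1 differ only in the least significant bit. If that
    bit is overwritten with random-looking (e.g. encrypted) data, the two
    counts in each pair even out and the score falls to about 1.
    """
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    total, pairs = 0.0, 0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected < 5:          # too few samples for the test to mean much
            continue
        total += 2 * (hist[k] - expected) ** 2 / expected
        pairs += 1
    return total / pairs if pairs else float("inf")

def suspicious_blocks(samples, block=20000, threshold=2.0):
    """Return (offset, score, flagged) per full block; threshold is illustrative."""
    out = []
    for off in range(0, len(samples) - block + 1, block):
        s = pov_score(samples[off:off + block])
        out.append((off, round(s, 2), s < threshold))
    return out

# --- Constructed sample data (not taken from any real image) ---
def make_cover(n, seed=1):
    # Synthetic "pixels" whose even values are more common than odd ones,
    # standing in for the uneven histogram of an unmodified image.
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (rng.random() < 0.3) for _ in range(n)]

def make_modified(cover, fraction, seed=2):
    # Same samples with the low bit of the first `fraction` randomised,
    # standing in for an image that carries an encrypted payload.
    rng = random.Random(seed)
    cut = int(len(cover) * fraction)
    return [(v & ~1) | rng.getrandbits(1) for v in cover[:cut]] + cover[cut:]

if __name__ == "__main__":
    cover = make_cover(80000)
    for row in suspicious_blocks(make_modified(cover, 0.5)):
        print(row)
```

Running a test like this on every image that leaves a network is where the cost described in the quote comes from: each file has to be decoded and its samples histogrammed block by block.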

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
