Steganography: While analysing multiple digital espionage and cybercriminal campaigns, researchers at Kaspersky Lab identified a new and disturbing trend: malicious actors are increasingly turning to steganography, a digital version of the ancient technique of hiding messages inside pictures, in order to conceal the traces of their activity on a compromised computer.
Several pieces of malware aimed at digital espionage, and many examples of malware built to steal financial information, have recently been found to use this technique.
In a typical targeted attack, a threat actor who has gained a foothold in the victim's network collects valuable information and later transfers it to a command-and-control (C&C) server. In most cases, proven security solutions or professional security analysts are able to detect the attacker's presence in the network at every stage of the attack, including the exfiltration stage.
This is because exfiltration usually leaves traces, for example connections to an unknown or blacklisted IP address. When the attack uses steganography, however, detecting the exfiltration becomes a genuinely difficult task.
In this scenario the attackers embed the information to be stolen directly into the data of an unremarkable image or video file, which is then sent to the C&C server. Such an event is unlikely to trigger security alerts or data-protection technology: after the attacker's modification the image looks the same to the eye, its file size and most other parameters remain essentially unchanged, and nothing about it gives cause for concern. This makes steganography an attractive technique for attackers choosing how to exfiltrate data from a compromised network.
In recent months, Kaspersky Lab researchers have seen at least three digital espionage campaigns that used this technique.
More worryingly, the technique is also being actively adopted by ordinary cybercriminals, not only by espionage actors.
Kaspersky Lab researchers have seen it used in updated versions of Trojans including Zerp, ZeusVM, Kins, Triton and others. Most of these malware families target financial institutions and users of financial services.
The latter could be a sign of the impending mass adoption of the technique by malware authors and, as a result, of a general increase in the difficulty of detecting malware.
"Although this is not the first time we have seen a malicious technique originally used by sophisticated threat actors find its way into the mainstream malware landscape, the case of steganography is especially important. So far, the security industry has not found a way to reliably detect data exfiltration conducted in this way.
The images used by attackers as a transport for the stolen information are very large, and although there are some algorithms that could automatically detect the technique, their mass-scale implementation would require tons of computing power and the cost would be prohibitive."
"On the other hand, it is relatively easy to identify an image 'loaded' with stolen sensitive data with the help of manual analysis. However, this method has limitations, as a security analyst can only analyse a very limited number of images per day. Perhaps the answer is a mix of the two. At Kaspersky Lab, we use a combination of technologies for automated analysis and human intellect in order to identify and detect such attacks. However, there is room for improvement in this area, and the aim of our research is to draw industry attention to the problem and to encourage the development of reliable yet affordable technologies that allow the detection of steganography in malware attacks," said Alexey Shulmin, security researcher at Kaspersky Lab.
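The embedding step described above (stolen data hidden in an image whose appearance and size do not change) and the kind of automated detection the quote says is expensive at scale, as an added worked example that is not code from the article or from Kaspersky Lab. It works on raw 8-bit RGB samples rather than a real file format so it runs with the Python standard library alone; the cover image, the "stolen" record and the random seeds are constructed for the demonstration, and the pairs-of-values chi-square detector is the classic Westfeld and Pfitzmann test, chosen here as an illustration rather than anything the article attributes to the researchers.

```python
"""LSB steganography on raw RGB samples, plus a pairs-of-values detector.

Added example (not from the article). The cover image is synthetic: its sample
values are deliberately biased toward even numbers so the effect of embedding
on the histogram is easy to see. Real images vary.
"""
import random
import struct

WIDTH, HEIGHT, CHANNELS = 64, 64, 3  # constructed 64x64 RGB "image"


def make_cover(seed=1):
    """Constructed cover: 8-bit samples with 90% even values (biased LSB plane)."""
    rng = random.Random(seed)
    pixels = bytearray(WIDTH * HEIGHT * CHANNELS)
    for i in range(len(pixels)):
        value = rng.randrange(256)
        if rng.random() < 0.8:
            value &= 0xFE  # clear the LSB to skew the pair-of-values histogram
        pixels[i] = value
    return bytes(pixels)


def capacity(pixels):
    """Payload bytes that fit at one bit per sample, minus a 4-byte length header."""
    return len(pixels) // 8 - 4


def embed(pixels, payload):
    """Replace the LSB of consecutive samples with (length || payload) bits."""
    if len(payload) > capacity(pixels):
        raise ValueError("payload exceeds LSB capacity of the cover")
    data = struct.pack(">I", len(payload)) + payload
    stego = bytearray(pixels)
    for bit_index in range(len(data) * 8):
        bit = (data[bit_index // 8] >> (7 - bit_index % 8)) & 1
        stego[bit_index] = (stego[bit_index] & 0xFE) | bit
    return bytes(stego)


def extract(pixels):
    """Inverse of embed(): read the length header, then that many payload bytes."""
    def read_bytes(first_sample, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (pixels[first_sample + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if length > capacity(pixels):
        raise ValueError("length header inconsistent with image size")
    return read_bytes(32, length)


def max_sample_delta(a, b):
    """Largest per-sample change between two images (1 means LSB-only edits)."""
    return max(abs(x - y) for x, y in zip(a, b))


def pov_chi_square(pixels):
    """Pairs-of-values chi-square statistic (Westfeld & Pfitzmann).

    LSB embedding of near-random data pushes n[2k] and n[2k+1] toward equality,
    so the statistic collapses toward a small value for a fully embedded image
    and stays large for a cover whose pairs are unbalanced.
    """
    hist = [0] * 256
    for value in pixels:
        hist[value] += 1
    chi = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected > 0:
            chi += (hist[2 * k] - expected) ** 2 / expected
    return chi


def demo():
    """Embed a constructed record, verify invisibility, then run the detector."""
    cover = make_cover()
    record = b"user=alice;session=EXAMPLE-TOKEN-0001"  # constructed "stolen" data
    stego = embed(cover, record)
    # A fully loaded image (random payload stands in for encrypted exfil data).
    rng = random.Random(7)
    full = embed(cover, bytes(rng.randrange(256) for _ in range(capacity(cover))))
    return {
        "size_unchanged": len(stego) == len(cover),
        "max_delta": max_sample_delta(cover, stego),
        "recovered": extract(stego),
        "chi_cover": pov_chi_square(cover),
        "chi_full": pov_chi_square(full),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demonstration shows both sides of the article's point: the stego image has the same length as the cover and no sample moved by more than one unit, so size and visual checks see nothing, while a per-image statistic does separate a fully loaded image from the cover. It also shows why that detection is costly in practice: the test needs a histogram of every image crossing the network boundary, and a small payload in a large image leaves most of the LSB plane untouched, which weakens the whole-image statistic.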
For more information on the types of steganography used by malicious actors and possible detection methods, see the blog post on the specialist site Securelist.com.