In a typical targeted cyberattack, a threat actor, once inside the attacked network, establishes a foothold and then collects valuable information to transfer to the command and control (C&C) server. In most cases, proven security solutions or professional security analytics are able to identify the presence of the threat actor in the network at each stage of the attack, including the exfiltration stage, because exfiltration usually leaves traces, for example logged connections to an unknown or blacklisted IP address. When steganography is used, however, detecting data exfiltration becomes a difficult task.
In this scenario, malicious users embed the information to be stolen directly inside an ordinary image or video file, which is then sent to the C&C server. Such an event is unlikely to trigger any security alarms or data protection technology: after the attacker's modification the image is visually unchanged, and its size and most other parameters are also unaltered, so nothing raises cause for concern. This makes steganography an attractive technique for malicious actors choosing a way to exfiltrate data from an attacked network.
In recent months, Kaspersky Lab researchers have witnessed at least three cyberespionage operations utilising this technique. More worryingly, the technique is also being actively adopted by regular cybercriminals, not only by cyberespionage actors: Kaspersky Lab researchers have seen it used in updated versions of Trojans including Zerp, ZeusVM, Kins, Triton and others. Most of these malware families generally target financial organisations and users of financial services. This could be a sign of upcoming mass adoption of the technique by malware authors and, as an outcome, generally increased complexity of malware detection.
“Although this is not the first time we have witnessed a malicious technique, originally used by sophisticated threat actors, find its way onto the mainstream malware landscape, the steganography case is especially important. So far, the security industry hasn’t found a way to reliably detect the data exfiltration conducted in this way. The images used by attackers as a transportation tool for stolen information are very large, and even though there are some algorithms which could automatically detect the technique, their mass-scale implementation would require tons of computing power and would be cost prohibitive.
“On the other hand, it is relatively easy to identify an image ‘loaded’ with stolen sensitive data with the help of manual analysis. However, this method has limitations, as a security analyst would only be able to analyse a very limited number of images per day. Perhaps the answer is a mixture of the two. At Kaspersky Lab, we use a combination of technologies for automated analysis and human intellect in order to identify and detect such attacks. However, there is room for improvement in this area, and the goal of our investigations is to draw industry attention to the problem and enforce the development of reliable yet affordable technologies, allowing the identification of steganography in malware attacks”, said Alexey Shulmin, security researcher at Kaspersky Lab.
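The paragraphs above describe an image whose size and appearance are unchanged after the payload is hidden in it, and the quote mentions algorithms that can detect this automatically. The following is an added example, not Kaspersky Lab's code, of one such check, the pairs-of-values chi-square test of Westfeld and Pfitzmann, run on a constructed greyscale image; the image, the `simulate_lsb_replacement` fixture and the threshold are assumptions for the demonstration.

```python
import random
from collections import Counter

WIDTH, HEIGHT = 128, 128

def constructed_cover() -> list[int]:
    """Constructed 8-bit greyscale cover (not a real photo): eight flat
    tones with a faint three-level texture. Its histogram is uneven inside
    each (2k, 2k+1) value pair, as natural images' histograms usually are."""
    return [16 * ((x // 16 + y // 16) % 8) + 40 + (x % 3)
            for y in range(HEIGHT) for x in range(WIDTH)]

def simulate_lsb_replacement(pixels: list[int], seed: int = 1) -> list[int]:
    """Test fixture only: overwrite every LSB with a pseudo-random bit, which
    is what a hidden payload looks like once it is encrypted or compressed.
    The file size and the visible picture do not change."""
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in pixels]

def pairs_of_values_chi2(pixels: list[int]) -> float:
    """Reduced chi-square of the pairs-of-values test: LSB replacement drives
    h(2k) and h(2k+1) towards equality for every k, so the per-pair term
    (h0-h1)^2/(h0+h1) averages about 1 after embedding and is far larger on
    an untouched cover with an uneven histogram."""
    hist = Counter(pixels)
    stat, pairs = 0.0, 0
    for k in range(128):
        h0, h1 = hist[2 * k], hist[2 * k + 1]
        if h0 + h1 == 0:
            continue            # this value pair does not occur in the image
        stat += (h0 - h1) ** 2 / (h0 + h1)
        pairs += 1
    return stat / pairs if pairs else float("inf")

def looks_lsb_loaded(pixels: list[int], threshold: float = 3.0) -> bool:
    """Flag an image whose value pairs are as balanced as random LSBs would
    make them. Caveat: this catches (near-)full LSB replacement only; sparse
    embedding or LSB matching needs the windowed, RS or sample-pair tests,
    and a cover with a naturally flat histogram can trigger a false alarm."""
    return pairs_of_values_chi2(pixels) < threshold

if __name__ == "__main__":
    cover = constructed_cover()
    loaded = simulate_lsb_replacement(cover)
    for name, img in (("cover", cover), ("loaded", loaded)):
        print(f"{name}: chi2/pair={pairs_of_values_chi2(img):.2f} "
              f"suspicious={looks_lsb_loaded(img)}")
```

The cost the quote refers to is visible here: the histogram pass is cheap per image, but it must be run on every image leaving the network, and the simple threshold trades false alarms against missed partial embeddings.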