Steganography: How Hackers Hide Malware in Images

Written by jtruong | Published 2021/07/29
Tech Story Tags: steganography | malware | image-steganography | cybersecurity | malware-detection | blogging-fellowship | security | hackernoon-top-story

TLDR Image steganography is the “practice of hiding a secret message inside of (or even on top of) something that is not secret”. Hackers are constantly searching for new ways to avoid being caught. Images are the most common carrier for steganography, and the attacker can choose which image format (e.g. .jpg) to conceal the malware in. Security researchers from Kaspersky Lab have agreed with McAfee that most modern anti-malware solutions provide little, if any, protection from image steganography.

What is Steganography?

Steganography is the “practice of hiding a secret message inside of (or even on top of) something that is not secret” (comptia); for example, much steganography involves inserting a secret piece of text, malware, or code inside a picture.
You could even hide a script inside a Word document. Hackers are constantly searching for new ways to avoid being caught. There are different kinds of steganography, including text, image, audio/video, and protocol steganography. In this article, however, I will focus specifically on image steganography and how hackers hide malware in images.

What is Image Steganography?

Image steganography refers to the “practice of hiding code within an innocent-looking image” (votiro). Hackers have come to use this method more frequently because many cybersecurity experts have overlooked image steganography. According to Votiro, in 2017 security researchers reported a 600% increase in image steganography attacks.
Images are the most common carrier for steganography, and the attacker can choose which image format (e.g. .jpg) to conceal the malware in.

How can Hackers Hide Malware in Images?

It is not difficult for hackers to hide malware in images. For example, “a standard JPEG photo contains several megabytes of pixel data, allowing an attacker to alter several of the pixels to embed malicious code” (votiro). The color value “differences between altered and unaltered pixels are subtle enough that human eyesight cannot detect them” (votiro). Take a look at the example below.
The payload hidden by image steganography may be self-contained, or the hidden code may call other executables to carry out the attack.
One simple way for hackers to hide text in an image file is to append a string to the end of the file. Doing this does not change how the image is displayed or its visual appearance. The image is not distorted, yet the plain-text string appended to the end of the image file can easily be read by a program.
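A defender can check for exactly this kind of appended data by walking the image container and reporting anything that follows the structural end of the image. The following is an added example, not code from the original article: it parses the JPEG marker structure up to the End-Of-Image marker and, going a step beyond the article's .jpg case, the PNG chunk structure up to the IEND chunk. It deliberately does not just search for the last `FF D9`, because appended data can itself contain that byte pair. The sample image bytes are constructed inline (minimal, not decodable pictures) purely to exercise the parser.

```python
"""Report bytes appended after the end of a JPEG or PNG image (added example)."""
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_trailing_data(data: bytes) -> bytes:
    """Return the bytes that follow the JPEG EOI marker (empty if none)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                       # EOI: everything after it is trailing data
            return data[pos + 2:]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers have no length field
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + length
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # a real marker is FF followed by anything but 00 (stuffed) or RSTn
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def png_trailing_data(data: bytes) -> bytes:
    """Return the bytes that follow the PNG IEND chunk (empty if none)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    pos = 8
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4                    # length + type, payload, CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def trailing_data(data: bytes) -> bytes:
    """Dispatch on the file signature and return any appended bytes."""
    if data.startswith(b"\xff\xd8"):
        return jpeg_trailing_data(data)
    if data.startswith(PNG_SIG):
        return png_trailing_data(data)
    raise ValueError("unsupported image format")


# --- constructed sample files (structurally valid, not real pictures) ---
def _jpeg_segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload).to_bytes(4, "big")
    return len(payload).to_bytes(4, "big") + ctype + payload + crc


CLEAN_JPEG = (
    b"\xff\xd8"
    + _jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _jpeg_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\xff\x00\x34\xff\xd0\x56"   # entropy data containing a stuffed FF00 and an RST0
    + b"\xff\xd9"
)
CLEAN_PNG = (
    PNG_SIG
    + _png_chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00")
    + _png_chunk(b"IEND", b"")
)
# constructed appended text; it even contains FF D9 to show why naive searching fails
APPENDED = b"constructed hidden text \xff\xd9 still hidden"

if __name__ == "__main__":
    samples = (("clean jpeg", CLEAN_JPEG), ("jpeg + appended", CLEAN_JPEG + APPENDED),
               ("clean png", CLEAN_PNG), ("png + appended", CLEAN_PNG + APPENDED))
    for name, blob in samples:
        extra = trailing_data(blob)
        print(f"{name}: {len(extra)} trailing byte(s) {extra[:24]!r}")
```

Any non-empty result deserves a closer look; legitimate files occasionally carry a few trailing bytes, but a readable string or a second file header after the image end is the pattern the article describes.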

Image Steganography Detection

The image steganography method makes such small modifications within an image that it is difficult for anti-malware tools to detect. According to McAfee, “Steganography in cyber attacks is easy to implement and enormously tough to detect”, which is why hackers prefer to hide malware in images. Security researchers from Kaspersky Lab have also agreed with McAfee that most modern anti-malware solutions provide little, if any, protection from steganography. The following are indicators of image steganography:
  • Slight color differences between two images
  • A large number of duplicate colors within an image
  • If the suspicious image is larger than the original image, the size difference may be due to hidden information
One reason why image steganography, and steganography attacks in general, are difficult to detect is that they first appear as zero-day threats, making detection difficult for antivirus software because no patch has been developed yet.
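The first indicator above, slight color differences between a reference image and a suspect copy, can be measured directly when the original is available. The following is an added example, not code from the article: it compares two images pixel by pixel and reports how many pixels changed, the largest per-channel difference, and whether every change is confined to the least significant bit, which is the signature of the pixel-altering technique the article describes. Images are represented as flat lists of RGB tuples (an assumed, constructed format chosen to avoid external libraries), and the suspect image is generated by flipping red-channel LSBs of a constructed sample so the comparison has something to find.

```python
"""Compare a reference image with a suspect copy for steganography indicators (added example)."""
from typing import Dict, List, Tuple

Pixel = Tuple[int, int, int]
Image = List[Pixel]   # assumed format: flat, row-major list of (R, G, B)


def compare_images(original: Image, suspect: Image) -> Dict[str, object]:
    """Report per-pixel differences between two same-sized images."""
    if len(original) != len(suspect):
        raise ValueError("images must have identical dimensions")
    changed = 0
    max_delta = 0
    lsb_only = True
    for p_orig, p_sus in zip(original, suspect):
        if p_orig == p_sus:
            continue
        changed += 1
        for a, b in zip(p_orig, p_sus):
            max_delta = max(max_delta, abs(a - b))
            # an LSB-only change differs in exactly bit 0 (XOR is 0 or 1);
            # a delta of 1 with a carry (e.g. 127 -> 128) is NOT an LSB-only change
            if (a ^ b) not in (0, 1):
                lsb_only = False
    return {
        "pixels_changed": changed,
        "fraction_changed": changed / len(original) if original else 0.0,
        "max_channel_delta": max_delta,
        "changes_confined_to_lsb": changed > 0 and lsb_only,
    }


def lsb_modify(image: Image, bits: str) -> Image:
    """Construct a suspect image by overwriting the red-channel LSB of the
    first len(bits) pixels with the given bit string (test-data generator only)."""
    out = list(image)
    for i, bit in enumerate(bits):
        r, g, b = out[i]
        out[i] = ((r & ~1) | int(bit), g, b)
    return out


# constructed 8x8 reference image: every red value is even, so a 1 bit is visible as a change
ORIGINAL: Image = [(x * 16, y * 16, 128) for y in range(8) for x in range(8)]
SAMPLE_BITS = format(int.from_bytes(b"hi", "big"), "016b")   # 16 constructed bits, seven of them 1
SUSPECT: Image = lsb_modify(ORIGINAL, SAMPLE_BITS)

if __name__ == "__main__":
    print("identical copy:", compare_images(ORIGINAL, ORIGINAL))
    print("LSB-modified copy:", compare_images(ORIGINAL, SUSPECT))
```

A human comparing the two images would see nothing, which is the article's point; the report, by contrast, shows a small set of pixels that differ by at most one level and only in the lowest bit. Without a reference copy this comparison is not possible, which is why the remaining indicators (duplicate colors, unexplained file-size growth) and the behavioral controls in the next section matter.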

Image Steganography Example

The malware LokiBot “employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials” (CISA). LokiBot uses steganography to hide malware in an image and an executable file. The malware “installs itself as two files: .jpg file and a .exe file; the .jpg file opens, unlocking data that LokiBot needs when implemented” (votiro).

Protect Against Image Steganography

As mentioned earlier in the article, it is extremely difficult to detect image steganography; therefore the best way to protect against it is to take appropriate security precautions. McAfee recommends the following steps organizations should follow in order to protect against image steganography:
  • Pay close attention to each image - with the help of image editing software you can look for indicators of steganography such as slight color differences between images
  • Segment the network
  • Configure anti-malware to detect binders (a tool used to combine two files into one)
  • Install applications with trusted signatures
  • Monitor outgoing traffic
  • Control the use of steganography software
SentinelOne has suggested that organizations use “behavioral AI software to detect the execution of malicious code, regardless of whether it originates from an image or other file, or even if it is fileless malware” (SentinelOne).
Steganography is a technique that hackers will continue to use to conceal their malware because of how difficult it is to detect. Image steganography will certainly keep being used by hackers to hide malware in images, because there is no way to tell whether an image contains malware without further investigation. Although an image appears to be innocent, it may be embedded with malicious code that is later executed, for example by calling another process. Organizations must take all necessary security precautions when it comes to steganography. Since it is a popular technique, organizations should be aware of the appropriate tools needed to detect steganography.

Published by HackerNoon on 2021/07/29