Here's How Hackers Are Using Steganography in Cyber Attacks


You've all heard the advice that you should never open email attachments unless you know where they're coming from, and we won't be surprised if some of you find it a bit strange. After all, you know that in order to get your computer compromised, some code must be executed, and you know that code is executed by executable files. In light of this, you might think that a humble JPG file, for example, can do you no harm. You'd be wrong.

What is steganography?

The term steganography comes from the Greek words for "conceal" and "writing," and it refers to hiding information in non-secret data. When it comes to cybersecurity, steganography refers to the act of embedding malicious code into seemingly benign files.

Hackers can embed malware in just about any type of file you care to imagine, including images and videos. By doing so, they are not only more likely to fool the victim, but they also stand a better chance of evading any security products that might be installed on the computer.

It's not a new technique. In fact, in 2017, experts coined the term "stegware" as a collective term for cyberattacks using malicious code embedded in images and other media files. Still, it's safe to say that as clever and as effective as it is, steganography is not something hackers use particularly often. This is mainly because hiding malicious code in benign-looking files is not easy and requires a level of sophistication that most cybercriminals simply don't possess.

Steganography in real-world attacks

That being said, steganography isn't just a theory. Over the years, there have been a few attacks that have employed the technique, and the latest one was spotted last month by researchers from Kaspersky.

The campaign is targeting industrial enterprises in the UK, Germany, Japan, and Italy, and ultimately, it distributes a tool called Mimikatz, which steals Windows login credentials. Most likely, the goal is to use the pilfered information to move laterally within the compromised network and cause more damage. Before they can do that, however, the crooks need to smuggle Mimikatz onto the system, and they do that using steganography.

The attack starts with a carefully crafted email and an Excel file attached to it. The experts pointed out that the messages are customized for each target, which goes to show that the attackers aren't interested in hitting random people or organizations.

The opened Excel file asks the victim to click the "Enable Content" button, and if the user complies, the malicious spreadsheet runs the embedded macro instructions, which, in turn, open a hidden PowerShell window and load a script.

The malware then downloads an innocent-looking PNG file from an image-sharing website like Imgur or ImgBox. There's nothing about the image that could raise suspicion, and because it's downloaded from a completely legitimate resource, it's unlikely to trigger any security alerts.

In reality, however, the image file contains a second PowerShell script that is Base64-encoded and encrypted. The malware extracts the script from the PNG file, decrypts and decodes it, and runs it in a second PowerShell window. Its purpose is to download and install the Mimikatz stealer.
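For defenders, the chain described above (Excel starts a hidden PowerShell, which fetches a PNG from an image host and then starts a second PowerShell) can be correlated in endpoint telemetry. The following Python is an added example, not code from Kaspersky or from the original article; the event field names, host names, URLs, the list of Office parents and the five-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
IMAGE_HOSTS = ("imgur.com", "imgbox.com")  # the image hosts the article names
WINDOW = timedelta(minutes=5)              # assumed correlation window

# Constructed sample telemetry (simplified fields); ws-22 and ws-30 are benign.
EVENTS = [
    {"ts": "2020-06-01T09:14:02", "host": "ws-17", "type": "process", "pid": 4120,
     "ppid": 3004, "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden"},
    {"ts": "2020-06-01T09:14:09", "host": "ws-17", "type": "network", "pid": 4120,
     "url": "https://i.imgur.com/EXAMPLE.png"},
    {"ts": "2020-06-01T09:14:15", "host": "ws-17", "type": "process", "pid": 5288,
     "ppid": 4120, "parent": "powershell.exe", "image": "powershell.exe"},
    {"ts": "2020-06-01T09:20:00", "host": "ws-22", "type": "network", "pid": 900,
     "url": "https://i.imgur.com/EXAMPLE2.png"},
    {"ts": "2020-06-01T09:30:00", "host": "ws-30", "type": "process", "pid": 700,
     "ppid": 650, "parent": "explorer.exe", "image": "powershell.exe"},
]

def is_image_fetch(url):
    u = urlparse(url)
    host = (u.hostname or "").lower()
    on_host = any(host == d or host.endswith("." + d) for d in IMAGE_HOSTS)
    return on_host and u.path.lower().endswith(".png")

def detect(events):
    """Correlate Office -> PowerShell -> PNG from image host -> child PowerShell."""
    chains = {}  # (host, pid) of each Office-spawned PowerShell -> chain state
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "process" and e["image"].lower() == "powershell.exe":
            if e["parent"].lower() in OFFICE:
                hidden = "-windowstyle hidden" in e.get("cmdline", "").lower()
                chains[(e["host"], e["pid"])] = {
                    "host": e["host"], "pid": e["pid"], "start": ts,
                    "hidden": hidden, "png_url": None, "child_powershell": False}
            c = chains.get((e["host"], e["ppid"]))
            if c and c["png_url"] and ts - c["start"] <= WINDOW:
                c["child_powershell"] = True
        elif e["type"] == "network":
            c = chains.get((e["host"], e["pid"]))
            if c and ts - c["start"] <= WINDOW and is_image_fetch(e["url"]):
                c["png_url"] = e["url"]
    # Alert once the image download is seen; a child PowerShell raises severity.
    return [dict(c, severity="high" if c["child_powershell"] else "medium")
            for c in chains.values() if c["png_url"]]
```

Calling `detect(EVENTS)` yields a single high-severity alert for ws-17, while the browser image load and the Explorer-launched PowerShell produce nothing. The download alone would not stand out, which is why the rule keys on the parent process rather than on the image host.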

It's not yet clear who is behind the attack described by Kaspersky, but it's obvious that whoever they are, they know what they're doing. We can only hope that few cybercriminals are as clever and sophisticated as these hackers are.

June 3, 2020
