Obfuscated Files or Information: Steganography

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.[1]

By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.[2]

ID: T1027.003
Sub-technique of: T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
CAPEC ID: CAPEC-636
Version: 1.2
Created: 05 February 2020
Last Modified: 15 October 2021

Procedure Examples

ID Name Description
S0469 ABK

ABK can extract a malicious Portable Executable (PE) from a photo.[3]

G0138 Andariel

Andariel has hidden malicious executables within PNG files.[4][5]

G0067 APT37

APT37 uses steganography to send users images that have shellcode embedded in them.[6][7]

S0473 Avenger

Avenger can extract backdoor malware from downloaded images.[3]

S0234 Bandook

Bandook has used .PNG images within a zip file to build the executable.[8]

S0470 BBK

BBK can extract a malicious Portable Executable (PE) from a photo.[3]

G0060 BRONZE BUTLER

BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.[3]

S0471 build_downer

build_downer can extract malware from a downloaded JPEG.[3]

S0483 IcedID

IcedID has embedded binaries within RC4 encrypted .png files.[9]

G0065 Leviathan

Leviathan has used steganography to hide stolen data inside other files stored on Github.[10]

S0513 LiteDuke

LiteDuke has used image files to hide its loader component.[11]

G0069 MuddyWater

MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.[12]

S0644 ObliqueRAT

ObliqueRAT can hide its payload in BMP images hosted on compromised websites.[13]

S0439 Okrum

Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file.[14]

S0518 PolyglotDuke

PolyglotDuke can use steganography to hide C2 information in images.[11]

S0139 PowerDuke

PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).[15]

S0654 ProLock

ProLock can use .jpg and .bmp files to store its payload.[16]

S0565 Raindrop

Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.[17]

S0458 Ramsay

Ramsay has PE data embedded within JPEG files contained within Word documents.[18]

S0495 RDAT

RDAT can also embed data within a BMP image prior to exfiltration.[19]

S0511 RegDuke

RegDuke can hide data in images, including use of the Least Significant Bit (LSB).[11]

G0127 TA551

TA551 has hidden encoded data for malware DLLs in a PNG.[20]

G0081 Tropic Trooper

Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.[21]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component
DS0022 File File Metadata

Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.
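One concrete form of the artifact check described above, added here as an example and not taken from the ATT&CK page or any of the cited reports: a Python checker that walks the PNG chunk list and the JPEG segment structure to report bytes appended after the image's end marker, and looks for the PE DOS-stub string inside the file. Function names and all sample bytes are my own constructions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DOS_STUB = b"This program cannot be run in DOS mode"  # string a PE embedded in the carrier leaves behind

def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list; return the number of bytes after the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("IEND chunk not found")

def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk JPEG segments, skipping entropy-coded scan data; return bytes after EOI."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: the picture ends here, anything after it is appended
            return len(data) - (pos + 2)
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2  # stand-alone marker, no length field
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: scan data runs until a marker that is not FF00 stuffing or RSTn
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in (0x00, 0xFF)
                                               and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("EOI marker not found")

def scan_image(data: bytes) -> dict:
    """Report appended bytes and the offset of any PE DOS-stub string (-1 if absent)."""
    walker = png_trailing_bytes if data.startswith(PNG_SIG) else jpeg_trailing_bytes
    return {"trailing_bytes": walker(data), "dos_stub_offset": data.find(DOS_STUB)}

def _chunk(ctype: bytes, body: bytes) -> bytes:  # builds one PNG chunk for the constructed sample
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a 1x1 PNG with a fake PE appended, and a JPEG whose APP0 body contains FF D9.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + DOS_STUB
SAMPLE_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IEND", b"") + SAMPLE_PAYLOAD
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04\xff\xd9" + b"\xff\xda\x00\x02"
               + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9" + b"<appended>")
```

Trailing-data and string checks only catch crude embedding; LSB steganography of the kind attributed to RegDuke above leaves the container structurally valid and needs statistical analysis of pixel data instead.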

References