Thursday, 26 November 2015

Attackers Embracing Steganography to Hide Communication

Emboldened by examples carried out on a larger scale of late, researchers believe digital steganography has arrived as a legitimate technique for attackers to use when it comes to obscuring communication between malware and its command and control servers.

In a presentation last week at Black Hat Europe, researchers with CrowdStrike and Dell SecureWorks cited a handful of campaigns that rely on steganography and have thrived recently.

Steganography, the art of hiding information inside other media, isn't a particularly new concept, but the researchers claim that malware authors and operators appear to have taken to the technique as of late.

Pierre-Marc Bureau, a senior security researcher at Dell SecureWorks, and Dr. Christian Dietrich, a senior researcher with CrowdStrike, say one of the most recent examples can be found in an instance of "Foreign," a DDoS tool the two looked at recently which relies on messages hidden in HTTP error pages. The tool parses the page, which appears to be a generic 404 page at first glance, but actually contains a C2 command that is invisible to anyone viewing the rendered page.

The command, encoded using Base64 and stored between HTML comment tags, prompts the bot to download a file from a given URL. Because browsers do not render comments, the page looks benign on screen, but the encoded command is plain to see in the raw response body, so anyone inspecting the traffic rather than the rendered page can spot it.
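The following is an added example, not code from the article or from the Foreign tool itself. It shows both halves of the pattern described above: how a bot could pull a Base64 command out of the HTML comments of a fake 404 page, and a defender-side check that flags the same pattern in captured responses. The sample pages, the URL and the "DOWNLOAD <url>" command grammar are constructed assumptions; the article only says the decoded command names a URL to fetch.

```python
# Added example, not the article's or Foreign's own code. Extract a Base64
# command hidden in the HTML comments of a fake 404 page, plus a defender-side
# check that flags such comments. Command grammar and sample pages are assumed.
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Hypothetical command grammar; the real Foreign format is not documented here.
COMMAND_RE = re.compile(r"^(DOWNLOAD)\s+(https?://\S+)$")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")

PAGE_TEMPLATE = """<html><head><title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<!-- served by frontend-03 -->
{payload}
</body></html>
"""

# Constructed samples: one page carries a command, one is a clean 404.
HIDDEN_COMMAND = "DOWNLOAD http://example.invalid/update.bin"
INFECTED_404 = PAGE_TEMPLATE.format(
    payload="<!-- " + base64.b64encode(HIDDEN_COMMAND.encode()).decode() + " -->")
CLEAN_404 = PAGE_TEMPLATE.format(payload="")


def html_comments(html: str) -> List[str]:
    """Return the stripped text of every HTML comment in the page."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def looks_like_base64(text: str, min_len: int = 16) -> bool:
    """Cheap structural test: alphabet, padding, and length a multiple of 4."""
    return len(text) >= min_len and len(text) % 4 == 0 and bool(BASE64_RE.match(text))


def decode_if_text(blob: str) -> Optional[str]:
    """Strictly decode Base64; accept the result only if it is printable ASCII."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text and all(c in PRINTABLE for c in text) else None


def extract_command(html: str) -> Optional[Tuple[str, str]]:
    """Bot-side logic: the first comment that decodes to a well-formed command."""
    for comment in html_comments(html):
        if not looks_like_base64(comment):
            continue
        text = decode_if_text(comment)
        if text is None:
            continue
        m = COMMAND_RE.match(text.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def suspicious_comments(html: str) -> List[Tuple[str, str]]:
    """Defender-side check: comments that are Base64 decoding to printable text.
    Error pages normally carry no such comments, so each hit is worth an alert."""
    findings = []
    for comment in html_comments(html):
        if looks_like_base64(comment):
            text = decode_if_text(comment)
            if text is not None:
                findings.append((comment, text))
    return findings


if __name__ == "__main__":
    print("bot sees:", extract_command(INFECTED_404))
    print("clean page:", extract_command(CLEAN_404))
    for encoded, decoded in suspicious_comments(INFECTED_404):
        print(f"flag: {encoded} -> {decoded!r}")
```

The defender-side check is deliberately loose: it matches any Base64 comment that decodes to text, because a real operator is free to change the command grammar at any time, whereas the transport trick (encoded text inside a comment on an error page) is what a proxy or IDS can key on.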

The tool is the latest entry to a growing field of malware that excels at communicating via a stealthy C2 channel.

Again, Bureau and Dietrich stress that the technique as a whole isn't new, but that its use has grown more sophisticated lately. The two also discussed how three malware families – Lurk, Gozi, and Stegoloader – have leveraged the technique over the past several years.

Lurk, a downloader for click fraud malware, was spotted in 2014 hiding the URL it fetches content from inside a .BMP image. Gozi, known for perpetrating bank fraud, began using steganography at the beginning of this year "as a backup mechanism to retrieve URLs where it could download its configuration file." The malware encrypts that information in a favicon.ico file hosted on Tor.

Researchers with SecureWorks first described the Stegoloader malware, which works in a similar manner to Lurk, earlier this year. The malware relies on a deployment module that fetches a PNG image that contains malware. Once dropped, the malware is mostly used to steal system information but can also be used to load additional modules that access documents, list installed programs, steal browser history, and drop more password-stealing malware, Pony.
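The following is an added example, not code from the article, from Lurk, or from Stegoloader. It illustrates what the two preceding paragraphs describe in outline, a URL or payload stored inside an image, by hiding a C2 URL in the least-significant bits of raw pixel bytes and reading it back. The article does not say which embedding method these families use, so LSB substitution with a length prefix is assumed here purely as the illustrative method; the cover image (a 64x64 gradient, pixel bytes only, no BMP header) and the URL are constructed.

```python
# Added example, not the article's, Lurk's or Stegoloader's code. Hide a URL in
# the least-significant bits of image pixel bytes and recover it. LSB embedding,
# the 4-byte length prefix, the gradient cover and the URL are all assumptions.

# Constructed cover: 64x64 24-bit pixels, i.e. what follows a BMP's 54-byte header.
WIDTH, HEIGHT, CHANNELS = 64, 64, 3
COVER = bytearray(((x * 3 + y * 5 + c * 17) % 256)
                  for y in range(HEIGHT) for x in range(WIDTH) for c in range(CHANNELS))

HEADER_BYTES = 4  # big-endian payload length stored in the first 32 LSBs


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(pixels: bytes) -> int:
    """Payload bytes that fit: one bit per pixel byte, minus the length header."""
    return len(pixels) // 8 - HEADER_BYTES


def embed(pixels: bytes, payload: bytes) -> bytearray:
    """Overwrite the LSB of successive pixel bytes with length || payload."""
    if len(payload) > capacity(pixels):
        raise ValueError("payload too large for cover")
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return out


def _read_bytes(pixels: bytes, byte_offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from LSBs, starting at hidden byte `byte_offset`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[(byte_offset + b) * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def hidden_length(pixels: bytes) -> int:
    """Decode the length prefix without trusting it yet."""
    return int.from_bytes(_read_bytes(pixels, 0, HEADER_BYTES), "big")


def is_stego_candidate(pixels: bytes) -> bool:
    """A sane length field is the minimum sign that this scheme was used."""
    return 0 < hidden_length(pixels) <= capacity(pixels)


def extract(pixels: bytes) -> bytes:
    """Recover the payload; refuse covers whose length field is impossible."""
    length = hidden_length(pixels)
    if length > capacity(pixels):
        raise ValueError("length field exceeds cover capacity: not a stego image?")
    return _read_bytes(pixels, HEADER_BYTES, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """How much any single pixel byte changed; LSB embedding changes it by <= 1."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    url = b"http://example.invalid/cfg.bin"
    stego = embed(COVER, url)
    print("capacity:", capacity(COVER), "bytes")
    print("recovered:", extract(stego))
    print("max per-byte change:", max_pixel_delta(COVER, stego))
```

The point a defender should take from this is that a one-bit change per byte leaves the image visually identical, so detection cannot rely on looking at the file; it needs either statistical tests on the LSB plane or, more practically, the behavioral signal that a sample downloads an image and then reads its pixel data rather than displaying it. The length-prefix sanity check above only rejects covers that clearly do not use this exact scheme; it is not a general stego detector.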
