Obfuscated Files or Information: Steganography
Other sub-techniques of Obfuscated Files or Information (5)
ID | Name |
---|---|
T1027.001 | Binary Padding |
T1027.002 | Software Packing |
T1027.003 | Steganography |
T1027.004 | Compile After Delivery |
T1027.005 | Indicator Removal from Tools |
Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.[1]
By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.[2]
Procedure Examples
Name | Description |
---|---|
ABK | ABK can extract a malicious Portable Executable (PE) from a photo.[3] |
APT37 | APT37 uses steganography to send images to users that are embedded with shellcode.[4][5] |
Avenger | Avenger can extract backdoor malware from downloaded images.[3] |
BBK | BBK can extract a malicious Portable Executable (PE) from a photo.[3] |
BRONZE BUTLER | BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.[3] |
build_downer | build_downer can extract malware from a downloaded JPEG.[3] |
IcedID | IcedID has embedded binaries within RC4 encrypted .png files.[6] |
MuddyWater | MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.[7] |
Okrum | Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file.[8] |
PolyglotDuke | PolyglotDuke can use steganography to hide C2 information in images.[9] |
PowerDuke | PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).[10] |
Raindrop | Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.[11] |
RDAT | RDAT can also embed data within a BMP image prior to exfiltration.[12] |
RegDuke | RegDuke can hide data in images, including use of the Least Significant Bit (LSB).[9] |
Tropic Trooper | Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.[13] |
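The RegDuke entry above mentions Least Significant Bit (LSB) hiding, where payload bits replace the lowest bit of each pixel sample. Replacing LSBs with (near-)random bits, which is what an encrypted payload looks like, tends to equalize the counts of each "pair of values" (2k, 2k+1) in the sample histogram, and the classic pairs-of-values chi-square test (Westfeld and Pfitzmann) checks for exactly that. The script below is an added example for this page, not code from ATT&CK or from any of the reports cited here, and it says nothing about how RegDuke itself embeds data. The cover "image" is constructed synthetically (coarsely quantized values, as in a posterized or heavily compressed picture) so that its value pairs start out unequal; the `simulate_lsb_replacement` helper only exists to produce a sample for the detector to flag.

```python
"""Pairs-of-values chi-square test for LSB replacement (added example).

A sample with value 2k can only become 2k or 2k+1 when its LSB is
overwritten, and vice versa, so after embedding random-looking bits both
members of each pair approach their common mean. A chi-square statistic
over those pairs that is close to its degrees of freedom is therefore
evidence of LSB replacement; a large statistic means the pairs are still
unequal, as in an untouched quantized image.
"""
import random
from typing import List, Tuple


def pairs_of_values_chi2(samples: List[int]) -> Tuple[float, int]:
    """Return (chi-square statistic, degrees of freedom) over pairs (2k, 2k+1)."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2 = 0.0
    pairs_used = 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:
            continue  # pair absent from the image: carries no information
        expected = total / 2.0
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        pairs_used += 1
    return chi2, max(pairs_used - 1, 0)


def lsb_replacement_suspected(samples: List[int], tolerance: float = 2.0) -> bool:
    """Crude decision rule: statistic within `tolerance` x dof means pairs are
    equalized, which is consistent with LSB replacement. Threshold is an assumption
    for this example, not a calibrated value."""
    chi2, dof = pairs_of_values_chi2(samples)
    return dof > 0 and chi2 <= tolerance * dof


def make_synthetic_cover(width: int = 256, height: int = 256) -> List[int]:
    """Constructed 8-bit grayscale cover: a diagonal gradient quantized to
    multiples of 4, so only even values occur and every pair is maximally unequal."""
    return [((x + y) % 256) // 4 * 4 for y in range(height) for x in range(width)]


def simulate_lsb_replacement(samples: List[int], seed: int = 1234) -> List[int]:
    """Overwrite every LSB with a pseudorandom bit (seeded for reproducibility),
    which is how an encrypted payload embedded by LSB replacement would look."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]


if __name__ == "__main__":
    cover = make_synthetic_cover()
    stego = simulate_lsb_replacement(cover)
    for label, img in (("cover", cover), ("lsb-replaced", stego)):
        chi2, dof = pairs_of_values_chi2(img)
        print(f"{label:13s} chi2={chi2:10.1f} dof={dof:3d} "
              f"suspected={lsb_replacement_suspected(img)}")
```

On the constructed cover the statistic equals the number of samples (every pair has one empty member), while after LSB replacement it drops to roughly the degrees of freedom. Real photographs with sensor noise can have nearly equalized pairs without any embedding, so in practice this test is applied over sequential windows of the image and combined with other steganalysis features rather than used as a single yes/no answer.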
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.
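One artifact that is detectable with a known signature is data appended after an image's terminator: viewers stop at the PNG IEND chunk or the JPEG EOI marker and silently ignore whatever follows, so a file that "contains" an executable in this way still renders normally. The script below is an added example for this page, not code from ATT&CK or from any cited vendor report, and it does not claim that any specific family in the table above uses this particular method. It walks the PNG chunk list to IEND (or the JPEG marker segments to SOS and then the EOI), reports any trailing bytes, and labels them when they begin with a known file signature such as `MZ`. The sample images and the fake `MZ` stub are constructed inline.

```python
"""Flag data appended after a PNG or JPEG terminator (added example)."""
import struct
import zlib
from typing import Optional, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Signatures worth naming when they start the trailing data.
KNOWN_SIGNATURES = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"#!": "script with shebang",
}


def png_payload_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk, or None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length+type header, data, CRC
        if chunk_end > len(data):
            return None  # truncated chunk
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_payload_end(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker, or None if the data is not a JPEG.

    Marker segments are walked by their length fields up to SOS, because an
    APP segment (e.g. an Exif thumbnail) may legitimately contain FFD9. After
    SOS, byte stuffing guarantees that the next FFD9 is the real EOI."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI with no scan data
            return pos + 2
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: entropy-coded data follows the SOS header
            eoi = data.find(JPEG_EOI, pos + 2 + seg_len)
            return None if eoi < 0 else eoi + 2
        pos += 2 + seg_len
    return None


def find_trailing_data(data: bytes) -> Tuple[Optional[str], bytes, Optional[str]]:
    """Return (format, trailing bytes, signature name or None)."""
    for fmt, finder in (("png", png_payload_end), ("jpeg", jpeg_payload_end)):
        end = finder(data)
        if end is not None:
            trailer = data[end:]
            sig = next((name for magic, name in KNOWN_SIGNATURES.items()
                        if trailer.startswith(magic)), None)
            return fmt, trailer, sig
    return None, b"", None


# --- constructed samples (not real malware artifacts) ---------------------

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte + one pixel
    return (PNG_MAGIC + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_sample_jpeg() -> bytes:
    """Minimal JPEG marker skeleton: SOI, APP0, SOS header, stuffed scan bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"  # FF00 is a stuffed byte, not a marker
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


FAKE_PE_STUB = b"MZ\x90\x00" + b"\x00" * 28  # constructed: only the DOS magic is real


if __name__ == "__main__":
    for name, blob in (("clean.png", make_sample_png()),
                       ("stuffed.png", make_sample_png() + FAKE_PE_STUB),
                       ("stuffed.jpg", make_sample_jpeg() + b"hello")):
        fmt, trailer, sig = find_trailing_data(blob)
        print(f"{name:12s} {fmt} trailing={len(trailer)} bytes signature={sig}")
```

Trailing data alone is not proof of anything (some tools append metadata), but trailing data that starts with an executable or archive signature, or that decodes to one after a simple XOR or RC4 pass, is the kind of artifact the paragraph above has in mind and is cheap to check in a mail gateway or on file writes to user-writable directories.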
References
- Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.
- Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
- Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
- Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.