The Steg Chronicles — In the Beginning
*Note: This article was originally published by the author on November 10, 2019.
This introductory article of The Steg Chronicles is a brand new initiative of mine that I hope to be able to publish on a quarterly basis depending on the amount and frequency of digital steganography news that is published. In recent years, I’ve written extensively about digital steganography (you’ll see me refer to it as “Steg” for short), so I won’t beat around the bush covering what steg is or the history except to say that it has been around longer than any of us have in one form or another. This series is for the advanced knowledge reader and will cover current discoveries of digital steganography being used in the wild. If you need to learn more about the basics of steganography, I suggest you check out some of my other writings on steg which I pasted below.
**Full disclosure upfront:** I will never divulge specific techniques for combining steganography and malware because it violates my code of ethics to do so. I’m a white hat ethical hacker and that would be contrary to my beliefs. So, if that’s what you’re after, get to stepping! Chances are I’ll be reading about you soon anyway after you’re caught and sentenced to prison.
Digital Steganography as an Advanced Malware Detection Evasion Technique
A Masters Thesis | © Copyright 2018 | All rights reserved.
The Threat of Digital Steganography-cloaked Malware to U.S. Critical Infrastructure Systems
*Note: This article was originally published by the author on August 31, 2018.
Using Digital Steganography to Protect National Security Information
*Note: This article was originally published by the author on November 26, 2018.
Steganography Challenge_03.2019: A Lesson on the Dangers of Steg Malware
*Note: This article was originally published by the author on March 23, 2019.
ScarCruft APT Malware Uses Image Steganography
*Note: This article was originally published by the author on May 16, 2019.
In the beginning, people desperately needed to develop secretive ways of communicating with each other for all types of reasons. People devised methods for hiding messages in plain sight, which is actually a lot easier than one might imagine. This was long before modern digital encryption and end-to-end (E2E) encrypted messaging apps such as WhatsApp, Facebook Messenger, Telegram, or anything modern. Crude methods of steganography involved tattooing, or writing with long-lasting ink (e.g., henna), on areas of the body where hair could be grown to cover the message; the hair was shaved off later to reveal the hidden message to the intended recipient.
Fast-forward to the 20th century, when man created computers that run on a binary language consisting of 1’s and 0’s. Steganography has become much more complex, as is evidenced by the diagram below. In my writings, I primarily focus on the Technical Steganography methods, but that doesn’t mean other methods aren’t also being used in the wild. The Internet is vast; it’s impossible to track every single action that occurs between billions of users and an even greater number of devices that connect to the Web. With computer systems, there is an infinite number of possibilities to hide information in plain sight because humans don’t inherently understand binary code, and digital memory storage yields nothing readable to a human eye looking directly at a storage device such as a Hard Drive (HD) platter, Solid State Drive (SSD), floppy disk, or CD/DVD disc in the way that looking inside a suitcase would reveal its contents. The suitcase, of course, acts as the cover medium hiding something secret inside, in the same manner that digital files can be embedded within another file.
When we think of computer graphics and digital pictures or videos, we as humans don’t think of them in terms of the Red-Green-Blue (RGB) binary code that denotes the color composition of a digital photo, or in terms of bits (1’s and 0’s), bytes, kilobytes, megabytes, and so on. The human brain is so incredibly advanced that when the eyes look at something or the ears hear something, it can register sights, sounds, even tastes and smells in microseconds while simultaneously processing them in real time to make split-second decisions. This central nervous system wiring is crucial to human survival, and the sympathetic nervous system helps us make split-second “fight-or-flight” decisions in life-or-death situations. Yet when a human looks at an image file, it is impossible for them to notice the microscopic pixel variations that result from a technique like Least Significant Bit (LSB) image steganography, in which the last (least significant) bit of each 8-bit color byte is replaced with a bit of the hidden file(s), because physiologically the human eye is not capable of detecting such minuscule image distortion (see image below).
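To make the LSB point concrete, here is an added example (my own illustration, not code from the original article) that embeds a short payload in the low bit of a constructed RGB byte buffer and then measures how far any color byte moved: the answer is never more than 1 out of 255, which is exactly why the eye cannot see it. The cover buffer, payload and length-prefix framing are all assumptions for the demo.

```python
# Added example: minimal LSB steganography on a constructed RGB byte buffer.
# Each cover byte is one 8-bit colour channel value; only its lowest bit is touched.

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Replace the least significant bit of successive cover bytes with payload bits.
    A 4-byte big-endian length prefix is stored first so extraction knows where to stop."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload by reading the LSB of each byte in order (length prefix first)."""
    def read_bytes(start: int, count: int) -> bytes:
        val = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[start + b * 8 + i] & 1)
            val.append(byte)
        return bytes(val)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def max_channel_delta(cover: bytes, stego: bytes) -> int:
    """Largest change to any single colour byte caused by embedding (expected: at most 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed 64x64 RGB cover (12288 channel bytes) with a smooth gradient,
# standing in for a real picture; SECRET is a constructed sample payload.
COVER = bytes((x * 4 + y * 2 + c * 30) & 0xFF
              for y in range(64) for x in range(64) for c in range(3))
SECRET = b"sample hidden payload"

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print("recovered:", extract_lsb(stego))
    print("max per-channel change:", max_channel_delta(COVER, stego))
```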
Terrorist groups such as al-Qaeda and ISIS have been known to use steganography to communicate in secrecy. One such example that was discovered involved the arrest of a suspected al-Qaeda member in Germany. Authorities found that the suspect was carrying a memory card in his underwear containing future al-Qaeda operations files, lessons learned, and past operations reports that were embedded within a porn video stored in a password-protected folder (Gallagher, 2012). Terrorist groups have until recently made it a habit to stay off the wires and nets and preferred to use old-school human courier methods of communication to remain undetectable since modern technology like email and cell phones have resulted in senior terrorists being killed or captured.
However, there is now evidence to suggest that some terrorists are beginning to shift to more modern forms of encrypted communications such as Telegram, WhatsApp, the Dark Web, and digital steganography. Because terrorists have used it in the past, we must therefore assume that they are still using it. I get it, that’s a scary thought given how difficult steg is to detect and how much work it is to expect cybersecurity analysts to perform. What’s scarier is not scanning for steg and something extremely bad happening. For every case where steg is discovered, it remains unknown how many cases went undetected.
Enter the field of steganalysis, which is very similar to its cousin, cryptanalysis, or code-breaking. Steganography has at times been referred to as the dark cousin of cryptography. “Dark” not only because it is extremely difficult to detect what firewalls, IDS/IPS, and anti-virus software can’t see, but also because steg has been horribly abused by criminals for all types of illicit purposes such as concealing terrorist communications, concealing nasty malware, and hiding child pornography images and videos. Not all applications of steg are bad, though; there are positive applications of steg in watermarking media, printer microdots, and for those communicating in secret from repressive regime nations. However, most of the steg headlines you’ll read are about negative or somehow evil applications of the technology. I guess evil crime sells more headlines than boring “goody two-shoes” examples of it. There is an excellent write-up by Josh Lake on the differences between steganography and cryptography if you’re interested (pasted below).
Current Applications of Steganography
So, enough of how and why digital steganography works. Let’s turn our focus to what people are using it for today. Let’s perform a quick Google search with the following advanced search parameters: go to Tools>>Any time>>Custom range…>>set the search dates to the last 3 months, to get a read on what’s transpired in the news headlines with respect to steganography recently. Here we see that there is a recent article about the PLATINUM Advanced Persistent Threat (APT) group (pasted below). APT groups are named by the malware they are credited with having developed and deployed against strategic and often indiscriminate targets.
Platinum APT’s new Titanium backdoor mimics popular PC software to stay hidden | ZDNet
The Platinum advanced persistent threat (APT) cyberattack group has developed a new backdoor with interesting…
The PLATINUM APT group tends to target governments, military organizations, and political entities (Osborne, 2019). I’ve written about this group’s use of digital steganography previously, when the same journalist wrote a similar story about this group earlier this year. PLATINUM is quite the sophisticated APT; that is to say, I find their work to be impressive. They’ve used advanced intrusion techniques like fileless malware, hot patching, and, let’s not forget, our favorite method, steganography (Osborne, 2019). PLATINUM was more creative in incorporating steganography into their malware exploit kit than other groups I’ve researched have been. PLATINUM used a rarely seen technique known as Steganographic Nature of Whitespace (SNOW) to embed hidden PowerShell script text in the trailing whitespace at the end of plaintext lines, which covertly communicates with the APT group’s command and control (C2) servers (Osborne, 2019). Incredibly clever!
According to Kaspersky security researchers, PLATINUM has now added a new Trojan backdoor to its malware exploit kit dubbed Titanium that imitates common software found on computer systems and which is dropped in the final stages of system infection as a means to return to the crime scene and potentially do further reconnaissance, exfiltration, or destruction (Osborne, 2019).
“When pinging the C2 for commands, the malware will be answered with PNG files containing steganographically hidden data, containing directions for the malicious code” (Osborne, 2019, ZDNet).
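From the defender’s side, whitespace steganography is cheap to hunt for: genuine text rarely ends lines with long or mixed runs of tabs and spaces. The script below is an added example (mine, not from the article or the PLATINUM reporting) that scans text for trailing-whitespace runs and flags the suspicious ones; the space=0/tab=1 bit reading is an assumed mapping for triage only, not a claim about SNOW’s actual framing, and the sample text is constructed.

```python
import re

# Added example: triage text files for SNOW-style trailing-whitespace carriers.
TRAILING_WS = re.compile(r"[ \t]+$")

def find_trailing_whitespace(text: str):
    """Return (line_number, run) for every line that ends in spaces and/or tabs."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = TRAILING_WS.search(line)
        if m:
            hits.append((n, m.group()))
    return hits

def suspicious_lines(text: str, min_run: int = 3):
    """Flag lines whose trailing run mixes tabs and spaces or is unusually long.
    An editor's stray trailing space is usually one or two spaces, not a tab/space pattern."""
    return [(n, run) for n, run in find_trailing_whitespace(text)
            if ("\t" in run and " " in run) or len(run) >= min_run]

def run_to_bits(run: str) -> str:
    """Read a trailing run as bits (space=0, tab=1); an assumed mapping for triage, not SNOW's."""
    return "".join("1" if ch == "\t" else "0" for ch in run)

def capacity_bits(text: str) -> int:
    """Total whitespace characters available at line ends, i.e. the carrier's rough bit budget."""
    return sum(len(run) for _, run in find_trailing_whitespace(text))

# Constructed sample: an innocuous-looking memo where two lines carry mixed runs.
SAMPLE = (
    "Quarterly report for the northern region.\n"
    "Revenue was flat compared to last year. \n"      # one stray space: benign
    "Headcount grew by four.\t \t\t \t  \n"            # mixed tabs/spaces: suspicious
    "No further changes are planned.\n"
    "Attachments follow.\t\t \t \t \t\t\n"             # another mixed run
)

if __name__ == "__main__":
    for n, run in suspicious_lines(SAMPLE):
        print(f"line {n}: {len(run)} trailing chars, bits={run_to_bits(run)}")
    print("carrier budget:", capacity_bits(SAMPLE), "bits")
```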
Another current application of steganography involves hiding malicious PHP scripts within the EXIF headers of JPEG images and then uploading the images to websites, even some that are fully patched against all known vulnerabilities (Seals, 2019). For those unacquainted with EXIF data, it is basically the metadata associated with image files: the date/timestamp the photo was created, sometimes geographic location info, who created it, what device was used, and so forth. This, too, is a clever use of steganography because, as Seals states, many websites whitelist image files, which allows the malicious PHP scripts hidden inside the image files to bypass firewalls. It is also unlikely that any website AV software will detect the embedded malicious PHP scripts either (Seals, 2019).
Rare Steganography Hack Can Compromise Fully Patched Websites
Attackers are hiding PHP scripts in EXIF headers of JPEG images to hack websites, just by uploading an image. An…
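Because the PHP lives in metadata segments rather than in pixel data, an upload filter can look there directly. The following is an added example (my own, not code from the article or the Threatpost report): a minimal JPEG marker-segment walker that inspects APPn/COM segments, where EXIF is stored, for PHP-looking code. The two sample files are constructed byte strings, not real images, and the search pattern is an assumed starting point rather than a complete signature.

```python
import re
import struct

# Added example: scan JPEG metadata segments (APP0..APP15, COM) for embedded PHP code.
PHP_PATTERN = re.compile(rb"<\?php|<\?=|\beval\s*\(")

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each marker segment before the entropy-coded scan data.
    A segment is FF xx followed by a 2-byte big-endian length that includes the length itself."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):       # EOI, or SOS: compressed image data follows
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_code_in_metadata(data: bytes):
    """Return (marker, matched_text) for metadata segments that carry PHP-looking code."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:   # APPn (EXIF is APP1) and COM
            m = PHP_PATTERN.search(payload)
            if m:
                hits.append((marker, m.group().decode("latin-1")))
    return hits

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment for the constructed samples below."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: a clean JPEG skeleton, and one whose APP1 (Exif) segment
# carries a PHP open tag in a comment field. Neither is a decodable picture.
CLEAN_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01")
              + _segment(0xE1, b"Exif\x00\x00MM\x00*UserComment: holiday photo")
              + b"\xff\xda\x00\x02" + b"\xff\xd9")
SUSPECT_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01")
                + _segment(0xE1, b"Exif\x00\x00MM\x00*UserComment: <?php /* placeholder */ ?>")
                + b"\xff\xda\x00\x02" + b"\xff\xd9")

if __name__ == "__main__":
    print("clean:", find_code_in_metadata(CLEAN_JPEG))
    print("suspect:", find_code_in_metadata(SUSPECT_JPEG))
```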
Sometimes I wonder which group is more creative, cybercriminals or cyber defenders. Then I am reminded that the answer has already been proven thousands of times over. It’s not always the case, but usually the cybercriminals are more creative because they simply have to be to continue to be successful at what they do. If your livelihood depended on not getting caught and on being creative with your malware code, you would adapt as well, however you had to. That in no way makes their crimes anything other than what they are, but it is easy to see why this keeps playing out the way it has. The cybercriminals, often groups of individuals working together for a common cause (i.e., financially or politically motivated), are very clever, and all it takes is for them to find one tiny chink in your system’s armor. Once they do and they get their hooks in, it’s downhill from that point.
“Steg” Right Up Into the Spotlight: Introducing <Graphstega>
I know what you’re thinking, “What the hell is Graphstega?” Right? Well, funny that you should ask because it is quite fascinating for the steg geeks out there.
Dr. Abdelrahman Desoky and his colleague Mohamed Younis explain Graphstega as “the art and science of avoiding the arousal of suspicion in covert communications by concealing a message in a graph-cover. Unlike other approaches, Graphstega does not embed a message as a noise in a cover. Instead the message is camouflaged as plotted data. Graphstega is keyless and the hidden message is anti-distortion. The popular usage of graphs in business, education, news, etc. and the availability of [a] tremendous amount of graphs in electronic and non-electronic format make the investigation and detection of a hidden message extremely difficult. In addition, Graphstega is resilient to contemporary attacks, such as traffic analysis, contrast, and comparison attack, even when launched by an adversary who is familiar with Graphstega” (Desoky & Younis, 2008, pp. 27–36).
The next time you see a graph in print somewhere or online, perhaps you will question whether it is really just an ordinary graph or if it contains a hidden message…
Dr. Abdelrahman Desoky is one of the authoritative researchers on steganography and has published numerous articles and books about the subject. If interested, I suggest you read his work. Another heavyweight author/expert in the field of steganography study is Wojciech Mazurczyk, who has written extensively on the topic; both have produced top-notch steganography research.
Steganalysis Software Applications
If you’re reading this article and wondering how you can detect steganography (which, as mentioned, is otherwise known as steganalysis), there are tools that can be used, such as Gargoyle, which “…will examine a suspect hard drive for remnants of files associated with any of the stego software distributions currently available.” Also, Stegdetect is a free program created by Niels Provos that can detect content hidden in JPEG files by several steganographic tools, such as jsteg, jphide (Unix & Windows), OutGuess v.01.3b, F5 (header analysis only), appendX and Camouflage. StegoHunt is another WetStone Tech product that can detect hidden content in a wide range of image files using steganographic detection algorithms.
That’s all for now, until the next edition.
Remember, things are not always as they seem.