The Steg Chronicles: Stegware — The Dangerous Combination of Malware & Steganography
*Note: This article was originally published by the author on September 24, 2020.*

That which you cannot see can hurt you. You’ve no doubt heard that expression before, but it’s true in more ways than you might realize. A lot of people believe there are invisible evil spirits in this world; logically, if you believe in good angels then you must also believe in evil demons. But the expression also rings true for malware that is designed to remain hidden. Invisible malware can definitely hurt you and your organization, especially if you’re stuck working from home during the COVID-19 pandemic. If you access your employer’s systems from a home PC that is infected with malware because you don’t apply software patches frequently, you may inadvertently infect your employer’s systems as well.
Dissecting Stegware [steganography + malware]
When most people think about malware they don’t associate it with all the different variations that someone with a background in information security might. The average person doesn’t care what type of malware or virus actually infected their computer or mobile device; they only become aware of it because it impeded their ability to use the device or because they were victimized by it somehow.
They might be surprised to learn that there are actually different components and stages to a malware infection, and they are interesting once dissected. The initial infection could come from a user simply clicking on a malicious link, which silently downloads the malware onto their computer through the browser in the background. Or perhaps the user received a phishing email with an attachment, such as a Microsoft Word .doc file, that contains malicious macro code that downloads a malware loader.
Loader: also called a dropper (Spring, 2019), its primary function is to download malicious executables, also known as ‘payloads,’ from an attacker-controlled Command and Control (C&C or C2) server. A loader is a Remote Access Trojan (RAT) backdoor that serves as a hook into a system; it is emplaced during the initial stages of the malware infection and later used as a staging point for the attacker to conduct further malicious actions. Loaders are generally very small in size (e.g., < 50 KB) to minimize the risk of detection. Malware is sometimes composed of several different sub-components that have different functional roles, names, and authors, such as Aurora, Kardon, or Smoke Loader (Mokhov & Mimoso, 2018).
Since loaders are the initial stage of infection, malware developers try to incorporate anti-detection techniques into their code, such as anti-sandboxing or making the malware fileless by running it only in Random-Access Memory (RAM), among other anti-virus evasion techniques. Once a system is infected it is, for all intents and purposes, referred to as a bot. The cybercriminals controlling all of the infected bots, collectively a botnet, are called botmasters. There is an entire underground criminal market for malware loaders on the Dark Web, with different access levels for paying clientele.
Once a loader is installed it is kind of like an evil portal through which all types of different malware payloads can be downloaded onto the infected bot (Mokhov & Mimoso, 2018). The Legion loader, for example, comes pre-loaded with crypto wallet theft and browser credential grabbing components, carried out with obfuscated PowerShell scripts, as well as Remote Desktop Protocol (RDP) backdoors for persistence (Vigliarolo, 2019). That is the loader’s initial hook sequence; Legion then contacts a C&C server to download more exploits that can be far worse.
Payload: the actual malicious exploit that inflicts damage. For instance, with stegware, the steganography component enables a covert channel that can be used to secretly communicate and transmit hidden data between the infected host and the malware C&C server.
As I detailed in a Master’s thesis I published, malware developers have all but made the incorporation of digital steganography into their malware code a default, for the purposes of evading anti-virus detection and of hiding data exfiltration via image steganography or other unique steg-based methods. Steganography combined with malware has come to be known as ‘stegware,’ and its increased prevalence is somewhat troublesome because steg is very difficult to detect in the first place, despite some anti-virus vendors claiming their products can do so.
Throughout the years, what has traditionally been witnessed post-discovery is that malware developers incorporated image-based or Least-Significant Bit (LSB) digital steganography into their malware, using pictures or thumbnails to conceal first the presence of the malware and then also what the malware is designed to do, such as extract certain types of information. Image-based steg is, if I had to rank it, among the easiest types of steg to incorporate into malware, which is why we in the information security community see it used so often. It was even used in the 2018 PyeongChang Olympic Winter Games cyber attack, when “…attackers used the open-source tool Invoke-PSImage…to embed the PowerShell script into (an) image file,” according to McAfee researchers (Spring, 2018). However, there have been other, shall we say, more creative applications of stegware that do something else entirely. It’s here where I think some of those techniques are worthy of more than a passing glance in a news article and warrant further study. These steganographic techniques are not easily achieved when incorporated into other code with completely different purposes.

One such malware specimen is SCARCRUFT, which was positively attributed to the North Korean Advanced Persistent Threat group APT37, otherwise known as TEMP.Reaper or Group 123. However, there is some uncertainty, as this could also be the North Korean Lazarus APT group (APT38), since there have been overlaps between these two threat groups (Kaspersky, 2019). ScarCruft is a cyber espionage-focused APT that goes after actionable intelligence that it can use for political and diplomatic purposes (e.g., think of Trump’s alleged pee tape, which could be used for blackmail). ScarCruft is unique in that it creatively incorporates a Bluetooth harvesting component specifically designed to capture device data using a Windows Bluetooth API, and it uses image-based steganography to obfuscate extracted network data.

SCARCRUFT’s go-to Remote Access Trojan (RAT) is a cloud-based RAT known as ROKRAT (Kaspersky, 2019). This APT group uses anti-virus removal techniques, various droppers, injectors, Windows User Account Control (UAC) bypasses, downloaders, installers, and stego images. By studying an APT group’s malware and its victim networks, security researchers can generally determine what the group is after and which geographic region or political objectives it supports. ScarCruft carries a malicious payload that is encrypted and embedded in an image file and has to be decrypted before use (Kaspersky, 2019). If you study the stego image names pictured below, each one of those images represents a considerable amount of work that this APT group went to in order to ensure its malware could infect systems. Several of the images are named “girl” or some derivation of it; if you were to open them, one can imagine what type of attractive images you might find.

Even today, as I researched and wrote this article, very few anti-virus products detect these stego image file URLs as malicious, as evidenced below. In fact, only 3 out of 77 anti-virus engines detect the SCARCRUFT stego image file URL listed in the VirusTotal snapshot below. That tells me this malware is still not widely known and protected against by anti-virus vendors, some of which claim to be able to detect and prevent steganography altogether. Well, let me tell you, it doesn’t take a genius to figure out that your AV software is not going to detect this particular stego image if it doesn’t even recognize the URL as malicious, despite the URL having been published in a Kaspersky report for nearly a year already.

How about another stego image? Ok, ok. “hooters” and “bottom” in the same filename? This one must be good, right? <http://www.rhooters[.]com/bbs/data/m_photo/bottom.jpg>

Oh, would you look at that? Only 2 AV engines even detected the URL as malicious. The link could be damaged or taken down, but that is doubtful, because why would 70 other engines (in this instance) determine it is a “Clean” link? Do you see how tricky this stuff can be? These guys don’t play around; they aren’t going to make your job easy. There’s a lot at stake for them to succeed in whatever objectives they are trying to achieve with this sophisticated stegware. SCARCRUFT is just one of many examples I could cite.
Steganography Application Showcase
It is safe to estimate that approximately 85% of all steganography applications are image-based (LSB) apps for hiding data inside various types of image files. Some run on Windows, but they are mostly Linux applications. If you’re a little rusty or new to Linux, no worries. You can find some steg apps specifically for Windows here:
Let’s take a look at the DeepSound steg app, which hides data inside audio .wav files and became popular with the USA Network TV show “Mr. Robot.” You know what, forget that. I feel like that’s been done too many times before. If you want to see how that works then go look at Null Byte’s article. Blah, blah! Moving on. Let’s look at something nobody else has ever showcased!


Let’s check out a steg app called JHide instead. As the download link will affirm, JHide is another Java-based steg app that allows embedding secret files into BMP, PNG, TIF, and TIFF image files.
Password = Password123456 (a terrible choice of password, I might add; I chose it for instructional purposes only).

The stego embedding process was very simple. Go ahead, if you want, and install the JHide steg app on your computer and run it. Download the file on the right, select “Unhide,” and you will be prompted for a password. Enter the password I mentioned above. You should then be able to access the hidden file. Send me a tweet at z3roTrust with what the secret message says. Medium may strip out the stego file, so this will be an experiment of sorts to see if it works. I ran a similar test for my Master’s thesis paper with Twitter, Facebook, and YouTube.



20th Century Steganography Throwback
Those who fail to study history are doomed to repeat it. In that vein, let’s take a brief look back at microdots, used by the Germans in WWI and WWII as a primitive form of non-digital steganography.
A real-world instance where microdots were used in an investigation occurred when Reality Leigh Winner faxed a classified NSA document about Russian intelligence meddling in the 2016 U.S. Presidential Election to The Intercept. There is speculation that it was microdots that led FBI investigators to track her down, but the Feds stopped short of outright admitting it, because they like to keep their sources and methods confidential for future investigations and so that our adversaries don’t discover the techniques and try to use them against us.

Additional Resources
References:
Kaspersky GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved from https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
Mokhov, N.; Mimoso, M. (2018, July 26). Malware Loaders Continue to Evolve, Proliferate. Retrieved from https://www.flashpoint-intel.com/blog/malware-loaders-continue-to-evolve-proliferate/
Spring, T. (2018, April 19). Use of ‘StegWare’ Increases in Stealth Malware Attacks. Retrieved from https://threatpost.com/use-of-stegware-increases-in-stealth-malware-attacks/131293/
Spring, T. (2019, July 23). Malware-Loader ‘Brushaloader’ Grows More Menacing. Retrieved from https://threatpost.com/malware-brushaloader-more-menacing/146631/
Vigliarolo, B. (2019, December 19). New malware dropper is a “hornet’s nest” of dangerous software. Retrieved from https://www.techrepublic.com/article/new-malware-dropper-is-a-hornets-nest-of-dangerous-software/