For many years now, stegware has existed as a rare form of threat for delivering malware. But with time, it seems to be gaining popularity, and researchers have pointed to an uptick in its malicious use.
What is stegware?
Short for steganography, stegware refers to the practice of hiding malicious code in seemingly innocuous files to get past security tools. Such files can be images or videos, most of which rarely go through the standard security analysis processes. They can even be audio files or text in a hexadecimal format.
Interestingly, it is by no means a new discipline as its early uses date back to 440BC. At that time, a Greek rule communicated a warning message to allies by shaving it onto the head of a slave.
While that might have been a noble use, criminals have taken over the art so to speak and are now using it to push their own agendas.
Rise to fame of the stegware
The OceanLotus group was earlier this year spotted making use of .png files to hide backdoor loaders Remy and Denes. Social media is also being used successfully as a control and command for such malware. In this case, images and tweets are used to send commands, which then activate the malicious code on a target device.
Another recent stegware attack involved the exfiltration of data. A Chinese American engineer reportedly stole business secrets from General Electric, his employer. He hid the said data in the form of binary code in the image of a sunset and sent it to his email account.
According to the Ponemon Institute, these file-less attacks constituted 35% of all cybersecurity attacks in 2018.
Fighting an invisible enemy
As mentioned above, standard security measures are unable to detect stegware, hence the rising popularity. In most cases, they can hardly read the data in video and image files and will, therefore not be able to detect mischief. At other times, attackers hide their intentions by using double extensions. For example, a file labeled accountlist.exe.png will likely bypass firewalls that only read the .png part and let an executable file pass unnoticed only to wreak havoc.
What’s the key to defeating this ‘invisible’ enemy or should we resign to fate and let anarchy and chaos take over, one stegware attack at a time? Let us consider a number of winning strategies:
● Installing multiple security layers
If your defense system is to have any chance of success, it must assume that the enemy will make it past the drawbridge and into the castle. With that mindset, you would, therefore, mount additional lines of defense within the castle to deal with this eventuality.
In a real-world application, this would entail not only having a firewall in place but also having an active patrol on duty at all times. Having privileged monitoring of accounts, devices and applications is a great way to detect unusual behavior within the castle walls.
● Encrypted traffic analysis
Another layer of defence involves implementing encrypted traffic analysis. What makes this invaluable is that at times criminals will make use of encryption channels to disguise themselves.
They seek to tunnel within the approved business traffic and make their way in without so much as a “hello.” Analyzing encrypted traffic thoroughly would eliminate this easy gateway and further secure the fortress.
● Keeping social media in its place, outside the corporate fortress
As noted, social media is another common platform that attackers use to perpetrate the fileless menace. Criminals have been known to use Twitter as a C2, sending instructions using malicious images.
They will compose a tweet, including the image and a specific hashtag and then send it. As they wait, malware on an infected device trolls Twitter for tweets with that hashtag. As soon as the tweet arrives, the malware extracts the image, decodes the steganography and executes according to plan.
Nothing will make this traffic appear suspicious. The best solution would be to keep social media and the corporate network separate. You could for instance employ browser sandboxing, allowing a user to access their social media account without having to expose the network to danger.
● Removing redundant data from business content
Though the sandboxing approach is failproof, it simply reduces the scope attackers have over your business network. But they still have lots of gateways in the form of tons of business content that you have to exchange with partners and affiliates.
Another effective approach would be to remove redundant information from any content passing through the network, either on its way in or out. For instance, you could remove any data that is unused or smooth out subtle colour disparities between pixels.
Not only will this block all data but it will also create new safe data that you can use in the delivery of business content.
● Ensuring endpoint protection
A crucial aspect of security is the use of endpoint detection and response solutions. These look for unexpected threats at the least likely places. We have learned that sooner or later the hidden threats in stegware will execute and reveal their true intentions.
Such security systems wait for that precise moment to make their move. While the antivirus is busy staving off attacks from the outside, they keep guard on the inside and throw any suspicious entities out.
With this comprehensive spectrum of detection and response, you stand a higher chance at cleaning out the system in and out.
Looking beyond the obvious
The best defence against stegware lies in assuming that the attackers have one way or another made it past your high walls and are now in the dark corridors. They know very well that most businesses rarely look within and they walk with a confident gait.
By assuming the worst, you might actually have a shot at silencing the invisible enemy and taking back control over your fortress. Don’t expend your energy trying to detect stegware threats. Instead, make a sure move by removing perceived and potential threats.
Remember, it is highly unlikely that you will see the threat coming because of its ultimate stealth. But you can still fight the shadows and emerge victoriously.
