Experts Warn Of Rise In ‘Steganography’ Attacks Using Code Hidden In Dodgy Images

Security researchers are warning of a possible rise in cyberattacks that use hidden code in images to steal sensitive data, including financial information.

Steganography techniques have been developed over the past few decades and are difficult to detect because the image isn’t changed visually and because virtually all other characteristics such as file size remain the same.

What’s more, such attacks are able to disguise evidence of malicious activity, such as uploads and downloads.

Steganography attacks

This has made steganography a popular tool for cyberespionage. However, Kaspersky Lab says cybercriminals are now adopting these methods for targeted assaults, particularly on financial institutions and their customers.

Researchers say they have noted three such campaigns in recent times and a number of updated Trojans including Zberp, Kins, Triton and ZeusVM.

“Although this is not the first time we have witnessed a malicious technique, originally used by sophisticated threat actors, find its way onto the mainstream malware landscape, the steganography case is especially important,” explained Alexey Shulmin, one of the researchers.

“So far, the security industry hasn’t found a way to reliably detect the data exfiltration conducted in this way. The images used by attackers as a transportation tool for stolen information are very large, and even though there are some algorithms which could automatically detect the technique, their mass-scale implementation would require tons of computing power and would be cost prohibitive.”

Experts have developed a number of detection methods, but these have proved difficult to automate. Manual methods include a visual attack, which makes a malicious image easy to spot with the naked eye, but other methods rely on statistical analysis and have their limitations.

The cost of these algorithms is also high, meaning many tools offer little if any protection. However, Kaspersky says some effective tools do exist and that it includes many in its Anti-Targeted Attack (KATA) product.

It says that if steganographic attacks do become more prevalent, then the weapons to combat them will become more complex and widespread.

“On the other hand, it is relatively easy to identify an image ‘loaded’ with stolen sensitive data with the help of manual analysis,” added Shulmin. “However, this method has limitations, as a security analyst would only be able to analyse a very limited number of images per day.

“Perhaps, the answer is a mixture of the two. At Kaspersky Lab, we use a combination of technologies for automated analysis and human intellect in order to identify and detect such attacks. However, there is room for improvement in this area, and the goal of our investigations is to draw industry attention to the problem and enforce the development of reliable yet affordable technologies, allowing the identification of steganography in malware attacks.”

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
