Steganography

Information

• Name: Steganography

• ID: T1001.002

• Tactics: TA0011

• Technique: T1001

Introduction

Steganography [T1001.002] is a sub-technique within MITRE ATT&CK's Data Obfuscation technique (T1001), which involves hiding data or malicious payloads within benign files or protocols to evade detection. Attackers leverage steganography to embed sensitive data or malicious code within images, audio files, video files, or network packets, making detection difficult through standard security monitoring tools. The primary goal of steganography is to conceal the existence of communication or data exfiltration rather than just encrypting or obfuscating the data itself.

Deep Dive Into Technique

Steganography involves embedding hidden information within seemingly innocuous files or data streams. Attackers commonly use the following methods and mechanisms:

• Image-based Steganography:

  • Least Significant Bit (LSB) manipulation: Embedding data by modifying the least significant bits of pixel values in images.

  • Metadata embedding: Inserting malicious payloads into metadata fields (EXIF data) of image files.

  • Palette manipulation: Altering color palettes in images to encode hidden information.

• Audio and Video Steganography:

  • Audio files (WAV, MP3): Embedding information in audio streams by modifying audio frequency, amplitude, or silence intervals.

  • Video files (MP4, AVI): Embedding data within video frames, metadata, or subtitle streams.

• Network Protocol Steganography:

  • DNS tunneling: Embedding data within DNS queries or responses.

  • HTTP headers: Concealing data within HTTP header fields or user-agent strings.

  • TCP/IP headers: Encoding data within unused or reserved fields of protocol headers.

Attackers may use specialized tools and frameworks to automate steganography, including:

• Open-source tools such as OpenStego, Steghide, and SilentEye.

• Custom scripts and libraries for embedding and extracting data.

• Commercial or proprietary malware that utilizes steganographic techniques to evade detection.

When this Technique is Usually Used

Attackers typically employ steganography across multiple stages of the cyber kill chain, including:

• Command and Control (C2):

  • Embedding C2 instructions within benign-looking images or files downloaded from public websites or social media platforms.

  • Using image-sharing or social-media platforms as covert communication channels.

• Data Exfiltration:

  • Concealing stolen sensitive data within images, audio, or video files before transferring them outside the network.

  • Uploading steganographically altered files to external services or cloud storage platforms to bypass Data Loss Prevention (DLP) systems.

• Persistence and Defense Evasion:

  • Embedding malicious payloads or configuration data within legitimate images or documents stored on compromised systems, making detection and remediation difficult.

  • Avoiding signature-based antivirus detection by embedding malware payloads inside legitimate files.

• Initial Access and Delivery:

  • Embedding malicious code within images or documents distributed through spear-phishing emails or malicious downloads, ensuring evasive initial infection.

How this Technique is Usually Detected

Detecting steganography is challenging due to its covert nature, but security teams can leverage multiple detection methods and tools:

• Network Traffic Analysis:

  • Monitoring for unusual or unexpected DNS queries and responses indicative of DNS tunneling.

  • Analyzing HTTP headers or other protocol fields for anomalies or unusual patterns that may indicate hidden data.

• File Integrity and Metadata Analysis:

  • Monitoring changes or anomalies in file metadata fields (e.g., images with unusual EXIF data or metadata fields).

  • Comparing hashes and file signatures against known-good baselines to identify altered images or media files.

• Behavioral Analysis and Anomaly Detection:

  • Using machine learning or statistical analysis to detect abnormal file usage patterns or unusual network behaviors.

  • Identifying anomalous file sizes or formats that do not match standard file-type characteristics.

• Specialized Steganalysis Tools:

  • Tools such as StegExpose, StegDetect, or OpenStego that analyze files for hidden content.

  • Advanced forensic analysis tools capable of detecting subtle manipulations in media files.

• Indicators of Compromise (IoCs):

  • Unusual outbound connections or data transfers to image-sharing platforms or social media sites.

  • Unexpected file modifications or additions of media files within system directories.

  • Detection of known steganography tools or scripts on compromised hosts.

Why it is Important to Detect This Technique

Early detection of steganography is crucial due to its potential impacts on systems and networks, including:

• Data Exfiltration Risks:

  • Sensitive data such as intellectual property, customer records, financial data, or personal identifiable information (PII) can be covertly exfiltrated, causing significant damage to organizational reputation and compliance violations.

• Command and Control Persistence:

  • Steganography enables attackers to maintain covert communication channels, facilitating persistent control over compromised systems while evading traditional detection mechanisms.

• Defense Evasion:

  • Traditional antivirus, intrusion detection systems (IDS), and Data Loss Prevention (DLP) solutions may fail to detect steganographic attacks, leaving organizations vulnerable to prolonged compromise.

• Difficulty in Incident Response:

  • Hidden data and malicious payloads embedded within legitimate files complicate forensic analysis, incident response efforts, and remediation activities.

• Potential for Advanced Persistent Threat (APT) Activity:

  • Steganography techniques are commonly employed by sophisticated threat actors and nation-state groups to conduct long-term espionage and targeted attacks, making timely detection essential for national security and organizational resilience.

Examples

Real-world examples of steganography usage in cyber attacks include:

• APT29 (Cozy Bear) and Hammertoss Malware:

  • The Russian state-sponsored group APT29 used Hammertoss malware, embedding commands within images hosted on social media platforms such as Twitter and GitHub, enabling covert C2 communication and evading detection.

• Operation Shady RAT:

  • Attackers used image steganography to conceal malware instructions and exfiltrate sensitive data from targeted organizations, evading traditional detection mechanisms.

• LokiBot Malware Campaign:

  • Attackers embedded malicious payloads within PNG image files, distributing them via phishing emails. Once opened, the malware extracted and executed hidden code, stealing sensitive credentials and data.

• Turla Group's PNG-based Steganography:

  • Turla, a sophisticated threat actor, embedded malicious payloads within PNG images hosted on compromised websites. Victims downloaded these images unknowingly, allowing attackers to establish covert C2 channels.

• ZeusVM Banking Trojan:

  • ZeusVM variant leveraged steganography by embedding configuration data within images, allowing attackers to evade detection and maintain persistent access to infected banking systems.

In each example, attackers leveraged steganography to bypass traditional security controls, evade detection, and conduct persistent attacks, emphasizing the importance of comprehensive detection efforts and proactive defensive strategies.