Stegomalware: Downloaded Images May Not be as Safe as They Look

As both awareness of, and protection against, malware increases, it is inevitable that the threat actors will conjure up new ways to achieve their goals and inject malicious programs.  

One such method being increasingly utilised is that of steganography to hide malware inside of typically safe file types. Coined ‘stegomalware’, this variant uses steganography in attempt to hinder detection. 

Steganography is the practice of concealing a message within another message or physical object and originates from the Greek word ‘steganographia’. Within a computing context, steganography is to conceal a file, message, image or video within another file, message, image, video or network traffic. 

A steganographic system is built within a file to hide malicious data and then extract and execute it dynamically. It is considered one of the most sophisticated and stealthy ways of obfuscation.  

Image file practicality  

An image file is the most common filetype injected with stegomalware. Other types of file can also be used but the make-up of an image file makes them a particularly effective medium for concealing secret data. An image file, such as .jpg, .png or .bmp is simply just a stream of bytes, and when done correctly, hidden data can be stored within such files quite easily with detection potentially very difficult.  

Given the nature of image file formats, not only text strings but also entire files can be hidden in them. Moreover, depending on the technique used, the overall file size of the original image can be prevented from being inflated which would be a red flag to the image being more than it appears on the surface.  

Malware can be executed via digital images by exploiting them to: conceal malware settings or a configuration file; provide malware with a URL from which additional components can be downloaded from or store the entire malicious code directly. 

How steganography hides information in an image 

There are different ways to hide data in an image file. 

One way is to simply add the malicious data to the end of the file. This would not stop the image from being displayed, nor would it change its visual appearance. 

An entire file could be attached to the original file in this way by using the RAR archive format. An image viewer would only read the code related to displaying the image and would ignore everything else. An archiving program, however, would reveal the secret file stored within. A malicious actor or program could easily extract this appended file. 

There are notable drawbacks to using this technique, however. The file size is likely to be inflated by attaching additional data and files to the end of the image file. As well as this, the file’s hash will be changed, and security software is likely to detect obscurities with the file. 

A more effective technique involves manipulating the code of the image at binary level and altering the least significant bits (LSB) of individual pixels. A colour image is made up of individual pixels that can be represented by 3 bytes, one each for red, green and blue (RGB). 

The least significant bits (the last 4) of the binary of each of red, green and blue do not make much impact on the colour’s visual appearance. Therefore, if the last 4 bits of the colours of pixels are altered to include malicious code and a program is constructed to read these last 4 bits separately, malware can very effectively be hidden.  

There would essentially be two pixels in one and so the file size would not increase, and there would be no discernible difference to the visual presentation of the image. The file’s format would not change and simple detection methods relying on file scanning would not detect any issue. There would be no way to detect any activity until the code is reassembled by the attacker. 

Examples of stegomalware  

This type of malware is often spread through phishing campaigns. Executable code can be downloaded from remote servers through files that may appear to be legitimate images. Some examples of stegomalware are: 

• Cerber – embeds malicious code in image files 
• SyncCrypt – ransomware hiding part of its core code in image files 
• Zbot – attaches data to the end of a JPEG file 
• AdGholas – hides malicious JavaScript within a file 
• ZeroT – Chinese malware hidden in an image of Britney Spears 

How to defend yourself 

A main reason why stegomalware is used is because it can be harder to detect. By hiding malicious code inside of other files, many standard antivirus detection suites are likely to remain unalerted. Nevertheless, there are other ways to remain vigilant against this threat: 

• Do not download files from illegitimate sources or from places you cannot be sure they are not unadulterated 
• Check your task manager for running tasks and programs which may look suspicious, especially when you can hear your device’s processor working hard for no apparent reason 
• Utilise behavioural A.I. software that can detect the execution of malicious code 
• Take a moment to consider whether the seemingly harmless file you have downloaded is actually so, and what is the purpose for it to have been downloaded to your system 

Conclusion 

Beforehand it was simpler to detect malicious software. The filetype would likely have been a clear executable like .exe and it may have been bundled together with other files you had downloaded. As protection and intelligence against this simple injection increased, threat actors had to evolve. 

By hiding malicious code or files within another file, an effective way to obfuscate the data was found. Cybersecurity solutions will be developing ways to counter such methods, but for now they are growing in frequency.  

Always remain vigilant and do not underestimate the seemingly harmless image file that may have been downloaded onto your computer.