Growing Cyberthreat: Steganographic Malware Hiding In Images

As defenses against standard cyberattacks evolve, so do the methods of attack carried out by malicious actors. Security researchers say a type of attack known as steganographic malware is on the rise.

Gary Davis, the chief consumer security evangelist at cybersecurity firm McAfee, warned of the relatively new style of attack, which involves embedding secret code into images that can be extracted for use in an attack.

Read: NSA Malware DoublePulsar: How To Test If Your Computer Has Been Infected

Steganographic malware requires an attacker to hide a secret algorithm within an image. An attacker then sends that image to a target’s system. Once the image is on the victim’s machine, a piece of malicious software is able to extract the information coded into the image to carry out the attack.

Steganographic attacks are most often carried out as a way to bypass security protocols as the information hidden in the image is undetectable to the human eye — it appears as any other image file — and is difficult for security tools to identify.

The style of attack is not necessarily new. Steganography cyberattacks were first spotted in 2011 as a means to spread the Duqu malware — an attack that was once referred to as “the most sophisticated malware ever seen.”

However, the style of attack has been far less common than other forms of malware. McAfee’s most recent threats report issued for June 2017 spotted a sudden spike in steganographic attacks, giving users a new reason to watch out for seemingly innocuous looking images that could secretly carry compromising code.

Read: Fireball Malware: Cyberattack Infects 250 Million Devices, 20 Percent Of Corporate Computer Networks

The particular attack being used to spread the code for the Stegoloader malware, which has the capability of stealing user information, including browser history, and executing additional malicious code to further compromise a machine, including ransomware that can encrypt a victim’s files and hold them hostage until a ransom is paid.

The malware code is hiding in an image that has been spread in torrent files for pirated software. When the user downloads the software and begins the installation process, the image opens and begins downloading the malware onto the machine.

Davis said users can avoid these types of attacks by not downloading software from potentially sketchy sources. Torrent sites are not known for stringent security, so downloading any software from those sources carries a risk.

In addition, it’s advised that users look into what files are associated with a download before opening. Even on torrent sites, it’s often possible to view what files are included in a download beforehand. If there is a .png image file that seems unrelated to the download, it’s best to steer clear.

Finally, while it may be difficult for some security solutions to catch the code in an image file, most are able to spot unapproved activity on a machine — especially as the malware attempts to download more malicious software. Having an antivirus tool installed and regularly scanning downloaded files before moving forward with the installation process is encouraged.