Kaspersky Lab researchers identified a new trend: malicious hackers increasingly using steganography, a digital version of an ancient technique of hiding messages inside images, to conceal the tracks of their activity.
In recent months, Kaspersky Lab researchers witnessed at least three cyberespionage operations utilizing this technique. More troublingly, the IT security company firms said, the active adoption of the technique by other cybercriminals.
Kaspersky Lab researchers discovered steganography used in updated version of Trojans including, Zerp, ZeusVM, KINS, Triton and others. Most of these malware families generally target financial organizations and financial services users. The latter could signal upcoming mass adoption by malware authors and, as an outcome, generally increased complexity of malware detection.
There are stories of steganography used during the Roman Empire whereby a messenger’s shaved scalp received a tattooed message. Once the hair grew back, they headed out. The receiver shaved the scalp to read the communication.
Today, in a typical targeted cyberattack, a threat actor, once inside the attacked network, establishes a foothold and then collects valuable information to subsequently transfer to the command and control server.
In most cases, according to Kaspersky Lab, proven security solutions or professional security analytics can identify the presence of the threat actor in the network at each stage of an attack, including the exfiltration stage. This is because the exfiltration part usually leaves tracks. for example, logged connections to an unknown or blacklisted IP address. however, Kaspersky Lab revealed when it comes to attacks using steganography, the detection of data exfiltration becomes a difficult task.
In this scenario, malicious users insert the information earmarked for theft right inside the code of a trivial visual image or video file sent to the C&C. It is therefore unlikely that such an event would trigger any security alarms or data-protection technology. This is because after modification by the attacker, the image itself would not change visually and its size and most other parameters would also remain unaltered, therefore not raising any concerns.
Kaspersky noted the scientific development and testing of a variety of steganographic methods and algorithms. This makes steganography a lucrative technique for malicious actors when it comes to choosing the way to exfiltrate data from an attacked network.
“Although this is not the first time we have witnessed a malicious technique, originally used by sophisticated threat actors, find its way onto the mainstream malware landscape, the steganography case is especially important,” Alexey Shulmin, security researcher at Kaspersky Lab said. “So far, the security industry hasn’t found a way to reliably detect the data exfiltration conducted in this way and the goal of our investigations is to draw industry attention to the problem and enforce the development of reliable yet affordable technologies, allowing the identification of steganography in malware attacks.”
Separately, Kaspersky Lab, an IT security company with 4,000 employees based in Moscow, with a U.S. base in Woburn, Mass., became an ongoing target of suspicion when the United States government blocked all its federal agencies from buying software developed by the Kaspersky Labs, claiming stealthy work with the Russian government.
Eugene Kaspersky, CEO of Kaspersky Lab, loudly defended his company in a blog. “With the U.S. and Russia at odds, somehow, my company, its innovative and proven products as well as our amazing employees are repeatedly defamed, given that I started the company in Russia 20 years ago. While this wasn’t really a problem before, I get it– it’s definitely not popular to be Russian right now in some countries.”
Kaspersky added, “Obviously, as a private company, Kaspersky Lab and I have no ties to any government, and we have never helped, nor will help, any government in the world with their cyberespionage efforts (cyberespionage is what we’re fighting!). While I find these ongoing accusations and false allegations extremely frustrating, I’ve noticed that all the attacks possess a few things in common, including: a complete lack of evidence; conspiracy theories and pure speculation; assumptions reported as irrefutable facts; anonymous sources; manipulation of widely-known facts.”
