Keypoints
- Steganography conceals data inside digital media to bypass signature-based defenses.
- Common carriers include images (.png, .jpg), audio, video, and text files.
- Adversaries use steganography to deliver commands, stage payloads, and exfiltrate data covertly, with the carrier still opening as a normal file.
- Detection requires file analysis, metadata inspection, and behavioral monitoring of processes handling media.
- Tools and heuristics can flag anomalies like unusual entropy, modified headers, or decoding activity.
Description:
- Like writing a secret message in invisible ink on a postcard, steganography hides malicious content inside everyday files so it looks harmless to casual inspection.
- Adversaries embed data or code within media files (images, audio, video, or text) to smuggle commands, encrypted data, or payloads to or from victims. Because the carrier still renders as an ordinary image or document, this enables covert communication and exfiltration while reducing the chance of detection by scanners that focus on known malware signatures.
Detection:
- Monitor file metadata and hashes for unexpected changes; alert on sudden modifications to images, audio, or video files by user or system processes. Use file integrity monitoring (FIM) tools to track differences.
- Inspect file entropy and statistical anomalies, but measure against a baseline for the format: JPEG scan data and PNG IDAT chunks are already compressed and sit near maximum entropy, so whole-file entropy says little on its own. Look instead for high-entropy data appended after the end-of-image marker, oversized or non-standard metadata chunks, and least-significant-bit distributions that differ from untouched images from the same source. The usual tools cover different pieces: binwalk carves appended or embedded files, zsteg examines LSB and bit-plane data in PNG and BMP, steghide can attempt extraction from JPEG, BMP, WAV and AU carriers, and ent reports entropy and chi-square statistics for an arbitrary blob.
- Scan for known steganography tool signatures and decode artifacts; maintain YARA rules and indicators for common stego tools and leftover strings in decoded buffers.
- Log and analyze process behavior that opens, writes, or decodes media files; correlate with network activity to identify suspicious uploads or outbound connections following media handling.
- Monitor outbound traffic for large or frequent transfers of media files to uncommon destinations; use proxy logs, DNS logs, and egress filtering to spot exfiltration patterns.
- Watch for scripts or interpreters (PowerShell, Python, cmd) invoked with unusually large literals or embedded binary blobs; instrument command-line auditing and script block logging to capture hidden payload usage.
- Combine static and dynamic analysis in sandbox environments for suspicious media; extract and attempt decoding with multiple stego techniques to reduce false negatives. Tune alerts to reduce false positives from benign media editing workflows.
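The trailer and metadata-chunk checks described above, as an added example that is not part of the original page and not the output of any of the tools it names. It is a standard-library Python triage script for PNG and JPEG carriers: it walks the container's own structure to find where the image really ends (rather than string-searching for an end marker, which also appears inside embedded thumbnails and payloads), reports any bytes appended after that point with their Shannon entropy, verifies PNG chunk CRCs, and flags PNG ancillary chunks that are non-standard or unusually large. The chunk-type list, the 1024-byte text-chunk threshold, and the sample carriers built by `make_png` and `make_jpeg` are assumptions constructed for the example, not real samples.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Standard PNG ancillary chunk types (lower-case first letter). Any other ancillary
# chunk is a place where data can be parked without breaking the image.
KNOWN_ANCILLARY = {"tEXt", "zTXt", "iTXt", "tIME", "pHYs", "gAMA", "cHRM", "sRGB",
                   "iCCP", "bKGD", "sBIT", "tRNS", "hIST", "sPLT"}
TEXT_CHUNK_LIMIT = 1024  # assumed threshold for text chunks; tune per environment


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0); encrypted or compressed blobs sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_png(data: bytes):
    """Walk PNG chunks up to IEND; return ([(type, body, crc_ok)], offset_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        chunks.append((ctype.decode("latin-1"), body, crc == zlib.crc32(ctype + body) & 0xFFFFFFFF))
        pos = end
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")


def jpeg_end(data: bytes) -> int:
    """Offset just past EOI, found by walking marker segments and the scan data."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                                    # EOI
            return pos + 2
        if marker == 0xFF:                                    # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # stand-alone markers
            pos += 2
            continue
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
        if marker == 0xDA:                                    # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                     # a real marker, not stuffing or RSTn
                pos += 1
    raise ValueError("no EOI marker")


def scan(data: bytes) -> dict:
    report = {"format": None, "trailer_len": 0, "trailer_entropy": 0.0, "findings": []}
    if data.startswith(PNG_SIG):
        report["format"] = "png"
        chunks, end = parse_png(data)
        for name, body, crc_ok in chunks:
            if not crc_ok:
                report["findings"].append(f"bad CRC on {name} chunk")
            if name[0].islower() and name not in KNOWN_ANCILLARY:
                report["findings"].append(f"non-standard ancillary chunk {name} ({len(body)} bytes)")
            elif name in ("tEXt", "zTXt", "iTXt") and len(body) > TEXT_CHUNK_LIMIT:
                report["findings"].append(f"oversized {name} chunk ({len(body)} bytes)")
    elif data.startswith(b"\xff\xd8"):
        report["format"] = "jpeg"
        end = jpeg_end(data)
    else:
        raise ValueError("unsupported carrier")
    trailer = data[end:]
    if trailer:
        report["trailer_len"] = len(trailer)
        report["trailer_entropy"] = shannon_entropy(trailer)
        report["findings"].append(f"{len(trailer)} bytes after end-of-image, entropy {report['trailer_entropy']:.2f}")
    return report


# Constructed sample carriers for the example (not real samples).
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png(extra=(), trailer=b"") -> bytes:
    """1x1 RGB PNG; `extra` chunks go between IHDR and IDAT, `trailer` after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, body in extra:
        out += _chunk(ctype, body)
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


def make_jpeg(trailer=b"") -> bytes:
    """Minimal JPEG skeleton: SOI, APP0, SOS with byte-stuffed scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x01"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9" + trailer


if __name__ == "__main__":
    for label, blob in {"clean png": make_png(),
                        "png + appended blob": make_png(trailer=bytes(range(256)) * 4),
                        "png + oversized tEXt": make_png(extra=[(b"tEXt", b"Comment\x00" + b"A" * 2000)]),
                        "jpeg + appended zip": make_jpeg(trailer=b"PK\x03\x04secret")}.items():
        print(f"{label}: {scan(blob)}")
```

The script deliberately reports findings rather than verdicts: an appended blob or an oversized text chunk is common in files touched by editing tools, so these signals belong in the correlation step (which process wrote the file, what it did on the network afterwards) rather than in a standalone block rule.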
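The command-line heuristic from the interpreter bullet above, as a second added example that is not from the original page: it scores process-creation command lines for the large literals a decoded stego payload tends to leave behind (a long run of base64 alphabet, an inline list of byte literals, or an abnormally long command line) and only raises when a script interpreter is involved. The thresholds, the interpreter list, and the sample command lines are assumptions constructed for the example; the base64 string stands in for an arbitrary blob and is not a real payload.

```python
import base64
import re

# Assumed thresholds; baseline them against your own interpreter command lines first.
MIN_B64_RUN = 200      # contiguous characters of the base64 alphabet
MIN_HEX_BYTES = 64     # 0x.. byte literals in one list
MAX_CMDLINE = 4096     # characters

B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_RUN)
HEX_LIST = re.compile(r"(?:0x[0-9A-Fa-f]{2}\s*,\s*){%d,}" % (MIN_HEX_BYTES - 1))
INTERPRETERS = re.compile(r"\b(?:powershell|pwsh|python\d*|cmd|wscript|cscript)(?:\.exe)?\b", re.I)


def assess(cmdline: str) -> dict:
    """Return the reasons a command line looks like it carries an embedded blob."""
    reasons = []
    m = B64_RUN.search(cmdline)
    if m:
        reasons.append(f"base64-like run of {len(m.group(0))} chars")
    m = HEX_LIST.search(cmdline)
    if m:
        reasons.append(f"inline byte list of at least {m.group(0).count('0x')} bytes")
    if len(cmdline) > MAX_CMDLINE:
        reasons.append(f"command line is {len(cmdline)} chars")
    interpreter = bool(INTERPRETERS.search(cmdline))
    return {"interpreter": interpreter, "reasons": reasons,
            "suspicious": interpreter and bool(reasons)}


def triage(cmdlines):
    """Filter a batch of command lines down to the ones worth an analyst's time."""
    return [c for c in cmdlines if assess(c)["suspicious"]]


# Constructed sample command lines (shapes only, not real events).
PAYLOAD_B64 = base64.b64encode(bytes(range(256)) * 3).decode()  # 1024 chars, no padding
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scripts\backup.ps1",
    'powershell.exe -nop -w hidden -c "$p=[Convert]::FromBase64String(\'' + PAYLOAD_B64
    + '\');IEX([Text.Encoding]::ASCII.GetString($p))"',
    'python.exe -c "d=bytes([' + ",".join("0x%02x" % b for b in range(128)) + '])"',
    r"notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(assess(line)["suspicious"], assess(line)["reasons"], line[:60])
```

Script block logging (PowerShell event 4104) catches the same literals after the one-liner has been expanded, so a production rule would run the same regexes over the ScriptBlockText field as well as the process command line.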
Tactics:
Defense Evasion
Platforms:
Linux, Windows, macOS
Data Sources:
File: File Metadata
Relationship Citations:
(Citation: Volexity PowerDuke November 2016), (Citation: ESET Okrum July 2019), (Citation: Talos Oblique RAT March 2021), (Citation: ClearSky MuddyWater Nov 2018), (Citation: CISA AA21-200A APT40 July 2021), (Citation: ESET Operation Spalax Jan 2021), (Citation: Zscaler Pikabot 2023), (Citation: Group IB Ransomware September 2020), (Citation: MalwareBytes Lazarus-Andariel Conceals Code April 2021), (Citation: Talos Group123), (Citation: Trend Micro Tick November 2019), (Citation: TrendMicro Tropic Trooper May 2020), (Citation: CheckPoint Bandook Nov 2020), (Citation: TrendMicro EarthLusca 2022), (Citation: Antiy CERT Ramsay April 2020), (Citation: Unit 42 TA551 Jan 2021), (Citation: Fortinet Diavol July 2021), (Citation: Securelist ScarCruft May 2019), (Citation: Symantec RAINDROP January 2021), (Citation: ESET Dukes October 2019), (Citation: GitHub Invoke-PSImage), (Citation: Unit42 RDAT July 2020), (Citation: Juniper IcedID June 2020), (Citation: Kaspersky Andariel Ransomware June 2021)