Steganography is the art of concealing a message or information within another seemingly innocent message. The word “steganography” comes from the Greek words “steganos,” meaning “covered,” and “graphein,” meaning “to write.” In other words, steganography is the art of hiding a message in plain sight.
In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size.
Whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent as well as concealing the contents of the message.
The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable they are, arouse interest and may in themselves be incriminating in countries in which encryption is illegal.
Steganography has been around for centuries, and it has always been a tool for covert communication. In recent years, however, the use of steganography has increased significantly, particularly among terrorist organizations. This increase in usage has led to a rising threat of steganography being used for secret communication and stegware cyber attacks.
The steganography process generally involves inserting a secret message inside a transmission medium, called the “carrier”, whose role is to conceal the secret message. The payload is the information to be concealed and sent secretly, i.e. the data covertly communicated.
What is stegware?
Stegware is a type of malware that uses steganography to hide its malicious code within innocent-looking images, videos, or audio files. Stegware is a relatively new type of cyber attack that has become increasingly popular among cybercriminals and terrorist organizations.
Stegware attacks are particularly dangerous because they can bypass traditional security measures that focus on detecting malware based on known signatures. Stegware can hide its code within an image or a video file, making it virtually undetectable to traditional anti-malware software.
For a deeper understanding of steganography and its applications, please visit: Cryptic Secrets: Unveiling Steganography and Stegware Cyber Attacks
Steganography is being used by terrorists and criminals.
According to nameless “U.S. officials and experts” and “U.S. and foreign officials,” terrorist groups are “hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other Web sites”.
One of the most noted cases was an al-Qaeda operative who was detained in Germany in 2011 and found to be carrying plans for an attack stegged into pornographic movies. You can read more about the incident at this CNN article. There was a more recent report of ISIS relying heavily on Steganography for Operational Security. You can read more HERE. There is also evidence that drug cartels might be using Steganography to communicate.
Terrorists in cyberspace can use various steganographic tools and encryption methods. Encryption is a way to protect content against unauthorized reading or modification of data. The level of protection is determined by the algorithm and key (“encryption algorithm”). There are two types of encryption systems (“cryptosystems”): symmetric and asymmetric. A symmetric system uses the same “secret key” for both encryption and decryption, while an asymmetric system uses a public key to encrypt messages and a separate, secret key to decrypt them.
The perpetrator can insert a hidden message into digitized visual or audio data without perceptibly altering the original multimedia content; the message can only be discovered if it is searched for in a specific way.
There is a perception that members of Al Qaeda communicate by sending encrypted messages in this way. Today, encryption is not as widespread as before, because intelligence services have developed strong systems for decoding it. Encrypted messages are still present on various internet forums, where terrorist organizations often leave messages for terrorist cells in the form of encrypted text, which the cells can then read in public. Identifying users who use this kind of encrypted communication for terrorist purposes on some internet forums is almost impossible.
The crucial argument here is that terrorists are unlikely to be employing digital steganography to facilitate secret intra-group communication, contrary to what has been claimed, mainly because the use of digital steganography by terrorists is both technically and operationally dubious.
Generally, though, many techniques are known for hiding messages in data steganographically. None are obvious to users of standard applications, but some can be detected by specialist tools. Others are resistant to detection – or rather, it is not possible to reliably distinguish data containing a hidden message from data containing only noise – even when the most sophisticated analysis is performed.
However, steganography can also be used for malicious purposes, such as hiding malware in legitimate files, or for spreading propaganda or misinformation. Therefore, it is essential to use steganography responsibly and ethically.
Stegomalware, also known as steganographic malware, is a type of malware that uses steganography to hide its malicious code within images, videos, or audio files. Stegomalware is designed to evade traditional detection mechanisms, such as anti-virus software and anti-malware systems, by embedding its code within an image or a video file.
Stegomalware has become an increasingly popular tool among cybercriminals because it allows them to bypass traditional security measures and remain undetected for long periods. Cybercriminals use stegomalware to deliver various types of malware, including ransomware, spyware, and Trojans.
Stegomalware is particularly dangerous because it can be challenging to detect. Traditional anti-malware software relies on signature-based detection, which looks for known malware signatures to identify and remove malware. However, stegomalware can evade this detection method by hiding its code within an image or a video file.
In recent months, the use of stegomalware has increased significantly, with more than 1,800 malware samples using image steganography identified as being actively used by cybercriminals over the last 90 days. Several prominent malware families, including Knotweed, Web Shells, Mimikatz, Rubeus, NanoCore RAT, Agent Tesla, and ZLoader, use steganography to deliver their payloads.
One of the most concerning trends in stegomalware is the use of .JPG+EXE malware. In this type of attack, a malicious .exe file is disguised within a legitimate .jpg image file. This technique allows cybercriminals to bypass email and web filtering systems, which typically block executable files from being downloaded.
Researchers have reported several successful attacks in recent weeks, which used .JPG+EXE to gain access to a network and deliver malware payloads. These attacks demonstrate the increasing sophistication of cybercriminals and the need for advanced detection techniques to detect and prevent stegomalware attacks.
In conclusion, stegomalware is a significant threat to cybersecurity, and its use is on the rise. Cybercriminals use stegomalware to bypass traditional security measures and remain undetected for long periods. To combat this threat, organizations must remain vigilant and use advanced detection techniques, such as statistical analysis and metadata analysis, to detect and prevent stegomalware attacks.
Why are terrorists using steganography?
Terrorists use steganography for the same reasons they use any other tool for covert communication: to avoid detection and interception. Steganography provides terrorists with a way to communicate secretly, without the risk of their messages being intercepted by law enforcement or intelligence agencies.
Steganography is particularly attractive to terrorists because it can be used to hide messages within innocent-looking images, videos, or audio files. These files can be easily shared on social media or other online platforms, without arousing suspicion.
Steganography as a Cybersecurity Risk Factor
Attackers use steganography to inject malicious code into systems (an approach also referred to as stegware) and to exfiltrate misappropriated content from compromised systems.
For steganography-based cyber-attacks, detection is not an adequate defence. The only way of defeating the threat is to transform data in a way that destroys any hidden messages, a process called Content Threat Removal.
For example, the Sundown exploit kit (EK) was reported by more organizations than any other exploit kit and rose to become the top trigger across sensors in early December. Because it uses steganography—namely, malicious code embedded in images—to steal information, it is a threat that needs to be watched in coming quarters.
As published in the Fortinet Q4 2017 Threat Landscape Report, steganography is a rising concern. Security researchers report a 600% upsurge in steganographically-based attacks in 2017.
While threat intelligence researchers continue to compile a growing list of indicators of compromise that can be used to detect malicious steganographic code, for the most part, steganographic attacks arrive as zero-day threats. This makes access to up-to-date threat intelligence an important element in any effective defense against steganographically-borne threats.
The sharp increase in steganographically-borne attacks, however, together with the rapid growth in the rich kinds of digital content that give steganographic code a place to hide, highlights the importance of watching for a resurgence of proven threat vectors and of ensuring that the right technologies and cyber awareness training are in place to thwart them.
How can steganography be detected?
In today’s world, steganography has been used by governments, criminal organizations, and individuals. Most modern anti-malware solutions provide little, if any, protection against steganography, while any carrier in which a payload can be secretly carried poses a potential threat: it may contain data being exfiltrated by spyware, communication between a malicious program and its C&C server, or new malware.
Detecting steganography can be challenging because steganography techniques are designed to be difficult to detect. However, there are several techniques that can be used to detect steganography, such as:
- Statistical Analysis: This technique involves analyzing the statistical properties of a file to identify any anomalies that may indicate the presence of steganography.
- Metadata Analysis: This technique involves analyzing the metadata of a file to look for any hidden information that may indicate the presence of steganography.
- Visual Inspection: This technique involves visually inspecting a file to look for any hidden messages or anomalies that may indicate the presence of steganography.
- Signature-Based Detection: This technique involves searching for known steganography signatures in a file to detect the presence of steganography.
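The .JPG+EXE pattern described earlier and the signature-based detection listed here can be checked with the following Python script, an added example that is not part of the original article: it walks the JPEG marker structure to find where the image really ends, then tests whether anything after the EOI marker carries a Windows PE header. It uses only the standard library; the sample bytes are constructed in the script, not taken from a real malware sample. It does not detect payloads hidden in the pixel data itself (LSB embedding), which is what the statistical analysis above is for.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
def jpeg_end_offset(data: bytes):
    """Walk the JPEG marker structure; return the offset just past EOI, or None if malformed."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                                   # EOI: the image proper ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers (no length)
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                                   # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                                    # real marker, not stuffing/RSTn
                pos += 1
    return None

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS 'MZ' header whose e_lfanew points at the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_jpeg(data: bytes) -> dict:
    """Report bytes trailing the image and whether that trailer is a Windows executable."""
    end = jpeg_end_offset(data)
    if end is None:
        return {"valid_jpeg": False, "trailing_bytes": 0, "pe_appended": False}
    trailer = data[end:]
    return {"valid_jpeg": True, "trailing_bytes": len(trailer), "pe_appended": looks_like_pe(trailer)}
# Constructed samples (not real malware): a minimal JPEG skeleton and an 84-byte fake PE header.
CLEAN_JPEG = (SOI + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + EOI)
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
SUSPECT_JPEG = CLEAN_JPEG + FAKE_PE
```

Run `scan_jpeg()` over files from a mail or proxy quarantine: a valid JPEG with `pe_appended` set is the .JPG+EXE case, while a large `trailing_bytes` value without a PE header still deserves a closer look.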
Steganography has become an increasingly popular tool for covert communication among terrorists and cybercriminals. Stegware attacks, in particular, have become a rising threat, as they can bypass traditional security measures and remain undetected for long periods.
It is essential to remain vigilant and use advanced detection techniques to detect and prevent steganography and stegware attacks. Law enforcement and intelligence agencies must stay one step ahead of terrorists and cybercriminals, by developing new and innovative ways of detecting and preventing steganography and stegware cyber attacks.