
Within the most innocent-looking images, breathtaking scenery, or funny memes, something dangerous could be hidden and waiting for the right moment.
There are no strange file names. There are no antivirus warnings. Just a harmless-looking image that secretly hides a payload able to steal data, run malware and take over the system without leaving a trace.
This is steganography, a secret weapon of cybercrime: hiding malicious code within harmless-looking files. By embedding data in images, the attacker avoids detection and relies on separate scripts or processes to extract and execute the hidden payload.
Let’s break down how this works, why it’s so dangerous, and most importantly, how to stop it before it’s too late.
What is steganography in cybersecurity?
Steganography is the practice of hiding data within another file or piece of media. Unlike encryption, which scrambles data so that it cannot be read, steganography hides the very existence of the data: malicious code is disguised inside harmless-looking images, videos, or audio files, making it almost invisible to traditional security tools.
In a cyberattack, the attacker embeds the payload in an image file, from which it is later extracted and executed on the victim’s system.
Why cybercriminals use steganography:
- Security tool evasion: code hidden in an image bypasses antivirus and firewalls.
- No suspicious files: the attacker does not need obvious executables.
- Low detection rate: traditional security scans rarely inspect images for malware.
- Stealthy payload delivery: the malware remains hidden until it is extracted and executed.
- Email filter bypass: malicious images do not trigger standard phishing detection.
- A versatile attack method: it can be used for phishing, malware delivery, and data exfiltration.
How XWorm uses steganography to avoid detection
Let’s take a look at malware campaigns analyzed in the any.run interactive sandbox, which show exactly how steganography is used in multi-stage malware infections.
View analysis sessions with XWorm
Steganography campaign starting with a phishing PDF
Step 1: The attack starts with a phishing PDF
In the any.run sandbox session, you will see that everything starts with a PDF attachment. This document contains malicious links that trick users into downloading .reg files (Windows Registry files).
At first glance, this may seem harmless. However, opening the file changes the system registry and plants a hidden script that runs automatically when the computer restarts.
.REG file used to modify the registry in the any.run sandbox
Step 2: The registry script adds a hidden startup process
When the .reg file is executed, the script is quietly written into the Windows Autorun registry key. This ensures that the malware starts the next time the system restarts.
At this stage, no actual malware has been downloaded yet; only a dormant script waits for activation. This is what makes the attack so insidious.
Change to the Autorun value in the registry, detected by any.run
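A defender reviewing a delivered .reg file wants to know, before it is ever imported, whether it writes to an autostart location and whether the value launches a script host. The following Python is an added example, not any.run’s tooling or the campaign’s file: it parses a constructed .reg text (string values only) and flags entries under the Run and RunOnce keys. The key list and the script-host list are assumptions chosen for illustration, not an exhaustive catalogue of Windows persistence locations.

```python
import re
from dataclasses import dataclass

# Constructed sample .reg file for illustration; it is not the file from the campaign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="powershell.exe -w hidden -File C:\\ProgramData\\loader.ps1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Once"="wscript.exe C:\\ProgramData\\stage.vbs"
'''

# Assumption: a representative subset of autostart keys, not an exhaustive list.
AUTORUN_KEY_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I),
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", re.I),
]
# Assumption: interpreters and LOLBins commonly used to stage a download.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta",
                "cmd.exe", "rundll32", "regsvr32")


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def parse_reg(text):
    """Yield (key, value_name, value_data) for REG_SZ values in .reg text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data


def scan_reg(text):
    """Return Findings for every string value written under an autostart key."""
    findings = []
    for key, name, data in parse_reg(text):
        if any(p.search(key) for p in AUTORUN_KEY_PATTERNS):
            reason = "writes to an autostart key"
            if any(h in data.lower() for h in SCRIPT_HOSTS):
                reason += "; value launches a script host or LOLBin"
            findings.append(Finding(key, name, data, reason))
    return findings


if __name__ == "__main__":
    for f in scan_reg(SAMPLE_REG):
        print(f"[{f.key}] {f.name} = {f.data!r}: {f.reason}")
```

Run it as a script to print the two flagged entries; a real triage script would also handle the `[-HKEY…]` deletion syntax and `hex(2):` values, which this parser deliberately skips.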
Step 3: Running PowerShell
After a system reboot, the registry entry triggers PowerShell, which downloads a VBS file from a remote server.
In the any.run sandbox, this process appears on the right side of the screen. Click PowerShell.exe to find the name of the downloaded file.
Download of the VBS file in a secure environment
At this stage there is still no obvious malware, just a script that fetches what looks like a harmless file. The real threat is hidden in the next step, where steganography is used to conceal the payload inside an image.
Step 4: Activating steganography
Instead of downloading an executable, the VBS script retrieves an image file. Hidden inside that image, however, is a malicious DLL payload.
Image with a malicious DLL payload detected by any.run
At offset 000D3D80 inside any.run, you can see where the malicious DLL is embedded in the image file.
Static analysis of malicious images
In static analysis, the image looks legitimate, but when you inspect the 160 tabs and scroll down, you will see the <> flag.
Immediately after this flag comes “TVQ”, the Base64-encoded MZ signature of an executable. This confirms that steganography is used to hide the XWorm payload in the image so that it bypasses security detection until it is extracted and executed.
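The two observations above, a text marker followed by a Base64 run that decodes to an MZ header and extra bytes sitting past the end of the real image, are exactly what a static check can automate. The Python below is an added example, not any.run’s code or the campaign’s image: it builds a constructed 1x1 PNG, appends a fake header-only PE (not a runnable binary) after a constructed `<>` marker, then scans any byte blob for Base64 runs that decode to an MZ/PE header and reports data trailing the PNG IEND chunk. The marker is never relied on; the scan keys on the Base64 prefix. Base64 of the canonical PE prefix `4D 5A 90 00` is `TVqQ`, the string the article refers to; the regex generalizes to `TV[opqr]`, which covers `MZ` followed by any third byte.

```python
import base64
import re
import struct
import zlib

# Base64 of a 3-byte group starting with 4D 5A ("MZ") always begins "TV" + one of o/p/q/r;
# the canonical prefix 4D 5A 90 00 encodes to "TVqQ". Require a plausible run length.
B64_MZ_RUN = re.compile(rb"TV[opqr][A-Za-z0-9+/]{21,}={0,2}")
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_image():
    """Constructed 1x1 PNG with a fake Base64-encoded PE header appended after '<>'."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    fake_pe = bytearray(0x80)                              # header only, not executable
    fake_pe[0:4] = b"MZ\x90\x00"
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)            # e_lfanew -> 0x40
    fake_pe[0x40:0x44] = b"PE\x00\x00"
    return png + b"<>" + base64.b64encode(bytes(fake_pe))


def trailing_data_offset(data):
    """Offset of the first byte after the PNG IEND chunk, or None if nothing follows."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack_from(">I", data, pos)[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length                                 # length + type + data + crc
        if ctype == b"IEND":
            return pos if pos < len(data) else None
    return None


def find_embedded_pe(data):
    """Find Base64 runs in any byte blob that decode to an MZ header; check for 'PE\\0\\0'."""
    hits = []
    for m in B64_MZ_RUN.finditer(data):
        blob = m.group(0)
        blob += b"=" * (-len(blob) % 4)                    # pad a truncated run
        try:
            decoded = base64.b64decode(blob)
        except ValueError:
            continue
        if decoded[:2] != b"MZ":
            continue
        has_pe = False
        if len(decoded) >= 0x40:
            e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
            has_pe = decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
        hits.append({"offset": m.start(), "decoded_size": len(decoded), "pe_signature": has_pe})
    return hits


if __name__ == "__main__":
    sample = build_sample_image()
    print("trailing data after IEND at offset:", trailing_data_offset(sample))
    for h in find_embedded_pe(sample):
        print(f"Base64 MZ run at {h['offset']:#010x}: {h['decoded_size']} bytes decoded, "
              f"PE signature present: {h['pe_signature']}")
```

`trailing_data_offset` is PNG-specific; for JPEG the equivalent check is data after the `FF D9` end-of-image marker. `find_embedded_pe` is format-agnostic and can be run over any file, which is useful because campaigns vary the marker text while the Base64-encoded MZ prefix stays recognisable.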
Step 5: XWorm is deployed on the system
The final step of the attack runs the extracted DLL and injects XWorm into the AddInProcess32 system process.
XWorm malware detected in the any.run sandbox
At this point, the attacker gains remote access to the infected machine and can run commands, steal sensitive data, deploy additional malware, and use the infected system as a starting point for further attacks.
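Injection into AddInProcess32 leaves a process-tree signal that does not depend on the image, the marker or the DLL bytes: a legitimate .NET add-in host is not normally a child of a script interpreter. The Python below is an added example, not any.run’s detection logic, that walks constructed sandbox-style process events (pid, parent pid, image path, command line) and alerts when an injection-target process is spawned by a script host. The set of script hosts and target processes is an assumption chosen for this illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed events loosely mirroring the chain described above; not sandbox output.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -File C:\\ProgramData\\loader.ps1"),
    Event(300, 200, r"C:\Windows\System32\wscript.exe", "wscript.exe C:\\ProgramData\\stage.vbs"),
    Event(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
          "AddInProcess32.exe"),
    Event(500, 100, r"C:\Program Files\App\app.exe", "app.exe"),
]

# Assumptions: interpreters that should not be parents of a .NET add-in host, and the
# hollowing/injection targets this heuristic watches for.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
INJECTION_TARGETS = {"addinprocess32.exe", "addinprocess.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from the given process up to the root, e.g. [child, parent, ...]."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(basename(e.image))
        pid = e.ppid
    return chain


def find_suspicious_hosts(events):
    """Alert on injection-target processes whose direct parent is a script host."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in INJECTION_TARGETS:
            continue
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in SCRIPT_HOSTS:
            alerts.append({
                "pid": e.pid,
                "image": basename(e.image),
                "parent": basename(parent.image),
                "chain": ancestry(events, e.pid),
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_hosts(SAMPLE_EVENTS):
        print(f"pid {a['pid']}: {a['image']} spawned by {a['parent']}; chain: {' <- '.join(a['chain'])}")
```

The ancestry chain is what makes the alert actionable: it ties the injected host back to PowerShell and the startup entry that launched it, which is the same path the sandbox process tree shows.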
Uncover hidden threats before they hit
Steganography-based attacks are an increasing challenge for businesses, as traditional security tools often overlook malware hidden in images and other media files. This allows cybercriminals to bypass detection without triggering alarms, steal data and infiltrate systems.
Tools like any.run’s interactive sandbox allow security teams to visually track every stage of an attack, discover hidden payloads, and analyze suspicious files in real time.
- Save time with fast threat analysis: get initial results in just 10 seconds and streamline your threat assessment process.
- Collaborate efficiently: instantly share results and work together in real-time sessions to accelerate team tasks.
- Simplify your research: use any.run’s intuitive interface and real-time flags to reduce workloads and increase productivity.
- Get actionable insights: leverage extracted IOCs and MITRE ATT&CK mapping for effective triage, response and threat hunting.
- Enhance response: improve handover from SOC Tier 1 to SOC Tier 2 with comprehensive reports for more effective escalation.
Proactively monitoring suspicious activity and testing potential threats in a controlled environment is key to strengthening your cybersecurity posture.
Try any.run’s advanced features to get deeper visibility into threats and make faster, data-driven decisions to protect your business.