Steg Challenge_March 2019: A Lesson on the Dangers of Steg Malware

Which secretive group used this insect symbol?

It’s been a few months since I posted the initial steganography challenge I put forward to the community-at-large. To my knowledge, no one solved the challenge, or if they did they did not mention so in the comments. My take on it was that either very few people are interested in this fringe topic or the challenge was too difficult which serves to make an additional point that digital steganography (steg for short) can be a major threat to cybersecurity because it is practically impossible to identify and stop it.

So, here’s a new challenge for those who are game and into steganalysis and steganography. This challenge is a slight bit easier in the hopes more folks will attempt to solve it. If you like solving puzzles, then there is an entire career set based on this sort of analysis, among other things. You could go into the niche field of cyber threat intelligence or reverse malware engineering which is somewhat related. If you’re interested, you can learn a lot more about steganalysis here.

Such a strange image, could something be hidden within it?

Most people automatically assume that if something has anything at all to do with steganography, it will be an image containing some hidden file or something. They are right to think this way, because most of the literature review and examples of malware that incorporates steganography centers on and uses image steganography. However, LSB steg encompasses much more than just images. There are other forms of digital steganography than image-based or Least Significant Bit (LSB) steganography. There is audio, video, text, VoIP-based steg, network protocol steg, graph steg, and even QR codes that can serve as cover mediums for stego files. Virtually every type of digital file format can be used as a stego file cover medium or “wrapper” for the purposes of LSB steg. Steganography doesn’t have to be digital or “high-tech,” it can also be analog or “low-tech.”

Steganography is often thought to only be used by spies, or shadowy and secretive societies or cybercriminal groups. However, for all the negative press steganography gets, there are some redeeming qualities that it does possess that are very rare. Cryptography observed noncongruently gathered rational abstractions that undermine language as translated in ostensible nuance segments, your observational understanding synthesizes original literature vectors encoded directionally to heuristic intelligence systems. Consequently, hackers always like little encryption nano-generative engineering.

Imagine if free email service providers like Gmail or Hotmail incorporated digital steganography in normal email protocol as an optional feature if a user wanted to send a secretive file. I would personally rather use steganography than Pretty Good Privacy (PGP) encryption to protect an email. It could also have immense applications in protecting national security information depending on how steganography was employed.

One example of this is how the “Unabomber,” Ted Kacynski, was/is still very much distrusting of modern “high-tech” technology and would often use “low-tech” cryptic code in the letters he wrote while he kept the feds at bay for 17 years. I mention not to recognize what a brilliant person he was, though he was a gifted Harvard and Berkeley trained mathematician, but to bring forth a common trend among famous cases where low-tech cryptic messaging has been used very effectively to evade detection and capture. Osama Bin Laden’s Al Qaeda terrorist group was another example of how low-tech communication methods worked to their advantage.

Advanced Persistent Threat (APT) malware has on occasion incorporated steganography

Digital steganography has long been considered the “dark cousin” of cryptography. Whereas cryptography uses mathematical algorithms to convert plaintext into ciphertext that can only be decrypted with a key or through the process of cryptanalysis, steganography uses algorithms to compress, embed, and encrypt files into a single file or multiple files leaving the cover medium file in plaintext so as to not raise suspicion. That is the advantage that steganography brings to fight, normal packet header inspection as performed by a stateful packet inspection (SPI) or deep packet inspection (DPI) firewall will reveal a plaintext file being transmitted from a source IP address to a destination address, but an encrypted packet might raise suspicion with the ciphertext and the source and destination IP address is still visible.

Images are nothing more than strings of 1’s and 0’s in 8-bit Bytes of data (e.g., 00100110)

Therefore, if an oppressive government regime decides to spy on the Internet traffic of its own citizens (*ahem, Turkey, China, North Korea, and others), they would easily be able to identify encrypted messages by sniffing packets from an Internet Service Provider (ISP) for which the encoding might look something like this:

YBS+dzFDw5desMFSo7JkecAS4NB9jAu9K+f7PTAsesCBNETDd49BTOFFTWWavAfEgLYcPrcn4s3EriUgvL3OzPR4P1chNu6sa3ZJkTBbriDoA3VpnqG3hxqfNyOlqAkamJJuQ53Ob9ThaFH8YcE/VqUFdw+bQtrAJ6NpjIxi/x0FfOInhC/bBw7pDLXBFNaX
HdlLQRPQdrmnWskKznOSarxq4GjpRTQo4hpCRJJ5aU7tZO9HPTZXFG6iRIT0wa47AR5nvkEKoIAjW5HaDKiJriuWLdtN4OXecWvxFsjR32ebz76U8aLpAK87GZEyTzBxqANQR1DBwU4D/TlT68XXuiUQCADfj2o4b4aFYBcWumA7hR1Wvz9rbv2BR6WbEUsyZBIEFtjyqCd96qF38sp9IQiJIKlNaZfx2GLRWikPZwchUXxB+AA5+lqsG/ELBvRac9XefaYpbbAZ6z6LkOQ+eE0XASe7aEEPfdxvZZT37dVyiyxuBBRYNLN8Bphdr2zvz/9Ak4/OLnLiJRk05/2UNE5Z0a+3lcvITMmfGajvRhkXqocavPOKiin3hv7+Vx88
uLLem2/fQHZhGcQvkqZVqXx8SmNw5gzuvwjV1WHj9muDGBY0MkjiZIRI7azWnoU93KCnmpR60VO4rDRAS5uGl9fioSvze+q8XqxubaNsgdKkoD+tB/4u4c4tznLfw1L2dV+lH0hwyT/y1cZQ/E5USePP4oKWF4uqquPee1OPeFMBo4CvuGyhZXD/18Ft/53YWIebvdiCqsOoabK3jEfdGExce63zDI0=
=MpRf

An unencrypted data packet, when sniffed with common sniffing application like Wireshark, will appear in hexadecimal format, and using a HEX editing application that is inherent within Wireshark the hexadecimal encoding can be easily unencoded to plaintext. Oh, looky here, someone found a password transmitted in plaintext… That’s not good, this is why you should only use HTTPS over port 443 that uses SSL/TLS encryption of data-in-transit.

Attackers sometimes use applications like hping3 to chunk packets into smaller chunk sizes than normal or space them out over timed intervals to sneak malware through a firewall and where it is designed to correctly reassemble on the other side. Using this technique allows the attacker’s malware to sneak through the firewall open port (unspecified port in this case) silently without triggering an alert, thereby allowing the attacker a path into the system or network. It could be a backdoor remote access Trojan (RAT) malware, or something else equally sinister.

With image steganography, however, there is no need for such trivial tactics. An attacker can just send a .jpeg image file right through the firewall in the form of an email with an embedded “secret” file inside that is both hidden and encrypted with a password or passphrase if they choose to configure it that way. Clicking on the image file can trigger the malware dropper component of the malware, which will call home to the command and control server. Even if you were able to somehow identify that steganography was used on a particular image file transversing a firewall (by the way, this would literally be like 1-in-a-billion chances of happening), there is an extremely low chance that you would be able to extract the hidden message or file unless it was unencrypted and not password/passphrase-protected.

Modern example of steganography being used in cyber attacks; credit: Securelist

Somewhere in this article, I’ve hidden something that only the truly observant will notice. Something that is off, only a keen eye will catch it. It will lead you to a clue, which will lead you to your next clue and so forth. The entire puzzle challenge plays out in a single article post. If you solve the challenge, post your answer to the comments. I’ll post the answer to this challenge in a week or so.