Steganography: A Picture Contains a Thousand Words

Some pictures paint a thousand words, others may contain hundreds of lines of code.

Threat Intel, Feb 22, 2019

Steganography is the practice of hiding data within data, so that not only is the meaning of the data hidden, but the fact that there is any data there at all is disguised. In theory, steganography can be used in video and audio, but it is probably most often seen in images.

It is reportedly possible to trace the use of steganography back to ancient times, when people would shave the heads of their servants and tattoo a message onto their scalp. They would then wait for the hair to grow back before sending the servant to the message’s recipient, who would then shave the servant’s head to read the message. Writing letters in invisible ink — a favorite trope in many ye olde detective stories — would also be considered an early form of steganography.

Modern uses

Steganography developed along with our means of communication, and video, audio, and image files have all now been used to carry secret messages. It has been alleged in the past that terrorist groups have used steganography to communicate, while the technique has also become increasingly popular with malware authors.

Recent examples

As far back as 2016, the Stegano campaign managed to get its ads displayed on several unnamed news sites, many of which had millions of views every day. The actors behind Stegano hid parts of their code in banner display ads that appeared on the websites, concealing the malicious code in the alpha channel, which defines the transparency of the pixels, making it difficult to detect.

The Visbot malware also used steganography to spread on Magento websites in 2016. This malware stole payment card information and hid it inside an image before sending it back to the criminals’ web servers. The malware waits for users to submit credit card data and intercepts it on the server side. It takes the data and encrypts it with a public encryption key that is hardcoded in the malware’s source code. The encrypted data is packed inside an image file that is left in one of the site’s public folders, with the malware author retrieving it at regular intervals. The malware author has a private encryption key to decrypt the data, so other crooks can’t download the image and extract the credit card details.

More recently, steganography techniques were used in attempted cyber attacks in advance of the Pyeongchang Olympics in 2018. Meanwhile, earlier this year, it was reported that a steganography-based ad payload was being used to drop the Shlayer malware onto the devices of Mac users. There is little doubt we will see more incidents of steganography being used in malware campaigns during 2019.

Something light to finish

A more fun way to use steganography was also demonstrated by a security researcher called David Buchanan, who uploaded the complete works of Shakespeare to Twitter, hidden in a JPEG image. Buchanan created a script that converted a multi-part RAR file into an ICC profile, and this was then embedded into a picture of Shakespeare. Buchanan then uploaded the image to Twitter, and users could download it, unzip the file, and extract the RAR files to get access to the complete works of the Bard.
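From a defender's point of view, data carried in an ICC profile as described above can be surfaced by reassembling the profile from a JPEG's APP2 segments and searching it for archive signatures. The Python below is an added example, not code from Buchanan or from the original post; the function names, the 1 MiB size threshold, and the sample bytes are assumptions constructed for illustration.

```python
import struct

ICC_TAG = b"ICC_PROFILE\x00"
# Archive signatures to look for inside the reassembled profile.
ARCHIVE_MAGICS = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z"}

def extract_icc(jpeg: bytes) -> bytes:
    """Reassemble the ICC profile carried in a JPEG's APP2 segments."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    chunks, pos = {}, 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):  # EOI or start of scan: headers are over
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        # APP2 ICC chunk = tag, sequence number, chunk count, then profile bytes
        if marker == 0xE2 and body.startswith(ICC_TAG) and len(body) >= 14:
            chunks[body[12]] = body[14:]
        pos += 2 + length
    return b"".join(chunks[seq] for seq in sorted(chunks))

def inspect_icc(jpeg: bytes, max_size: int = 1 << 20) -> dict:
    """Report the profile's size and any archive signatures inside it."""
    icc = extract_icc(jpeg)
    found = sorted(name for magic, name in ARCHIVE_MAGICS.items() if magic in icc)
    # max_size (1 MiB) is an assumed threshold, not a standard; tune it locally.
    return {"icc_size": len(icc), "archives": found,
            "suspicious": bool(found) or len(icc) > max_size}

def app2_segment(seq: int, total: int, data: bytes) -> bytes:
    """Build one APP2 ICC segment (used only for the constructed sample)."""
    body = ICC_TAG + bytes([seq, total]) + data
    return b"\xff\xe2" + struct.pack(">H", len(body) + 2) + body

def constructed_sample() -> bytes:
    """Constructed test input: RAR magic split across two ICC chunks."""
    return (b"\xff\xd8" + app2_segment(1, 2, b"\x00" * 128 + b"Rar")
            + app2_segment(2, 2, b"!\x1a\x07\x00constructed") + b"\xff\xd9")

if __name__ == "__main__":
    print(inspect_icc(constructed_sample()))
```

In the constructed sample the RAR signature straddles a chunk boundary, so a byte search over the raw file misses it while the search over the reassembled profile finds it.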

Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.