Malware Using Steganography to Hide Malicious Code

The biggest malware infections are probably the ones that have yet to be uncovered. Earlier this month, security researchers revealed a massive malvertising-based exploit kit whose earliest variants may have been operating since 2014 and whose infected banner ads might have already been displayed to millions. How could it have remained hidden in plain sight for so long? Apparently, it evaded detection through a combination of fingerprinting/probing and steganography.

The folks at ESET, who recently carried out extensive research on this cyber attack, are attributing the infections to what they now call the Stegano exploit kit. The name comes from the way the exploit kit conceals its malicious code on banner ads, i.e., through steganography.

Steganography is a known technique (not always for malicious purposes) for concealing content inside another piece of content. In most cases, that “other piece of content” is an image. And in this particular case, that image is the one on the banner ad. The content being concealed here is a malicious script and some accompanying variables.

Stegano EK is believed to have reached millions of users. The reason is because it managed to serve its malicious ads on advertising networks whose content is displayed on high traffic news websites. The volume of visitors on these sites number in the millions … per day.


An overview of how the Stegano exploit kit works.

1. Initial environment check.

When a user arrives at an infected news site’s web page, the web page loads along with the malicious banner ad. But before loading the ad, Stegano does an initial check. It does this through a modified version of countly. Countly is a tool normally used for web analytics, so it doesn’t raise any red flags.

The modified tool then reports back to the attacker’s server, providing it with information that enables the server to determine whether to display a clean ad or a malicious ad.


2. Malicious ad is served

The malicious ad is almost identical to the clean ad, except that it has a slightly modified alpha channel. The alpha channel is that part of an RGBA (red green blue alpha) image that dictates a pixel’s degree of transparency. Because the change in the malicious image’s alpha channel is so minimal, the difference between the malicious ad and the clean ad is virtually imperceptible to the naked eye.

However, because a banner’s image consists of a large number of pixels, that difference is enough to conceal information. In this case, malicious script. That script then checks the user’s system for a vulnerability in Internet Explorer (CVE-2016-0162) which allows the exploit kit to determine whether any tools and applications normally used by security professionals are present in the system. If any packet capturing, sandboxing, virtualization and similar applications are found, the exploit kit promptly backs off.


3. Exploit stage

In the event the exploit kit determines the coast is clear, it then redirects the victim’s browser to the exploit landing page. The landing page then loads a Flash file, which in turn exploits any of three Flash-related vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117).

If the exploit succeeds, Stegano then drops its payload(s), which may range from keyloggers, trojans, to ransomware. Before downloading the payload, Stegano performs yet another check to determine the presence of security tools. It’s this highly cautious approach (coupled with steganography) that has allowed Stegano to avoid detection for so long.


Other malware that has used steganography

While the use of steganography is certainly a unique way of hiding malicious information, Stegano EK isn’t the only malware that has employed this technique. Here are some examples of malware that have also done it in the past.



A variant of the notorious banking trojan Zeus/Zbot, ZeusVM is one of the more popular pieces of malware that has used steganography. Unlike Stegano though, ZeusVM didn’t hide malicious code in an image. Instead, it hid its configuration data in it. This data, which is equally vital to the malware’s functionality, included domains of banking and financial institutions which the malware targeted.

The configuration data was appended to the image and encrypted using Base64, RC4, and XOR to make it indecipherable to anyone who decided to inspect the image more closely. The ZeusVM toolkit, which included a builder that would enable the user to inject the malware’s config to any JPG file, was spread online, so several script kiddies were able to get their hands on it.



Also known as VAWTRAK, Gozi is a banking trojan that steals personal information and credentials (usually through screen captures and keyloggers) that are then used by the attackers to carry out fraudulent transactions. Gozi leveraged steganography to hide a configuration file that contained a list of domain names that in turn corresponded to its Command and Control servers.

The configuration data was hidden in what is known as a favicon. This is a tiny icon (.ico) associated with a website that’s displayed on a web browser. So, for example, you have favicon for Wikipedia and a different favicon for, say, Yahoo. Because it’s normal for websites to be accompanied by a favicon, security solutions failed to flag the favicon downloads as threats.

Gozi more closely resembled Stegano in the manner by which it hid malicious information. Unlike ZeusVM, which simply appended malicious information to the image, Gozi (like Stegano) made very small changes to the image’s pixels. But while Stegano altered the alpha channel, Gozi altered the least significant bits (LSB) of the R, G, B, and A parameters of each pixel.



Most malware that use steganography hide malicious information in visually appealing images like cats or sunsets. However, there is one that hid the information in what looked like plain white images but actually had very small alterations in its pixels.

The use of “white color” is actually very clever because the naked eye can’t differentiate between a pure white pixel (RGB = 255,255,255) and one that’s slightly grey (e.g. RGB = 254, 254, 254). Again, that difference, when spread across the pixels that comprise the entire image, is enough to contain malicious information.

This is the kind of image that Lurk used. Lurk is primarily a downloader. When it was discovered, Lurk’s usual payload was click-fraud malware. To retrieve the URL of the malware it was configured to download, Lurk first downloaded an image (the “white” image we discussed earlier), extracted the LSB from each pixel, performed some XOR operations to decode, and then used the retrieved URL to download the actual payload.

To illustrate how difficult it is to distinguish between pure white (RGB=255,255,255) and slightly greyish white with RGB = 254,254,254, try to compare the two images below. The top NEMESIS logo uses pure white, while the bottom logo uses slightly greyish white with RGB = 254,254,254.


Can you tell the difference?




This is one piece of malware that has a couple of similarities with Stegano. Stegoloader is primarily an information stealer but consists of several modules. Its downloader module is the one that employs steganography.

Its use of steganography isn’t the only characteristic that makes Stegoloader similar to Stegano. First, like Stegano, Stegoloader initially inspects the target system to make sure it’s not running in an analysis environment or that any security tools are present. If it determines that the environment is not safe enough, it automatically aborts the attack. Secondly, unlike Gozi and Lurk, which simply hid URLs, Stegoloader (like Stegano) also hid code.


How to protect your system from Stegano

There are a couple of ways to protect yourself from a Stegano EK attack. There’s absolutely no way you can identify a malicious banner ad by simply looking at it, so you can forget about countering the steganography part of the attack.

First, you can simply avoid using Internet Explorer. The first vulnerability Stegano exploits, which allows it to detect any security monitoring software, is an IE vulnerability. So if you use Chrome, Firefox, or Safari, that could put Stegano off.

Second, you can either update your Adobe Flash installations, switch Flash off, or stop using Flash altogether. This month, Chrome will stop using Flash as the default enabler of web media. The makers of Firefox, Safari, and Edge (Microsoft’s replacement for IE) are also planning a similar move, so that’s something you might want to put into consideration when prescribing browsers to your end users.

Third, you can deploy advanced anti-malware solutions. Remember that, as part of Stegano’s (and Stegoloader’s) security avoidance techniques, it scans for security tools. If it finds one, it will back off.

SF Transit System Held Hostage by Ransomware

sf-muni-ransomware-attackWhile most ransomware incidents go unreported, the attack on San Francisco’s Municipal Transport Agency (locally known as Muni) last Black Friday was hard to keep under wraps. The conspicuous message on the screens at ticketing agents’ booths said it all: “You Hacked, ALL Data Encrypted, Contact For Key (,Enter Key.”

SFMTA, which operates fleets of buses, cable cars, historic streetcars, light railway vehicles (subway), trolley buses and a handful of other public transportations, is now part of a rapidly growing list of businesses that have been victimized by ransomware. For more about this highly disruptive menace of a malware, read our post “The Secrets Behind Ransomware’s Surging Notoriety”.

The disruption from the ransomware attack on Muni, which affected over 2,000 computers, began Friday night and continued the entire Saturday. Affected systems had their hard drives encrypted, forcing the SFMTA to switch off ticket machines at the subway stations. As a result, the commuters were able to get free rides that weekend.

People who communicated with the email address left by the hackers were told that the ransom amount was 100 bitcoins, roughly equivalent to $73,000. This is much bigger than another high-profile ransomware attack that happened earlier this year.

In that attack, the Hollywood Presbyterian Medical Center ended up paying the ransom of $17,000 worth of bitcoins. Although most attacks only cost about $600-$700, there have been reports of ransom demands reaching up to as high as $150,000.

According to the extortionist who replied at the Yandex email address, SFMTA was not a victim of a targeted attack. Rather, it was more likely that someone working at SFMTA unwittingly downloaded a trojan that actually contained the ransomware. The reason the malware was able to spread through the network was likely because the user might have been using a workstation with admin level privileges.

This is consistent with the common characteristics of ransomware. They’re usually designed to spread through non-targeted phishing attacks and exploit kits. Whomever accidentally downloads the malware becomes a victim. Not all ransomware has worm-like capabilities that allow it to propagate through the network, but sadly for SFMTA, this one did.

There has been no indication that SFMTA paid any ransom to get their systems back. In fact, it’s believed their IT folks managed to recover from backups. Backups are an effective way of recovering from a ransomware attack. However, you shouldn’t be over-dependent on them, as ransomware developers have started introducing features that enable their malware to spread to backup systems as well.

So, which particular ransomware was responsible for this attack? Apparently, that distinction goes to HDDCryptor. Upon infection, which is initiated through a downloaded executable, HDDCryptor drops several components in the Windows root folder and then runs a service known as DefragmentService. The service is responsible for maintaining the malware’s persistence in the infected system.

HDDCryptor is designed to identify currently mounted drives as well as previously connected drives and then encrypt all files. To encrypt, the malware relies on an open source disk encryption software known as DiskCryptor. DiskCryptor also enables HDDCryptor to overwrite the Master Boot Record and display the ransom message.

Because of the malware’s capability to scan the system for mounted drives and previously accessed network folders, it’s highly possible that backups (depending on how they were configured) were also infected.

This particular case brings to the fore the cyber threats faced by public transportation and utilities. While this attack fortunately did not result in any physical harm, future attacks might not be as harmless.