The biggest malware infections are probably the ones that have yet to be uncovered. Earlier this month, security researchers revealed a massive malvertising-based exploit kit whose earliest variants may have been operating since 2014 and whose infected banner ads might have already been displayed to millions. How could it have remained hidden in plain sight for so long? Apparently, it evaded detection through a combination of fingerprinting/probing and steganography.
The folks at ESET, who recently carried out extensive research on this cyber attack, are attributing the infections to what they now call the Stegano exploit kit. The name comes from the way the exploit kit conceals its malicious code on banner ads, i.e., through steganography.
Steganography is a known technique (not always for malicious purposes) for concealing content inside another piece of content. In most cases, that “other piece of content” is an image. And in this particular case, that image is the one on the banner ad. The content being concealed here is a malicious script and some accompanying variables.
Stegano EK is believed to have reached millions of users. The reason is because it managed to serve its malicious ads on advertising networks whose content is displayed on high traffic news websites. The volume of visitors on these sites number in the millions … per day.
An overview of how the Stegano exploit kit works.
1. Initial environment check.
When a user arrives at an infected news site’s web page, the web page loads along with the malicious banner ad. But before loading the ad, Stegano does an initial check. It does this through a modified version of countly. Countly is a tool normally used for web analytics, so it doesn’t raise any red flags.
The modified tool then reports back to the attacker’s server, providing it with information that enables the server to determine whether to display a clean ad or a malicious ad.
2. Malicious ad is served
The malicious ad is almost identical to the clean ad, except that it has a slightly modified alpha channel. The alpha channel is that part of an RGBA (red green blue alpha) image that dictates a pixel’s degree of transparency. Because the change in the malicious image’s alpha channel is so minimal, the difference between the malicious ad and the clean ad is virtually imperceptible to the naked eye.
However, because a banner’s image consists of a large number of pixels, that difference is enough to conceal information. In this case, malicious script. That script then checks the user’s system for a vulnerability in Internet Explorer (CVE-2016-0162) which allows the exploit kit to determine whether any tools and applications normally used by security professionals are present in the system. If any packet capturing, sandboxing, virtualization and similar applications are found, the exploit kit promptly backs off.
3. Exploit stage
In the event the exploit kit determines the coast is clear, it then redirects the victim’s browser to the exploit landing page. The landing page then loads a Flash file, which in turn exploits any of three Flash-related vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117).
If the exploit succeeds, Stegano then drops its payload(s), which may range from keyloggers, trojans, to ransomware. Before downloading the payload, Stegano performs yet another check to determine the presence of security tools. It’s this highly cautious approach (coupled with steganography) that has allowed Stegano to avoid detection for so long.
Other malware that has used steganography
While the use of steganography is certainly a unique way of hiding malicious information, Stegano EK isn’t the only malware that has employed this technique. Here are some examples of malware that have also done it in the past.
A variant of the notorious banking trojan Zeus/Zbot, ZeusVM is one of the more popular pieces of malware that has used steganography. Unlike Stegano though, ZeusVM didn’t hide malicious code in an image. Instead, it hid its configuration data in it. This data, which is equally vital to the malware’s functionality, included domains of banking and financial institutions which the malware targeted.
The configuration data was appended to the image and encrypted using Base64, RC4, and XOR to make it indecipherable to anyone who decided to inspect the image more closely. The ZeusVM toolkit, which included a builder that would enable the user to inject the malware’s config to any JPG file, was spread online, so several script kiddies were able to get their hands on it.
Also known as VAWTRAK, Gozi is a banking trojan that steals personal information and credentials (usually through screen captures and keyloggers) that are then used by the attackers to carry out fraudulent transactions. Gozi leveraged steganography to hide a configuration file that contained a list of domain names that in turn corresponded to its Command and Control servers.
The configuration data was hidden in what is known as a favicon. This is a tiny icon (.ico) associated with a website that’s displayed on a web browser. So, for example, you have favicon for Wikipedia and a different favicon for, say, Yahoo. Because it’s normal for websites to be accompanied by a favicon, security solutions failed to flag the favicon downloads as threats.
Gozi more closely resembled Stegano in the manner by which it hid malicious information. Unlike ZeusVM, which simply appended malicious information to the image, Gozi (like Stegano) made very small changes to the image’s pixels. But while Stegano altered the alpha channel, Gozi altered the least significant bits (LSB) of the R, G, B, and A parameters of each pixel.
Most malware that use steganography hide malicious information in visually appealing images like cats or sunsets. However, there is one that hid the information in what looked like plain white images but actually had very small alterations in its pixels.
The use of “white color” is actually very clever because the naked eye can’t differentiate between a pure white pixel (RGB = 255,255,255) and one that’s slightly grey (e.g. RGB = 254, 254, 254). Again, that difference, when spread across the pixels that comprise the entire image, is enough to contain malicious information.
This is the kind of image that Lurk used. Lurk is primarily a downloader. When it was discovered, Lurk’s usual payload was click-fraud malware. To retrieve the URL of the malware it was configured to download, Lurk first downloaded an image (the “white” image we discussed earlier), extracted the LSB from each pixel, performed some XOR operations to decode, and then used the retrieved URL to download the actual payload.
To illustrate how difficult it is to distinguish between pure white (RGB=255,255,255) and slightly greyish white with RGB = 254,254,254, try to compare the two images below. The top NEMESIS logo uses pure white, while the bottom logo uses slightly greyish white with RGB = 254,254,254.
Can you tell the difference?
This is one piece of malware that has a couple of similarities with Stegano. Stegoloader is primarily an information stealer but consists of several modules. Its downloader module is the one that employs steganography.
Its use of steganography isn’t the only characteristic that makes Stegoloader similar to Stegano. First, like Stegano, Stegoloader initially inspects the target system to make sure it’s not running in an analysis environment or that any security tools are present. If it determines that the environment is not safe enough, it automatically aborts the attack. Secondly, unlike Gozi and Lurk, which simply hid URLs, Stegoloader (like Stegano) also hid code.
How to protect your system from Stegano
There are a couple of ways to protect yourself from a Stegano EK attack. There’s absolutely no way you can identify a malicious banner ad by simply looking at it, so you can forget about countering the steganography part of the attack.
First, you can simply avoid using Internet Explorer. The first vulnerability Stegano exploits, which allows it to detect any security monitoring software, is an IE vulnerability. So if you use Chrome, Firefox, or Safari, that could put Stegano off.
Second, you can either update your Adobe Flash installations, switch Flash off, or stop using Flash altogether. This month, Chrome will stop using Flash as the default enabler of web media. The makers of Firefox, Safari, and Edge (Microsoft’s replacement for IE) are also planning a similar move, so that’s something you might want to put into consideration when prescribing browsers to your end users.
Third, you can deploy advanced anti-malware solutions. Remember that, as part of Stegano’s (and Stegoloader’s) security avoidance techniques, it scans for security tools. If it finds one, it will back off.