A list of attacks and malware using steganography or information hiding.
- Lumma: similarly to Lurk and Stegoloader, the new Lumma stealer now uses steganography to hide payloads in images to be retrieved from a web repository
- Formbook exploits steganography: a malicious .NET executable (called MajorRevision.exe) is hidden in a compressed bitmap image
- Worok Group hides malware in PNG: LSB steganography is used to cloak data in PNG images. Worok hides two payloads: a PowerShell script and a custom .NET C# stealer able to abuse Dropbox for cloaking exfiltration and C&C communications
- Malicious PyPI Package: a malicious package published on PyPI can hide code in images and infect users through projects hosted on Github
- The Witchetty Group hides data in an old Win logo: the group developed a backdoor trojan called Backdoor.Stegmap, which downloads an image from a GitHub repository. The BMP file is an old MS Windows logo, but cloaks a payload encrypted with an XOR key
- Malware hidden in images from the James Webb telescope: a malicious executable is hidden in the certificate belonging to a picture of the galaxy cluster SMACS 0723. To prevent detection, the cloaked Golang executable is XORed and strings are encoded in ROT25
- Docker servers targeted with Lemon_Duck: attackers gain access to exposed Docker APIs, and Lemon_Duck runs a malicious container to fetch a script hidden in a PNG image
- Massive use of steganography to implement an attack chain against French entities: image steganography is used for hiding various payloads (including a base64-encoded PowerShell script) to install the Serpent backdoor
- SteamHide exploits Steam profile images to download malware: malicious encrypted code is placed within the PropertyTagICCProfile value
- OilRig covertly communicates via emails and image steganography: secret data is embedded in BMP images and sent as the attachment of fake emails
- Enterprises in Japan and Europe attacked also by using Mimikatz: malicious XLS containing Trojan.MSExcel.Agent.be are used to retrieve an image hiding the Trojan-PSW.PowerShell.Mimikatz
- IcedID and BokBot: an image is used to retrieve the shellcode and the IcedID core (see here for more details on the IcedID PhotoLoader)
- USBFerry uses steganography to mask a backdoor: it uses the BKDR_IDSHELL.ZTFC-A backdoor, which is hidden in a JPG and uses DNS to communicate with its controller
- Attack at the Tupperware website with credit card skimmer: a PNG file contains a malicious JavaScript (see here for similar techniques from the Magecart Group)
- MyKings Botnet hiding malicious data exchanges: the malware payload is hidden in images (e.g., a JPG containing the SQL brute forcer)
- Titanium: a PNG file is used to exchange commands for a backdoor (another technique used by Platinum is here)
- LokiBot: data appended to a BMP is extracted to create an encrypted DLL
- LokiBot - Variant: encrypted binary is embedded in a JPG
- IcedID Trojan propagates via image steganography: the payload of the trojan is embedded in a PNG image
- ScarCruft Malware: multi-stage loading is implemented by embedding part of the payload in an image
- PHP scripts in EXIF data of JPG: PHP webshells hidden in EXIF headers of JPGs to upload malware on a website
- Okrum and Ketrican: the Stage 1 loader containing the backdoor is embedded in a valid PNG
- Stegoware-3PC: malware can redirect iOS 12 devices to a phishing site by injecting data in PNG images
- Turla: it uses backdoors placed in ad-hoc PDF and JPG mail attachments (main target was Microsoft Exchange)
- OceanLotus: the malware loader and extensions are embedded in PNG (by using LSB steganography)
- Cardinal RAT: it uses various obfuscation techniques, the first one is a .NET executable embedding a BMP containing a DLL
- Powload: it embeds malicious code in images via the Invoke-PSImage technique.
- VeryMal: malware is injected in JPG (mainly targeting macOS and iOS)
- Ursnif: malicious code is injected in images embedded in PDF files
- On the use of steganographic Twitter memes: Trojan.MSIL.BERBOMTHUM.AA embeds in memes a /print command and sends screenshots of infected machines to a C&C server (the URL is hard-coded on pastebin.com)
- Cutwail botnet spam campaign to deliver the Bebloh banking Trojan: a PowerShell script to retrieve the malware payload Ursnif is embedded in a PNG
- Games on Google Play contain Android.RemoveCode.127.origin: the 呀呀云 SDK contained trojan-like functions for covertly retrieving malicious code from a C&C server embedded in images
- Daserf Backdoor: C&C communications and 2nd stage backdoors happen via embedding data in images
- SyncCrypt: a ZIP is embedded in an image containing the components of the ransomware
- AdGholas Malvertising Campaigns: data is embedded in various images (the Astrum/Stegano exploit kit is used)
- StegBaus: the loader uses multiple PNG embedded in .NET resources
- Gatak/Stegoloader: malicious code is hidden in PNG (Gatak has been widely used to infect users visiting keygen websites)
- PowerDuke spear phishing campaign post 2016 US elections: components of a backdoor were hidden in PNG files
- Android/Twitoor: encrypted commands are retrieved from a Twitter account acting as the C&C
- TSPY_GATAK.GTK: additional code and a list of URLs are retrieved via images
- Zberp: data is hidden in a JPG image. This is a variant of Zeus/Zbot
- XMRig Monero CPU Miner: the malware loader is obfuscated in different parts of a WAV file (e.g., encoded in the least significant bits)
- Sunburst: data is hidden in HTTP conversations and commands are extracted via regexp scanning bodies of HTTP responses
- Okrum and Ketrican: C&C communications are hidden in HTTP traffic, i.e., in the Set-Cookie and Cookie HTTP headers
- DarkHydrus: it uses DNS tunneling to transfer information, which is a technique observed in the past also in Morto and Feederbot malware
- Steganography in contemporary cyberattacks: a general review including Backdoor.Win32.Denis hiding data in a DNS tunnel for C&C communications
- ChChes: the malware uses Cookie headers of HTTP for C&C communications
- NanoLocker: the ransomware hides data in ICMP packets
- FAKEM RAT: C&C communications are camouflaged in Yahoo! Messenger and MSN Messenger as well as HTTP (strictly not network steganography!)
- Maldoc targeting Azerbaijan: a .doc document written in Azerbaijani contains an obfuscated macro and extracts a copy of FairFax (i.e., a .NET RAT)
- PHP Malware: a payload (Web Shell) has been found encoded in the whitespace of a license.php file via a publicly available proof-of-concept text steganography method
- Astaroth: the description of YouTube channels hides the URL of command and control servers.
- Platinum APT: C&C data is hidden in the order of HTML attributes and its encryption key in spaces among HTML tags
- L. Caviglione, W. Mazurczyk, Never Mind the Malware, Here’s the Stegomalware, IEEE Security & Privacy, Vol. 20, No. 5, pp. 101-106, September-October 2022, doi: 10.1109/MSEC.2022.3178205.
- K. Cabaj, L. Caviglione, W. Mazurczyk, S. Wendzel, A. Woodward, S. Zander, The New Threats of Information Hiding: The Road Ahead, IT Professional, Vol. 20, No. 3, pp. 31-39, May/June 2018, doi: 10.1109/MITP.2018.032501746.
- W. Mazurczyk, L. Caviglione, Information Hiding as a Challenge for Malware Detection, IEEE Security & Privacy, Vol. 13, No. 2, pp. 89-93, March-April 2015, doi: 10.1109/MSP.2015.33.
This work was supported by the Horizon 2020 Program through SIMARGL H2020-SU-ICT-01-2018, Grant Agreement No. 833042.