
T1027.003 Steganography

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server. [1]

By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. [2]

Item | Value
ID | T1027.003
Sub-techniques | T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011
Tactics | TA0005
Platforms | Linux, Windows, macOS
Version | 1.2
Created | 05 February 2020
Last Modified | 30 March 2023

Procedure Examples

ID | Name | Description
S0469 | ABK | ABK can extract a malicious Portable Executable (PE) from a photo. [9]
G0138 | Andariel | Andariel has hidden malicious executables within PNG files. [20][21]
G0067 | APT37 | APT37 uses steganography to send images to users that are embedded with shellcode. [22][23]
S0473 | Avenger | Avenger can extract backdoor malware from downloaded images. [9]
S0234 | Bandook | Bandook has used .PNG images within a zip file to build the executable. [14]
S0470 | BBK | BBK can extract a malicious Portable Executable (PE) from a photo. [9]
G0060 | BRONZE BUTLER | BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads. [9]
S0471 | build_downer | build_downer can extract malware from a downloaded JPEG. [9]
S0659 | Diavol | Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques. [13]
G1006 | Earth Lusca | Earth Lusca has used steganography to hide shellcode in a BMP image file. [16]
S0483 | IcedID | IcedID has embedded binaries within RC4-encrypted .png files. [10]
S0231 | Invoke-PSImage | Invoke-PSImage can be used to embed a PowerShell script within the pixels of a PNG file. [3]
G0065 | Leviathan | Leviathan has used steganography to hide stolen data inside other files stored on GitHub. [19]
S0513 | LiteDuke | LiteDuke has used image files to hide its loader component. [7]
G0069 | MuddyWater | MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg. [18]
S0644 | ObliqueRAT | ObliqueRAT can hide its payload in BMP images hosted on compromised websites. [15]
S0439 | Okrum | Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file. [5]
C0023 | Operation Ghost | During Operation Ghost, APT29 used steganography to hide payloads inside valid images. [7]
C0005 | Operation Spalax | For Operation Spalax, the threat actors used packers that read pixel data from images contained in PE files' resource sections and build the next layer of execution from the data. [25]
S0518 | PolyglotDuke | PolyglotDuke can use steganography to hide C2 information in images. [7]
S0139 | PowerDuke | PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA). [8]
S0654 | ProLock | ProLock can use .jpg and .bmp files to store its payload. [12]
S0565 | Raindrop | Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code. [6]
S0458 | Ramsay | Ramsay has PE data embedded within JPEG files contained within Word documents. [11]
S0495 | RDAT | RDAT can also embed data within a BMP image prior to exfiltration. [4]
S0511 | RegDuke | RegDuke can hide data in images, including use of the Least Significant Bit (LSB). [7]
G0127 | TA551 | TA551 has hidden encoded data for malware DLLs in a PNG. [17]
G0081 | Tropic Trooper | Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection. [24]

Detection

ID | Data Source | Data Component
DS0022 | File | File Metadata
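Because the listed data source is File Metadata, a structural triage check such as the one below (an added Python example, not ATT&CK content or any listed tool's code) walks a PNG's chunk list and flags data appended after IEND, oversized ancillary chunks and CRC mismatches, the patterns behind several procedure examples above where an executable rides inside an image file. The constructed sample image, the 64 KiB chunk threshold and the MZ check are assumptions; payloads hidden in pixel values, as with Invoke-PSImage or LSB embedding, leave the file structure intact and need pixel-level analysis instead.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = (b"IHDR", b"PLTE", b"IDAT", b"IEND")
ANCILLARY_LIMIT = 64 * 1024  # triage threshold, an assumption to tune per environment

def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width=2, height=2):
    """Constructed minimal 8-bit RGB PNG that serves as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # each scanline: one filter byte (0 = None) then `width` RGB triples
    raw = b"".join(b"\x00" + bytes([10, 20, 30] * width) for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def inspect_png(blob):
    """Walk the chunk list; return structural findings (empty list means nothing odd)."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["not a PNG (bad signature)"]
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        name = ctype.decode(errors="replace")
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            findings.append(f"truncated {name} chunk")
            return findings
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            findings.append(f"CRC mismatch in {name} chunk")
        if ctype not in CRITICAL and length > ANCILLARY_LIMIT:
            findings.append(f"oversized ancillary chunk {name} ({length} bytes)")
        pos = end
        if ctype == b"IEND":
            break
    trailing = blob[pos:]  # a well-formed PNG ends exactly at the IEND chunk
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
        if trailing.startswith(b"MZ"):
            findings.append("trailing data starts with the PE 'MZ' signature")
    return findings

if __name__ == "__main__":
    print(inspect_png(make_png() + b"MZ" + b"\x90" * 100))
```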

References

  1. Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018. 

  2. Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018. 

  3. Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018. 

  4. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  5. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  6. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. 

  7. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  8. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

  9. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  10. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  11. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  12. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  13. Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider? Retrieved November 12, 2021.

  14. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  15. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  16. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  17. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021. 

  18. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  19. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. 

  20. Jazi, H. (2021, April 19). Lazarus APT conceals malicious code within BMP image to drop its RAT. Retrieved September 29, 2021.

  21. Park, S. (2021, June 15). Andariel evolves to target South Korea with ransomware. Retrieved September 29, 2021. 

  22. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. 

  23. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. 

  24. Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments. Retrieved May 20, 2020.

  25. Porolli, M. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.