Stegware use increases for hackers
   Â
Security experts are warning of an increaasing of steganography as to spread malware. Steganography os becoming the tool for hackers not just to infect, but to control, steal data and and to encrypt files. The latest steganography threat is that "stegware" hacking tools are common on Dark Web hacker forums. These tools are now standard features on hacker forums. Previously, only talented hackers knew how to make their own stegware. Now these tools have filtered down for any hacker to buy and use.
   Â
For years, steganography has existed as a rare threat when it comes to malware infection methods. In 2016, the Sundown exploit kit used PNG files to hide exploit code using steganography. But over the past year researchers say steganography has been used in malware programs and cyberespionage tools going by the names of Microcin, NetTraveler and Invoke-PSImage. It used to be used by terrorists to communicate without anyone knowing what was being said. Now it's about hackers using it to hide from detection defenses. Hackers can hide dangerous code, a command-and-control channel or using it to steal sensitive data without detection.
   Â
In a report by IBM X-Force, researchers detected three malware samples in network attacks containing cryptocurrency CPU-mining tools hidden within fake image files. It estimates a six-fold increase in the use of steganography to hide embedded mining tools in images. In August, Kaspersky Lab researchers reported seeing steganography used in updated versions of trojans Zerp, ZeusVM, and Triton. Steganography was also used in the Pyeong Chang Winter Olympics hacks in February. According to McAfee researchers, the attackers used the open-source tool Invoke-PSImage to embed the PowerShell script into an image file. One example included a single pixel containing a PowerShell script that can run when opening within a browser. The method employs splitting malicious code into two pieces and then bootstrapping them back together when the image is opened. All that's needed is a webpage with a JavaScript and an image tag to load the malicious pixel. After the image is rendered on the browser the JavaScript can access the hidden content inside the image. Finally, the PowerShell interpreter gets to the end and the script runs.
   Â
Another case had hackers using Twitter as a C2 to send code by malicious images packed with code for malware hosted on a device. Stegware can be used as a command-and-control; where an hacker hides a command inside an image using steganography. First, they create a tweet and include that image along with a specific hashtag and send it off. In the meantime, malware running on the infected device is trolling Twitter for tweets with the specific hashtag. When the tweet arrives, the malware is able extract the image and then decode the steganography and run the code. In this case, images and Twitter traffic don't appear suspicious, which makes detecting it a difficult task. Steganography isn't limited to images, but can also employ a host of file types such as video, audio and even text when converted into hexadecimal format.
   Â
Guarding against such attacks is difficult requiring companies to adopt measures to wash images or employing tools and services that can detect the use of steganography where normal anti-virus software has a difficult time.