Remember using invisible ink as a kid to share top secret messages with your friends? Apparently, hackers remember, too, and they’re using a similar technique to hide malware. The recent VeryMal malvertising campaign, which popped up in major advertising networks in January, is a prime example.
Using a technique called steganography, a malicious payload is hidden in an image file. The image looks like a simple white rectangle, but the payload hidden inside adds parameters to a URL that tricks Apple users into installing a bogus software update for Adobe Flash. When this happens, VeryMal expands its malicious advertising campaign to reach more people – as many as 5 million per day, according to some estimates. Most antimalware engines have been unable to detect the VeryMal payload because of the way it’s being concealed.
Steganography is the process of hiding a message or data within a non-secret file so it can be extracted when it reaches its destination. The hidden content could be anything – text, image, video, audio, code, the identities of parties attempting to communicate, etc. Steganography is not a new technique for concealing information, and it has perfectly legitimate uses. Publishers often use a form of steganography to prevent their media files from being shared without permission.
However, when that hidden message is malware, ransomware or an exploit kit, you have a very dangerous technique for concealing and delivering malicious content and avoiding detection. Once that content has slipped past security software, hackers often try to fool users by mimicking legitimate programs, as VeryMal did with Adobe Flash.
Because encrypted malware is becoming easier to detect, many hackers are moving away from cryptography in favor of steganography, which has been called the digital equivalent of invisible ink. Steganography makes it possible for malware to blend into its surroundings and bypass security software to get to its target, where it can then be executed. The ability to fly under the radar by hiding malware in banner ads, text messages, images and other content has led to a spike in steganography attacks. In fact, researchers found that these attacks increased by 600 percent in 2017.
Oddly enough, at least one security tool was able to detect VeryMal. When users were prompted to install the bogus Adobe Flash update, they were alerted to a “potentially unwanted program.” Millions clicked anyway. Organizations need to do a better job of training employees to spot and report different types of threats.
Of course, relying solely on human beings to make good decisions is a flawed security strategy. Organizations need to regularly update security policies, make sure they have access to the latest threat intelligence, and deploy all patches and software updates as quickly as possible. They should also have a plan for inspecting and testing suspicious content in an isolated segment of the network to avoid compromising critical systems and data.
Is your organization prepared to detect and prevent steganography attacks? Let us help you implement the necessary tools and training and monitor network activity to minimize the risk of malware or a data breach.