steg-in-the-wild

A list of attacks and malware using steganography or information hiding.

Image Attacks

Audio Attacks

  • XMRig Monero CPU Miner: the malware loader is obfuscated in different parts of a WAV file (e.g., encoded in the least significant bits of the audio samples)

Network Attacks

  • Sunburst: data is hidden in HTTP conversations and commands are extracted by regex scanning of HTTP response bodies
  • Okrum and Ketrican: C&C communications are hidden in HTTP traffic, i.e., in the Cookie and Set-Cookie HTTP headers
  • DarkHydrus: uses DNS tunneling to transfer information, a technique previously observed in the Morto and Feederbot malware
  • Steganography in contemporary cyberattacks: a general review, including Backdoor.Win32.Denis hiding C&C communications in a DNS tunnel
  • ChChes: the malware uses HTTP Cookie headers for C&C communications
  • NanoLocker: the ransomware hides data in ICMP packets
  • FAKEM RAT: C&C communications are camouflaged as Yahoo! Messenger and MSN Messenger traffic as well as HTTP (strictly speaking, not network steganography!)

Text Attacks

  • Maldoc targeting Azerbaijan: a .doc document written in Azerbaijani contains an obfuscated macro that extracts a copy of FairFax (i.e., a .NET RAT)
  • PHP Malware: a web shell payload was found encoded in the whitespace of a license.php file using a publicly available proof-of-concept text steganography method
  • Astaroth: the description of YouTube channels hides the URL of the command and control servers
  • Platinum APT: C&C data is hidden in the order of HTML attributes, and its encryption key in the whitespace between HTML tags

Related Papers


Acknowledgements

This work was supported by the Horizon 2020 Program through SIMARGL H2020-SU-ICT-01-2018, Grant Agreement No. 833042.