Image Steganography Example: How I Created an Attack

May 19, 2020

In a cyber attack that uses image steganography, cybercriminals hide malicious code within an innocent-looking image file. For example, a standard JPEG photo contains several megabytes of pixel data, allowing an attacker to alter several of the pixels to embed malicious code. The changes are so subtle that the human eye cannot detect them, and it would be very time-consuming for machines to scan every image for hidden data, especially when the threat is unknown and the machines do not know what they should be searching for. Like all malware, image steganography can be used to hide the payload within the code itself, or the code can call additional code or executables associated with attacks. See our previous post for more details about image steganography threats, including its history and examples.

Image steganography attacks are extremely easy to implement, with DIY toolkits widely available online and hundreds of free apps on the market. Anyone with malicious intent has the potential to abuse image steganography and cause much damage to a target. Let’s explore how simple it is to hide text in an image using steganography.

Step 1: Determine target and payload

An attacker goes through a multi-step process when creating a steganography technique. They must set their sights on a specific company, select a specific target at that company, research the access available to that target, and determine how exactly the hack should take place. The payload must also be determined: what do they want the steganography technique to accomplish? Do they want to take control of the target’s machine or quietly extract information?

Step 2: Alter an image

As a steganography example, take a standard, innocent-looking image, and alter a number of its pixels to embed hidden messages or files inside of the image.

To do this, install a tool called Steghide on the machine. Run a number of commands to copy an image file (Kids_On_The_Beach_STEG.jpg) into the root of the directory, along with the text file that should be embedded into that particular image (HighlyClassified.txt). Confirm the two files reside in the same folder.

Steghide Run Command image for Image Steganography post.

Then, leverage Steghide to hide the text file in the image using steganography.

Steghide example for Image Steganography blog post.

Take the altered file that is now created and rename it (Kids_On_The_Beach_STEG_EMBEDDED.jpg). Verify that the altered file differs from the original by running a Get Hash value command using PowerShell on each file, which shows two totally different hash values.

Image Steganography example showing get Hash value command using Powershell

Step 3: Extract the malicious code

Using Steghide, run a command to extract the embedded data to a separate file (HighlyClassified_EXT.txt).

Steghide run command to extract embedded data to a separate file.

Once the file is extracted, hackers can execute the payload and cause damage to the target. By hiding the payload within an image file, image steganography techniques can easily evade standard anti-malware and APT tools, which are not designed to detect this type of malware.

Avoid image steganography attacks

Votiro’s Content Disarm and Reconstruction (CDR) technology can overcome image steganography challenges as it neutralizes all external malicious content threats, including undisclosed and zero-day exploits. CDR technology recreates the received image file (Kids_On_The_Beach_STEG_EMBEDDED.jpg) with only the vendor-approved components of the file included. This means that any malware, malicious macro, or other threat that has been embedded or encrypted in the file is left behind, and the file that is delivered to its end destination arrives with full functionality and full security.

Votiro Sanitizing an Image Steganography File

The screenshot below shows the file on Votiro’s platform.

Image Steganography Threat on Votiro Platform

Note that even though the technology did not recognize any known threat, it still sanitized the file. This meticulousness is the reason why Votiro has not experienced a single breach across more than 500 customers and billions of files.

The sanitized file is then reconstructed while preserving the integrity and functionality of the original file. The two images look exactly alike; the only difference is that the malicious code has been removed. To verify, run the Steghide process for extracting the content.

Steghide was unable to extract the malicious text because that content no longer exists thanks to Votiro’s Advanced CDR technology, which has the ability to neutralize the malicious data hiding in image steganography files.
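The hash check, the extraction, and the failed extraction after the file is rebuilt can be reproduced on a small model. This is an added example, not code from the original post, from Steghide, or from Votiro: it assumes a raw pixel buffer and a simple lowest-bit embedding rather than Steghide's method, and `sanitize` is a hypothetical stand-in for rebuilding an image from its meaningful bits only.

```python
import hashlib

def _bits(data):
    return [(byte >> s) & 1 for byte in data for s in range(7, -1, -1)]

def embed_lsb(pixels, payload):
    """Test-sample builder: 16-bit length prefix + payload in each byte's lowest bit."""
    bits = _bits(len(payload).to_bytes(2, "big") + payload)
    if len(bits) > len(pixels):
        raise ValueError("cover too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(pixels):
    """Read the length prefix, then that many bytes, from the lowest bits."""
    def read(start, count):
        lsbs = [p & 1 for p in pixels[start:start + count * 8]]
        return bytes(int("".join(map(str, lsbs[k:k + 8])), 2)
                     for k in range(0, len(lsbs), 8))
    if len(pixels) < 16:
        return b""
    length = int.from_bytes(read(0, 2), "big")
    if 16 + length * 8 > len(pixels):
        return b""  # implausible length: nothing recoverable
    return read(16, length)

def sanitize(pixels):
    """Rebuild the buffer from the 7 high bits only; the lowest bit is not carried over."""
    return bytes(p & 0xFE for p in pixels)

def max_delta(a, b):
    """Largest per-byte change between two buffers (a proxy for visible difference)."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed sample data (not from the original post).
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
SECRET = b"constructed sample text"
STEGO = embed_lsb(COVER, SECRET)
CLEAN = sanitize(STEGO)

if __name__ == "__main__":
    changed = hashlib.sha256(COVER).digest() != hashlib.sha256(STEGO).digest()
    print("hash changed:", changed)
    print("max pixel delta cover/stego:", max_delta(COVER, STEGO))
    print("extracted from stego:", extract_lsb(STEGO))
    print("extracted after rebuild:", extract_lsb(CLEAN))
```

The hash comparison only flags the altered file when the original is available to compare against, whereas the rebuild step removes the hidden bytes without needing to know they were there.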