How Hackers use Image Steganography to Hide Malware and What You can Do to Stop Them

May 11, 2020

Cybersecurity demands constant vigilance; hackers are constantly expanding their arsenal of threats and are even revitalizing old attack methods. One old-school threat that has reappeared in a more sophisticated form is image steganography.

What is image steganography?

Image steganography refers to the practice of hiding code within an innocent-looking image. Cybercriminals have harnessed this effective method for hiding information in plain sight, both because cybersecurity experts may overlook this old trick and because it is easy to convince users to open images without prompting suspicion. Hackers may utilize legitimate services, such as free image hosting services, to ensure their malware is spread to as many users as possible. In fact, in 2017, security researchers reported a 600% increase in image steganography attacks.

How can malware hide in image steganography?

It is not difficult for a hacker to conceal malicious code in digital content. For example, a standard JPEG photo contains several megabytes of pixel data, allowing an attacker to alter several of the pixels to embed malicious code. The color value differences between altered and unaltered pixels are subtle enough that human eyesight cannot detect them, and it would be very time consuming for machines to scan every image for hidden data, especially when the threat is unknown.
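To make the mechanism above concrete, here is an added example (not code from the original post) that hides a constructed byte string in the least-significant bit of a constructed RGB pixel buffer and then measures the change: no byte moves by more than 1, which is why the eye sees nothing, while a comparison against a known-good original (the check a forensic analyst would run) exposes every altered byte. The carrier, payload and helper names are all assumptions for the demo.

```python
# Added example: LSB embedding/extraction over a constructed pixel buffer,
# plus the byte-level comparison that shows why the change is invisible.

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the lowest bit of each byte, after a 4-byte length prefix."""
    msg = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # only the lowest bit is touched
    return bytes(out)

def extract_lsb(pixels: bytes) -> bytes:
    """Reassemble the hidden bytes from the LSB plane."""
    def read(n_bytes, offset):
        value = bytearray()
        for b in range(n_bytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[offset + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)          # payload starts after 4 bytes * 8 bits

def compare(original: bytes, stego: bytes) -> dict:
    """Per-byte damage statistics: the numbers a human eye cannot perceive."""
    diffs = [abs(a - b) for a, b in zip(original, stego)]
    return {"max_delta": max(diffs),
            "changed_fraction": sum(1 for d in diffs if d) / len(diffs)}

# Constructed carrier: a 64x64 RGB gradient (12288 bytes), not a real photo.
CARRIER = bytes(((x * 4) & 0xFF) for y in range(64) for x in range(64) for _ in range(3))
# Constructed sample payload; any bytes (a script, a URL, a config) work the same way.
PAYLOAD = b"constructed sample payload for the demo"

if __name__ == "__main__":
    stego = embed_lsb(CARRIER, PAYLOAD)
    print(compare(CARRIER, stego))
    print(extract_lsb(stego))
```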

As with other malware delivery methods, the image can carry the entire payload, or it can carry a small loader that calls additional code or executables used in the attack.

From the attacker’s point of view, one downside of steganography is its limited delivery mechanism: attacks arrive at low frequency and cannot reach the high volumes that cybercriminals traditionally prefer. However, image steganography toolkits are widely available, with hundreds of free apps on the market. These tools are extremely easy to use—some are even drag and drop—with no code necessary. This means that any amateur with malicious intent has the potential to abuse image steganography.

History of Steganography

The word steganography has its origins in the Greek word “steganos,” which means secret or hidden, and “graphy,” which means writing or drawing. Steganography uses hidden writing techniques to pass information secretly.

While the terminology was first introduced in 1499, the concept is even older. Romans were known to tattoo a message on a slave’s scalp and dispatch him on a mission once his hair grew back. The receiver would shave the slave’s head again and read the message. A less gruesome example of steganography is Da Vinci, who would regularly embed a secret meaning into his paintings.

Digital image steganography began in 1985 with the arrival of personal computers, and since then attackers have recognized the possibility of using the ancient technique of steganography to carry out malicious activity. The first known use of image steganography in a cyberattack was in 2011 with the Duqu malware, where data was encrypted and embedded into a simple JPEG file with the goal of gathering information from a victim’s system. In 2014, the Zeus banking Trojan (ZeusVM) used image steganography to hide commands it sent to infected systems, and Lurk ransomware delivered an encrypted URL hidden in a white BMP image file, which downloaded a second payload when decrypted.

[Image: An example of an image ZeusVM used as a decoy to retrieve its configuration file.]

More recently, image steganography has been used by the Sundown Exploit Kit, the new Vawtrak to hide code in favicons, the Stegoloader/Gatak backdoor Trojan, and Stegano to hide malicious code in advertising banner images that appeared on legitimate websites.

[Image: Stegoloader/Gatak’s downloaded image file including hidden data.]

[Image: A malvertising ad directing to the Stegano exploit kit.]

Example of an image steganography attack: LokiBot

TrendMicro describes how the LokiBot malware uses steganography to hide its malicious files. The malware installs itself as two files: a .jpg file and a .exe file. The .jpg file opens to reveal data that LokiBot needs when it runs. The malware places the image and the .exe file into a directory that it creates, along with a Visual Basic script file that runs the LokiBot file. The script uses a decryption algorithm to extract the encrypted code from the image, enabling the VBScript interpreter to execute the malware. This enables the hackers to change the script or the execution technique at any time.

[Image: Steganography image containing data that LokiBot references in its unpacking routine.]

Image steganography detection

Image steganography techniques often make the most minute modifications to the image files, enabling them to evade standard anti-malware and APT tools, which are not designed to detect this type of malware. McAfee says, “Steganography in cyber attacks is easy to implement and enormously tough to detect, so cyber criminals are shifting towards this technique.” Kaspersky Lab security researchers agree, saying, “Most modern anti-malware solutions provide little, if any, protection from steganography. As a result, any ‘carrier’ such as a digital image or a video file that can be used to conceal stolen data, or communications between a malware program and a command and control server, poses a potential threat.”

One of the reasons steganographic attacks are so difficult to uncover is that they arrive as zero-day threats, making detection difficult for antivirus and next-gen antivirus tools that rely on threat intelligence and signature databases. Today’s purpose-built steganography detection programs are proof-of-concept; they are known to be slow and to have relatively low detection rates, rendering them unfit for the commercial security tools currently on the market.

The best way to prevent image steganography challenges: CDR

Votiro’s Content Disarm and Reconstruction (CDR) technology can overcome image steganography challenges because it neutralizes all external malicious content threats, including undisclosed and zero-day exploits. CDR technology breaks the file down into its basic objects and reconstructs only the file’s vendor-approved objects. This ensures that each individual section and its metadata are fully cleansed of any threat, and that all macros and malicious code have been removed. All this is done in microseconds, with no obstruction to the user, and the reconstructed and sanitized file preserves the integrity and functionality of the original file, combining the highest levels of security and productivity.
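To illustrate the object-level rebuild described above, here is an added example (not Votiro’s code) that treats a PNG the way CDR treats a document: it splits the file into chunks, verifies each CRC, keeps only the structurally required chunk types, and drops everything after IEND. The whitelist, the helper names and the constructed 2x2 PNG (which carries a tEXt chunk and bytes appended after IEND) are assumptions for the demo; only the standard library is used.

```python
# Added example: minimal CDR-style rebuild of a PNG from whitelisted chunks.
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}   # policy chosen for this demo

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk; the CRC covers type + data, not the length."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def parse_chunks(png: bytes):
    """Yield (type, data) per chunk; stop at IEND so trailing bytes are ignored."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break

def sanitize_png(png: bytes) -> bytes:
    """Rebuild the file from whitelisted chunks only, with fresh CRCs."""
    kept = [chunk(t, d) for t, d in parse_chunks(png) if t in ALLOWED]
    return PNG_SIG + b"".join(kept)

def chunk_types(png: bytes) -> list:
    return [t for t, _ in parse_chunks(png)]

def build_suspect_png() -> bytes:
    """Constructed 2x2 RGB image with a tEXt chunk and data appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)   # 2x2, 8-bit, RGB
    rows = b"\x00" + b"\xff\x00\x00" * 2 + b"\x00" + b"\x00\x00\xff" * 2  # filter 0 per row
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", b"Comment\x00constructed hidden text")
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")
            + b"constructed trailing blob")

if __name__ == "__main__":
    suspect = build_suspect_png()
    print(chunk_types(suspect), "->", chunk_types(sanitize_png(suspect)))
```

Chunk filtering removes metadata and appended data; data hidden in the pixel values themselves survives unless the pixels are also re-rendered, which a full image rebuild must do as well.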

See our next blog for a step-by-step demonstration of how an image steganography threat is constructed and executed.