Encouraged by recent campaigns that apply the technique at a larger scale, researchers believe digital steganography has become an established method for attackers to obscure communication with command and control servers.
In a presentation last week at Black Hat Europe, researchers with Crowdstrike and Dell SecureWorks cited a handful of campaigns that depend on steganography and have flourished lately.
Steganography, or the art of hiding information inside media, isn’t a particularly new concept, but the researchers claim that malware programmers and operators appear taken with the technique as of late.
Pierre-Marc Bureau, a senior security researcher at Dell SecureWorks, and Dr. Christian Dietrich, a senior researcher with Crowdstrike, say one of the most recent examples can be found in an instance of “Foreign,” a DDoS tool the two examined recently, which relies on messages hidden in HTTP error pages. The bot parses a page that at first glance appears to be a generic 404 page but actually contains a C2 command, hidden from the human eye.
The command, encoded using Base64 and stored between HTML comment tags, prompts the bot to download a file from a given URL.
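The detection side of what is described above, as an added example that is not from the article or the researchers: a small checker that pulls HTML comments out of a response body, keeps only those whose entire content is a plausible Base64 blob, decodes them, and flags a 404 page that carries such a payload. The page body and the encoded "command" are constructed placeholders, not the real tool's traffic.

```python
import base64
import re

# Constructed sample: a fake 404 page with a Base64 blob inside an HTML
# comment, modelled on the behaviour described in the article. The decoded
# text is an invented placeholder, not the real bot's command format.
SAMPLE_404_BODY = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<!-- ZG93bmxvYWQgaHR0cDovL2V4YW1wbGUuaW52YWxpZC91cGRhdGUuYmlu -->
<!-- page generated by webserver -->
</body></html>"""

# Matches HTML comments; DOTALL lets a comment span several lines.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A plausible Base64 token: Base64 alphabet only, at least 16 characters so
# that a short word such as "todo" inside a comment does not trigger a hit.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def hidden_comment_payloads(html):
    """Return decoded text from HTML comments whose whole body is Base64."""
    hits = []
    for body in COMMENT_RE.findall(html):
        token = body.strip()
        # Base64 without padding errors always has a length divisible by 4.
        if len(token) % 4 != 0 or not B64_RE.match(token):
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
        # Binary noise decodes too; only keep results that read as text.
        if decoded.isprintable():
            hits.append(decoded)
    return hits


def looks_like_stego_404(status_code, html):
    """Flag a response that claims to be a 404 but carries a hidden payload."""
    return status_code == 404 and bool(hidden_comment_payloads(html))


if __name__ == "__main__":
    for payload in hidden_comment_payloads(SAMPLE_404_BODY):
        print("hidden command:", payload)
    print("suspicious:", looks_like_stego_404(404, SAMPLE_404_BODY))
```

Run over proxy or sandbox captures, a hit on a 404 response is a strong pivot point, since legitimate error pages rarely contain long Base64 comments.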
The tool is the latest entry in a growing field of malware that excels at communicating via a stealthy C2 channel.
Again, Bureau and Dietrich insist the technique as a whole isn’t new, but that the method has grown more sophisticated lately. The two also discussed how three malware families, Lurk, Gozi, and Stegoloader, have leveraged the technique over the past several years.
Lurk, a downloader for click-fraud malware, was spotted in 2014 hiding the URL it retrieves content from inside a .BMP image. Gozi, known for perpetrating bank fraud, began using steganography at the beginning of this year “as a backup mechanism to retrieve URLs where it could download its configuration file.” The malware encrypts the information in a favicon.ico file hosted on Tor.
Researchers with SecureWorks first described the Stegoloader malware, which operates in a similar fashion to Lurk, earlier this year. The malware relies on a deployment module that fetches a PNG file containing the malware. Once dropped, the malware is mostly used to steal system information, but it can also load additional modules that access documents, list installed programs, steal browser history, and drop Pony, a password-stealing malware.
"Distrust and caution are the parents of security" - Benjamin Franklin