Beware of RATs in Images

There’s nothing new about hiding malware in an image. Once hackers learned that image files could mask malware, they began using them. Hiding one file inside another file is called steganography. It has always been a sneaky way to avoid detection because the average user believes pictures are innocent: that pictures are pictures and nothing more. But, as I showed in a post on how terrorists communicate, I was able to use a free steganography program to hide an image in an image. For this purpose I needed a BMP file. It is relatively simple to convert any JPG file into a BMP file. Below, you will see two photos that look identical. The file on the left is the original BMP file and the one on the right is the same file with another file hidden within it. (BMP files are not allowed on WordPress, so these are in JPG format here.)

It may seem difficult to believe, but the file on the right has the image below hidden within it. In fact, I could have hidden any type of digital file within it.

Now, all of this is dangerous enough, but a new malware attack just appearing in South Asia is taking this idea a step further. And, as usual, it all begins with a phishing email that has an attached Word document.

These phishing emails appear to be targeting corporate executives and government agencies. The original ObliqueRAT malware was first detected a year ago and made use of Word document attachments a little differently from the newer version of this malware. However, it could still be using the original attack vector on some enterprises. In these attacks, the attached Word document seems valid with a relevant title. It is possible that the criminals have obtained a list of common Word attachments received by those they target and are simply emulating these. Within the accompanying emails is a password to use for opening the attached document. This might make a victim more likely to think the document is legitimate.

Typing in the password, however, releases the malware, which then establishes itself in the startup procedure so that it runs with every reboot. Upon reboot, the malware ensures that no other instance of itself is running and then begins to gather information on the infected device. It sends this information back to the C2 in this format.

The attackers have probably done an initial scan of the network and determined which computers they did not want to infect. There is no clear reason why the malware does this, but the attackers might have already determined that some computers contained sandboxes or specific antivirus protection, or were previously infected. When all is well, the C2 sends back a command, in effect, telling the malware what it needs to do.

It is not clear who is behind this new attack, but the original attack was believed to be organized by a Pakistani hacking group known as Transparent Tribe. Transparent Tribe is believed to have links to the Pakistani government. If this is true, then they have the funding necessary to organize more sophisticated attacks than most hacking groups.

The upgrade to ObliqueRAT is now making use of image files, but not as attachments. The attachments continue to be valid-looking Word documents, but clicking on them takes the victim to a compromised website that contains a BMP image. The malware seeks out the BMP file when the victim is directed to the page and extracts a zip file hidden within that image. It then downloads and opens the file. Once the zip file is opened, the malware is released. Here is how the Cisco Talos research team depicts the attack.

The problem with steganography is that it is very difficult to detect. Your browser is not going to warn you that an image on a site you navigated to may contain malicious code. I’m not saying building such a browser is impossible, but even if some sort of steganalysis add-on were included in a browser, it would slow browsing to a crawl, as each image on a page would have to undergo an analysis of its underlying code to see if there were inconsistencies indicating the image may have been manipulated. False positives would also likely occur and trigger a message that the page is unsafe, causing even more confusion.
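As an added illustration, not code from the original post or from the Talos report, here is the kind of check a defender can run on a BMP fetched from a web page: it parses the BMP header, compares the declared file size with the actual size, and scans for a ZIP local-file-header signature. It assumes the hidden archive is stored as raw bytes appended to or embedded in the file (one common way tools hide a ZIP in a BMP); the sample BMP is constructed inline.

```python
import struct
from typing import Dict

# Local file header signature that opens every ZIP archive.
ZIP_SIG = b"PK\x03\x04"


def build_bmp(width: int, height: int, pixel: bytes = b"\x00\x00\x00") -> bytes:
    """Build a minimal 24-bit BMP. Constructed test data, not a real sample."""
    row = pixel * width
    row += b"\x00" * ((4 - len(row) % 4) % 4)  # BMP rows are padded to 4 bytes
    pixels = row * height
    header_size = 14 + 40  # file header + BITMAPINFOHEADER
    file_header = b"BM" + struct.pack("<IHHI", header_size + len(pixels), 0, 0, header_size)
    dib_header = struct.pack(
        "<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0
    )
    return file_header + dib_header + pixels


def inspect_bmp(data: bytes) -> Dict[str, object]:
    """Flag a BMP that carries bytes beyond its declared size or a ZIP signature.

    Assumption: the payload is raw bytes inside the file. A payload spread
    across pixel low-order bits (LSB steganography) would not be caught here.
    """
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", data, 2)[0]
    trailing = max(len(data) - declared_size, 0)
    zip_offset = data.find(ZIP_SIG)  # -1 when no ZIP signature is present
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "trailing_bytes": trailing,
        "zip_signature_offset": zip_offset,
        "suspicious": trailing > 0 or zip_offset >= 0,
    }


if __name__ == "__main__":
    clean = build_bmp(4, 2)
    # Constructed sample: a fake ZIP header plus filler appended to a clean image.
    tainted = clean + ZIP_SIG + b"A" * 20
    for name, blob in (("clean", clean), ("tainted", tainted)):
        print(name, inspect_bmp(blob))
```

A forged header can declare a size that covers the appended data, which is why the signature scan runs alongside the size check; neither test replaces proper steganalysis for pixel-level hiding.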

Another attractive attribute of steganography, at least for hackers, is that it is so easy to use. There are a number of online sites and tools that will allow you to put just about any digital file into another. Sound files can be hidden in pictures, pictures can be hidden in sound files, and text messages can be hidden in either and could easily be used to convey secret plans to another person. There is, however, no universal decryptor. You can’t send an encoded message in an image to someone unless they are using the same software to decode it, since every steganography program has its own encryption-decryption algorithm.

As the graph below shows, there has been a steady rise in steganography-based attacks in recent years, likely due to the ease of using this vector and the difficulty of detecting its use.

ObliqueRAT’s use of website images to trigger malware is a novel and extremely dangerous vector that has yet to be fully utilized by bad actors. The attack now seems concentrated in South Asia, especially India, but I have no doubt that other major threat actors will find this vector useful in their future attacks. Nation-states will certainly use this approach to penetrate corporate and government networks by compromising endpoints. At the moment, the best protection against a steganography attack is state-of-the-art endpoint protection that puts a hardware barrier between the endpoint and the network it is connected to (see Inzero Technologies).

The Cisco Talos team points out a possible connection to RevengeRAT, which is operated by Iranian hackers. This may be only the beginning. There is no reason to believe that only executives need to worry, since good hackers can penetrate a network through any endpoint. This attack vector can be thwarted by being careful with apparent Word document attachments, even those which come with passwords and seem to come from valid, trusted sources. You can always download the file and then let a virus detection site, such as VirusTotal, open it for you. Just don’t click on the downloaded file. On the virus detection site, you will be given the option of uploading the file. The results should give you an indication of how clean the document is. If the attached document seems to come from someone you know, it doesn’t hurt to give them a call and confirm they sent you a file.

And remember. Pictures aren’t innocent. Take the same precautions if you are sent pictures or photos as attachments because sometimes photos may come with a lot more than just memories.
