What is Steganography in Cybersecurity? Detecting Hidden Malware

Steganography involves the purposeful concealment of information. While steganography can have different uses in cybersecurity, many of which are not harmful, it can also often be used by threat actors who hide malicious content within files that otherwise seem safe (such as text or images). This sometimes occurs as part of a larger attack, and it can often be difficult to spot.

In this guide, we’ll go over the different types of steganography in cybersecurity, how it works, examples, how to detect and prevent it on your website, and more.

What are the 5 types of steganography?

Steganography is an incredibly versatile strategy that takes numerous forms. Which type largely depends on the threat actor's goals and whether this behavior is related to a larger attack. Despite its far-reaching nature, these tactics tend to fall within a few main categories:

1. Text steganography

Meant to conceal messages within text, this common form of steganography may involve purposeful typos or even punctuation that encodes information. A common example? Secret information hidden within large amounts of seemingly blank space at the end of a text string.

2. Image steganography

This increasingly common steganography tactic occurs when messages are embedded within digital images. The image selected for the purposes of steganography is known as the cover image, while the version containing a concealed message may be referred to as the stego image.

This steganography strategy is difficult to pinpoint, in part because the human eye is bad at distinguishing minor changes involving image noise or color. The practice of hiding secret data in images is primarily accomplished using a method known as “least significant bit," in which each pixel's smallest and easiest-to-miss parts are replaced with bits from the hidden information.

3. Audio steganography

Frequencies, amplitudes, and many other audio properties can be modified to encode hidden messages. Since the human ear can only hear sound at certain frequencies, data can be transmitted at imperceptible ranges that can be detected by listening devices such as smart speakers and mobile phones.

Audio-based steganography calls for a highly nuanced approach, as messages that are excessive in length may distort the sound of the cover audio, thereby making the concealment easier to detect. For this reason, it is common practice to pair this approach with a stream cipher (involving bit-by-bit encryption) before the message is embedded.

4. Video steganography

As a sophisticated version of image steganography, the video-oriented version involves hidden data within video frames. This strategy largely relies on pixel value modification (resembling the aforementioned “least significant bit” method) to obfuscate data.

A 2023 report published in Multimedia Tools and Applications warns that this method will become far more common in years to come, as "the features of video sequences including high capacity as well as complex structure make them more preferable for choosing as cover media over other media such as image, text, or audio."

5. Network or protocol steganography

Network packet payloads can be used to sneak data and information past computer systems and software. The main goal is to make covert communication more difficult to detect. As the International Journal of Innovative Research in Technology points out, network protocol steganography relies on the "reserved and unused bits of the protocol fields and header fields" as well as covert channels such as storage and timing channels.

Difference between steganography vs. cryptography

Steganography and cryptography are very different, but there are some similarities that can lead to confusion. Cryptography centers around an encoding and decoding process that involves cryptographic keys. Meanwhile, steganography aims to hide a particular message within content rather than strictly encoding it.

Essentially, while the content is concealed (and thus no one knows it is there) with steganography, with cryptography the content is in an unreadable format (but one does know it is there).

How steganography works

The concept of steganography may seem simple, but putting this into place calls for extensive technical skills. From the hacker's perspective, this process begins with concealing malicious payloads while embedding malware within innocent-looking files. For example, malware could potentially be embedded within CSS files. Likewise, malicious code can be embedded within pixel data.

With malicious steganography, the other major goal is to avoid detection. Hackers must bypass a variety of security measures, such as VPNs.

A central use of modern malicious steganography: data exfiltration, in which malicious players complete unauthorized transfers of data. By utilizing steganography techniques, bad actors can hide sensitive information within seemingly ordinary files, which they can then disseminate.

Examples of steganography

Steganography has started to receive a lot more attention from cybersecurity professionals, business leaders, and even ordinary individuals. Here are common forms of steganography to know:

• Least significant bit (LSB). As a simple method designed to embed data within image files, LSB involves the last bit of the pixel, which can be modified so that the data bit from the secret message is included.
• Bit-plane complexity segmentation (BPCS). Another common strategy for hiding data within image files, BPCS overcomes many of the weaknesses of LSB, such as issues with compression. With BPCS, one hides the secret data within the complex regions of an image. The complex regions appear as noise to humans; thus, it is possible to alter as much as 50 percent of the image before the changes are perceptible to the human eye.
• Frequency manipulation. This tactic involves hiding the data in frequency ranges that are inaudible to humans.

High-profile incidents

While the insidious nature of steganography means that successful attacks regularly take place without attracting any significant attention, there have been many high-profile situations over the years. A few notable examples include:

• In 2022, hackers spread malware to several Middle Eastern governments through an image of the old Microsoft Windows logo. The image was hosted on the popular file repository site Github, where users downloaded the file without knowing it was infected with malware.
• Russian cybercriminals used WAV files to install backdoor crypto-mining software onto infected computers. These sound files did not have any noticeable audio glitches or any other sign that they were part of an elaborate steganography scheme.
• The US Department of Justice broke up a Russian spy ring that used hidden messages embedded within images on public websites to communicate back and forth in secret. These messages were used to plan meetups as well as pickups for cash and computers used in the scheme.

Implications and consequences

Steganography is uniquely dangerous because it is so difficult to detect and understand. Unfortunately, today's most sophisticated malicious steganography tactics can bypass some of our strongest security frameworks.

The implications of this increasingly prevalent threat cannot be overstated. Malware spread through steganography can have wide-ranging and long-lasting impacts on businesses, as well as their employees and customers. Financial losses stem from the stolen data and lost productivity. This can also cause dramatic damage to brand reputation, especially if businesses are unable to promptly bring attacks to an end.

In light of these risks, advanced and comprehensive cybersecurity strategies are more important than ever. Businesses require proactive solutions that allow them to stop steganographic attacks and other operations in their tracks — or, at least, to mitigate these situations more efficiently and effectively.

Detecting steganography

When steganography is built into attacks, swift detection becomes all the more important given the covert nature of this strategy. While this is challenging, it's certainly not impossible. From visual analysis to automated tools, there are many opportunities to detect steganography — and new solutions are consistently being developed or uncovered.

Common detection techniques

There are a few tried-and-true methods for detecting steganographic techniques in media files. The main approach involves manually inspecting the file for common warning signs. For example, steganography is more likely at play if the file size of a basic image seems abnormally large.

Text files can be inspected by looking for any unfamiliar patterns of characters or an abnormal amount of blank space in the document. In most cases, however, these basic strategies will not be sufficient for uncovering today's more advanced steganographic techniques.

Audio steganography can be detected using software that can focus on specific frequency ranges. Once these ranges are scrutinized, it may quickly become apparent that a hidden message is being broadcasted at a frequency outside the range humans can hear.

Signature-based detection is a well-known and consistently reliable strategy that involves examining network traffic before comparing and contrasting it against known signatures. If anything resembles known attacks, it can be flagged, and often, avoided altogether.

Advanced detection methods

Steganalysis aims to upend steganography schemes by detecting and extracting hidden data. Common steganalysis tools and techniques include:

• Format analysis centered around the metadata and internal structures of specific files
• Statistical analyses that dive into file properties to reveal deviations or anomalies

With advancements in artificial intelligence and machine learning coming at a rapid pace, information security experts are hoping it can help in the fight against covert communications. As these AI systems learn, they will hypothetically be able to detect hidden information in audio, video, and text files. Unfortunately, the flip side of this scenario could result in AI that is smart enough to produce steganographic files itself.

Best practices for website owners

As the scope of cybercrime continues to expand, it will be more vital than ever that baseline protection is provided, plus opportunities to mitigate attacks quickly. Essential steps include:

• Routine cybersecurity audits can give owners an idea of the strengths and weaknesses of their IT security setup.
• Malware scans are crucial and, if malware is found, prompt cleanup and mitigation must occur. Malware removal solutions should be dispatched immediately — before the infection spreads.
• Intrusion detection systems should be in place to monitor network traffic for anything out of the ordinary.
• Educating users on what steganography is and how it can be used in cyberattacks will give them an added level of caution when downloading files or viewing sites.
• Regularly backing up data — both to a cloud service provider and to physical, off-network hard drives — can act as a valuable safeguard if data is corrupted or stolen.

Preventing steganographic cyberattacks

Steganographic attacks are as difficult to prevent as they are to detect, but a proactive approach is always preferable. With a properly educated workforce, along with the most up-to-date tools and software available, these hidden data attacks can be kept at bay.

Strengthening security measures

A layered and comprehensive approach to security is crucial, especially given the far-reaching nature of modern steganography. Keeping virus and malware detection software up-to-date with the latest patches and virus definitions will ensure that networks remain up to speed.

Employee training

Chances are, most employees know little about steganography. If properly trained, however, they can be one of the most powerful lines of defense against these attacks. For example, if users know that a seemingly harmless-looking JPEG image could contain malicious code, they’ll think twice before downloading it.

Network traffic monitoring

By gathering and analyzing both incoming and outgoing traffic, it's easier to recognize when abnormalities exist. If a large image file is detected making its way through the network, it could have hidden data embedded in it. In this situation, it would be preferable to find and inspect this potential file before it can potentially cause damage.

Partner with SiteLock for all your website security needs

As cyber threats grow increasingly common and increasingly sophisticated, there is an urgent need for comprehensive security strategies that address the full range of risks.

A proactive approach is essential for all businesses. Thankfully, you can cover your bases with help from SiteLock. Our plans provide powerful peace of mind through daily scanning, automatic malware removal, and backup services. Reach out to learn more about our solutions.

Image by Pexels from Pixabay