Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Стеганография
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Стеганография
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Obfuscated Files or Information:  Стеганография

ID Название
.001 Добавление в бинарный файл незначащих данных
.002 Упаковка ПО
.003 Стеганография
.004 Компиляция после доставки
.005 Удаление индикаторов компрометации из вредоносных инструментов
.006 Скрытая передача через HTML
.007 Динамическое разрешение API
.008 Перевод полезных нагрузок в трудночитаемый формат
.009 Встроенные полезные нагрузки
.010 Command Obfuscation
.011 Fileless Storage
.012 LNK Icon Smuggling
.013 Encrypted/Encoded File
.014 Polymorphic Code
.015 Compression
.016 Junk Code Insertion
.017 SVG Smuggling

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)

ID: T1027.003
Относится к технике:  T1027
Тактика(-и): Defense Evasion
Платформы: Linux, Windows, macOS
Источники данных: File: File Metadata
Версия: 1.2
Дата создания: 05 Feb 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
PowerDuke

PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).(Citation: Volexity PowerDuke November 2016)

Pikabot

Pikabot loads a set of PNG images stored in the malware's resources section (RCDATA), each with an encrypted section containing portions of the core Pikabot core module. These sections are loaded and decrypted using a bitwise XOR operation with a hardcoded 32 bit key.(Citation: Zscaler Pikabot 2023)
Avenger

Avenger can extract backdoor malware from downloaded images.(Citation: Trend Micro Tick November 2019)
PolyglotDuke

PolyglotDuke can use steganography to hide C2 information in images.(Citation: ESET Dukes October 2019)
RegDuke

RegDuke can hide data in images, including use of the Least Significant Bit (LSB).(Citation: ESET Dukes October 2019)
ProLock

ProLock can use .jpg and .bmp files to store its payload.(Citation: Group IB Ransomware September 2020)
RDAT

RDAT can also embed data within a BMP image prior to exfiltration.(Citation: Unit42 RDAT July 2020)

Okrum

Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file.(Citation: ESET Okrum July 2019)
Diavol

Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.(Citation: Fortinet Diavol July 2021)

Raindrop

Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.(Citation: Symantec RAINDROP January 2021)
IcedID

IcedID has embedded binaries within RC4 encrypted .png files.(Citation: Juniper IcedID June 2020)
ObliqueRAT

ObliqueRAT can hide its payload in BMP images hosted on compromised websites.(Citation: Talos Oblique RAT March 2021)
Bandook

Bandook has used .PNG images within a zip file to build the executable. (Citation: CheckPoint Bandook Nov 2020)
LiteDuke

LiteDuke has used image files to hide its loader component.(Citation: ESET Dukes October 2019)
ABK

ABK can extract a malicious Portable Executable (PE) from a photo.(Citation: Trend Micro Tick November 2019)
Invoke-PSImage

Invoke-PSImage can be used to embed a PowerShell script within the pixels of a PNG file.(Citation: GitHub Invoke-PSImage)
Ramsay

Ramsay has PE data embedded within JPEG files contained within Word documents.(Citation: Antiy CERT Ramsay April 2020)
build_downer

build_downer can extract malware from a downloaded JPEG.(Citation: Trend Micro Tick November 2019)
BBK

BBK can extract a malicious Portable Executable (PE) from a photo.(Citation: Trend Micro Tick November 2019)
Tropic Trooper

Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.(Citation: TrendMicro Tropic Trooper May 2020)
MuddyWater

MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.(Citation: ClearSky MuddyWater Nov 2018)
Leviathan

Leviathan has used steganography to hide stolen data inside other files stored on Github.(Citation: CISA AA21-200A APT40 July 2021)
BRONZE BUTLER

BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.(Citation: Trend Micro Tick November 2019)
APT37

APT37 uses steganography to send images to users that are embedded with shellcode.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)
Andariel

Andariel has hidden malicious executables within PNG files.(Citation: MalwareBytes Lazarus-Andariel Conceals Code April 2021)(Citation: Kaspersky Andariel Ransomware June 2021)
TA551

TA551 has hidden encoded data for malware DLLs in a PNG.(Citation: Unit 42 TA551 Jan 2021)
Earth Lusca

Earth Lusca has used steganography to hide shellcode in a BMP image file.(Citation: TrendMicro EarthLusca 2022)

Обнаружение

Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.

Ссылки

  1. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  2. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  3. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  4. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
  5. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  6. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  7. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  8. Park, S. (2021, June 15). Andariel evolves to target South Korea with ransomware. Retrieved September 29, 2021.
  9. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  10. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  11. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  12. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  13. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  14. Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.
  15. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  16. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  17. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  18. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
  19. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  20. Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.
  21. Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.
  22. Jazi, H. (2021, April 19). Lazarus APT conceals malicious code within BMP image to drop its RAT . Retrieved September 29, 2021.
  23. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  24. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  25. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  26. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.