The reason hackers and cybercriminals are so successful is that they continue to evolve and find new ways to trick, deceive, and defraud the public. One way is through image steganography: hiding malware or other malicious code inside images or social media icons.
Image steganography is when someone hides malicious code within an otherwise innocent image file. It is a clever but devious way of hiding in plain sight, and unfortunately, it is incredibly hard for anti-malware software to detect, which is why more hackers are using this method.
Scammers infect images hosted on free services to legitimize the photos and make the victim feel comfortable opening the files. The use of image steganography has increased by 600% in recent years.

It’s actually pretty easy for hackers to hide undetected code within an image file. A standard image file contains quite a few megabytes of data that construct the image on a screen. That makes it easy for someone to replace only a few pixels, which won’t alter the image to the human eye. When the user clicks, however, the code initiates a process that usually infects their device.
Sometimes the code simply calls another process from a remote server that delivers the payload. Sometimes, the code itself is enough to infect the computer and render the victim helpless. The simplicity makes it easy to use but limited in terms of volume. Hackers typically like to attack as many victims as possible at once.
Some image steganography kits are available on the dark web, so novice hackers don’t even need to code anything themselves; they just drag and drop to start waging their own attack campaign.
Recently, cybercriminals used code hidden in favicons to install a backdoor Trojan in advertising banners on legitimate websites.
Trend Micro reported that hackers used LokiBot and image steganography to attack victims by stealing information for identity theft and keylogging their PINs and passwords. LokiBot uses two files. The first is a jpg file, which then initiates an exe file, which then runs a Visual Basic script, and from there, the damage begins.
Threatpost talked about incidents last week where cybercriminals were hiding credit card skimmer malware within social media buttons. These icons were uploaded and replaced valid images on legitimate online storefronts. Since these images appeared on pages where shopping cart data was entered, it was easy for the code to harvest names, addresses, credit card numbers, PINs, and more just by infecting the page. In this particular case, hackers took the time to make the buttons look as high-quality and legitimate as possible to evade detection. They even took the time to name the files convincingly (e.g., facebook_full, google_full, etc.). Sansec security posted this about the incident:
“While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image. The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element.”
Alarmingly, victims don’t even have to click the buttons for this scam to work. They only have to make a purchase online at one of the compromised websites, and their data is stolen.
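For storefront owners auditing their own pages, the following added example (not code from Sansec or from the original article) parses every `<path>` element in a page and reports any whose `d` attribute is not well-formed SVG path data. It is a heuristic, not a signature: the article does not give the skimmer's encoding, and a payload that is itself grammatical path data would pass. The function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

NUMBER = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")
FLAG = re.compile(r"[01]")  # arc large-arc/sweep flags are single digits
SEP = re.compile(r"[\s,]*")
# Arguments consumed per repetition of each SVG path command.
ARITY = {"m": 2, "l": 2, "h": 1, "v": 1, "c": 6, "s": 4, "q": 4, "t": 2, "a": 7, "z": 0}

def _complete(cmd, argc):
    n = ARITY.get(cmd)
    return n is None or (argc == 0 if n == 0 else argc > 0 and argc % n == 0)

def path_problem(d):
    """Return why d is not well-formed SVG path data, or None if it parses."""
    pos, cmd, argc = SEP.match(d).end(), None, 0
    while pos < len(d):
        if d[pos].lower() in ARITY:
            if not _complete(cmd, argc):
                return f"wrong argument count for '{cmd}' before offset {pos}"
            cmd, argc, pos = d[pos].lower(), 0, pos + 1
        else:
            m = (FLAG if cmd == "a" and argc % 7 in (3, 4) else NUMBER).match(d, pos)
            if m is None or cmd is None:
                return f"unexpected text at offset {pos}: {d[pos:pos + 20]!r}"
            argc, pos = argc + 1, m.end()
        pos = SEP.match(d, pos).end()
    return None if _complete(cmd, argc) else f"path ends inside a '{cmd}' command"

class SvgPathAudit(HTMLParser):
    """Record (line, reason) for each <path> whose d attribute fails to parse."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        reason = path_problem(dict(attrs).get("d") or "") if tag == "path" else None
        if reason:
            self.findings.append((self.getpos()[0], reason))

def audit(html):
    parser = SvgPathAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the ids reuse the file names quoted in the article.
SAMPLE = """<html><body>
<svg id="facebook_full"><path d="M9 8H6v4h3v12h5V12h3.6l.4-4h-4V6.3c0-1 .2-1.3 1.1-1.3H18V0h-3.8C10.6 0 9 1.6 9 4.6z"/></svg>
<svg id="google_full"><path d="M12 2 L3 9 PLACEHOLDER_NON_PATH_TEXT 7 7z"/></svg>
</body></html>"""
```

Calling `audit(SAMPLE)` reports only the second icon, with the line number and the offset where the path data stops parsing.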
This type of deception is so minimalistic that cybersecurity experts often overlook it, and most anti-malware software solutions miss it as well.
McAfee commented that “Steganography in cyber attacks is easy to implement and enormously tough to detect, so cybercriminals are shifting towards this technique.”
Kaspersky Labs added, “Most modern anti-malware solutions provide little, if any, protection from steganography. As a result, any ‘carrier’ such as a digital image or a video file that can be used to conceal stolen data, or communications between a malware program and a command and control server, poses a potential threat.”
Although there is no way to be 100% safe against this type of attack, you can do a few things.
Always be on the lookout for fraud, identity theft, and malicious activity.