Steganography Attacks: Understanding The World's Next Greatest Cyber Threat

On the eve of New Year's 2018 I remember writing a threat analysis predicting the rise of weaponized Microsoft Word documents and PDFs for use in cyber-attacks around the world within the year and months to come, predictions which soon became reality – and it was no surprise. After all, for whatever reason, in my particular line of work I happen to come across a lot of unique information and/or deal with many unique “characters” – both people and experiences few get the chance to see. Consequently, this also happens to give me a unique perspective on “the news” and different “cyber trends” occurring around the world that few can appreciate or understand. It is for this reason that I write this article here today, describing what I think will surely become the world's next most advanced and/or “infamous” cyber threat, campaign or strategy: steganography attacks in the form of weaponized memes. More specifically, weaponized political memes.

The thing about it is though, I don’t exactly know when it will hit – though if I had a guess I would say some point in the month of May 2019, in the days/weeks leading up to the EU elections. If not then, they should certainly start hitting around December 2019 – January 2020, when the next US Presidential election/debate season is officially set to kick off. I say this because not only do I tend to have a nose for these sorts of things, but also because I’ve been talking with a large number of hackers recently who have all begun developing steganography attacks of their own. One hacker for example, who shall remain nameless, has actually invented a 0day for the Tor browser using these very strategies/techniques.

What is Steganography & Cryptography?

“Steganography” may be simple for me or people who regularly read my articles to understand, but truth be told it is a word/term so new that both WordPress and Microsoft Word don’t even recognize it as a real word. That’s how much of a 🤓 concept it really is. Put most simply, steganography is a means of concealing a message, or in this case the source code of a file, within individual pixels found within an image. For example, the picture below is approximately 533 pixels wide x 366 pixels tall, and somewhere encoded within all of those pixels you can most likely find a message 😉. I also use “Cicada 3301” as an example because, despite its relative ambiguity, it still remains perhaps the world's most famous example of “cryptography” and steganography techniques in use today – the two techniques central in all the attacks described below.

[Image: Cicada 3301 original puzzle image]
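To make the pixel-level hiding described above concrete, here is an added example (not code from the original post or from any of the actors it mentions): classic least-significant-bit embedding on a constructed channel buffer, a round-trip extract, and a crude triage check a defender can run on decoded pixels. The cover gradient, the message and the check's byte count are assumptions for illustration.

```python
# Added example, not from the original post: least-significant-bit (LSB)
# steganography on a constructed channel buffer plus a cheap triage check. Pure
# Python, no image library; a decoded PNG gives the same flat list of 0..255
# values (PNG is lossless, so one-bit changes survive; JPEG would scramble them).

def embed(cover, message):
    """Hide `message` (bytes) in the LSBs of successive channel values,
    prefixed by a 4-byte big-endian length so extract() knows where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = list(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # touch only the lowest bit
    return stego

def read_lsb_bytes(values, start, count):
    """Reassemble `count` bytes (MSB first) from the LSBs of values[start:]."""
    out = bytearray()
    for b in range(count):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (values[start + b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)

def extract(stego):
    """Inverse of embed(): read the length header, then that many bytes."""
    length = int.from_bytes(read_lsb_bytes(stego, 0, 4), "big")
    return read_lsb_bytes(stego, 32, length)

def max_channel_delta(a, b):
    """Largest per-channel change; LSB embedding never exceeds 1, which is
    why the stego picture looks identical to the eye."""
    return max(abs(x - y) for x, y in zip(a, b))

def looks_like_ascii_stream(values, nbytes=16):
    """Crude triage check: a sequential LSB payload of text or commands has
    the top bit of every byte clear; natural pixel noise triggers this falsely
    with probability only about 2**-nbytes. Assumed threshold, not a standard."""
    return all(byte < 0x80 for byte in read_lsb_bytes(values, 0, nbytes))

# Constructed cover: a 16x16 RGB gradient (768 channel values), not a real image.
COVER = [(i * 37 + 11) % 256 for i in range(16 * 16 * 3)]
SECRET = b"constructed test message"
```

Running `extract(embed(COVER, SECRET))` returns the message, `max_channel_delta` reports a change of 1, and the triage check flags the stego buffer but not the untouched cover.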

Getting back on point, truth be told, I actually point to an “anomaly” event which occurred just before Christmas 2018 as the base reason why I am writing this analysis here today. While the attack itself may have only lasted for a couple of days, it has continued to stand out to me for many reasons ever since – even more so lately. For those of you who might not remember or weren’t paying attention at the time, I am talking about the discovery/use of weaponized memes across social media/Twitter – a phenomenon which only struck for a brief time around mid-December 2018.

How The Attacks Work

Regardless of the time frame, the attacks all seem to function in the same base manner, requiring only a click from the victim – which automatically uploads a .exe file containing a malware sample onto the host's computer. To date, Rogue Security Labs has uncovered 3 different variants of these exploits/attacks. The first loads a “Remote Code Execution” (RCE) malware script allowing for remote takeover of the victim's device, the second executes a “Remote Access Trojan” (RAT) directly onto the user's device for future use and lastly, the 3rd variant simply installs a script allowing for screenshots to be taken/exported from the victim's device at any time – theoretically allowing hackers to see anything the victim sees on their device, even if they can't access the device's other functions directly.

As researchers at Trend Micro were quick to point out in December, “the use of Twitter as a means to spread malicious code is nothing new.” For example, “cybercriminals have been embedding malicious code in image files, often distributing them in email malspam campaigns for nearly a decade.” What is new however is the fact that “this is the first instance to date that solely utilized memes for distribution, which are viral by nature,” thus reaching a greater number of people – especially on social media venues such as Twitter.

Learn More – Trend Micro’s Threat Report, Malware-Laced Memes On Twitter 12/14/2018:

⚠️Consider Yourself Warned⚠️

It’s important to note that steganography attack variants have been found on both .JPEG and .PNG files, though they primarily appear to be executed via PNG files – which are generally larger in size and contain much more data, perhaps concealing the malicious payloads even better. But that is just a guess on my part. It’s also important to understand that only a simple click of a picture is enough to trigger the malware payload; no direct download of the file/picture is required. I should also specify that simply viewing an infected Tweet or seeing a malicious picture on your timeline is not enough to trigger the malware. Rather, the picture or the Tweet containing the picture must be clicked on or engaged with directly first.

For the purposes of this article, it should also be noted that not only did these attacks leverage memes, but also weaponized versions of Taylor Swift pictures circulating online – theoretically making any picture on the web dangerous to internet users in the future. The interesting thing about it though, at least to me, was the fact that after the week of December 18th 2019, the attacks seemed to disappear from the internet almost entirely. At least until last month, that is.

Learn More – Trend Micro’s Investigation Into OceanLotus’s (APT32) Use of Steganography Attacks 4/02/2019:

Before moving forward you have to ask yourself the question: why do you think that is? If the attacks were so successful, why just abandon them entirely? Even Trend Micro alluded to this “paradox” by noting that “still unknown is the identity of the hackers, including their intentions. However, researchers note there are some indications that this may have been an experiment.” This is a conclusion I’ve also independently arrived at.

As I maintain, the attacks of December 2018 were merely a test run of sorts – in preparation for a much larger campaign/attack to be launched at some point in the future. Say, for example, around the 2019 EU elections next month or the 2020 US Presidential elections next year, when internet traffic figures the world over are almost certain to skyrocket like they once did in 2015/2016? If I had any guess, I would almost certainly assume this to be the case, especially given all of the political/civil controversy elections naturally manifest, ultimately allowing internet trolls, memes and threat actors such as Russian propagandists to flourish.

How/Why Did I Arrive At That Conclusion?

Truth be told, I bring this up today because I keep hearing more and more rumblings about steganography attacks in underground circles around the web. For example, just last month in March 2019 I made contact with a hacker actively engaged in a DarkNet operation designed to trap pedophiles online. More specifically, their operation centers around loading a jail-bait picture with an RCE malware sample hidden in its pixels which automatically triggers/uploads any time that photo is clicked – allowing for RCE of devices even when they are running through Tor. In essence, the hacker has actually developed a viable Tor 0day – theoretically worth millions. The hacker in question has even sent me a video of the malware sample in action, validating its effectiveness as a Proof-of-Concept (PoC).

Then, just last week, “CYB3R C0V3N SECURITY” shared a malware sample developed by a security researcher known as “Fumik0” that had been posted to GitHub days beforehand – essentially an open-source tutorial on how to “encrypt” any PNG picture/file with a malware script injected into a 0x0 pixel.

More recently than that, just last night “Qurlla” of New World Hackers randomly told me that he was the victim of a weaponized .PNG sent to him on his Discord channel. If not for his anti-virus flagging the malware, he would never have known he was targeted or that it was there – and I’m certain he wasn’t alone. Point being, outside of last December's meme attack, general “chatter” surrounding steganography attacks appears to be snowballing and building up an unusually large amount of steam over recent days/weeks – which is why I am writing this threat analysis here today.

Wouldn’t you also know it? The EU election season is now officially set to kick off for the first time 1 month from now to the day. Think this is any coincidence? 🤔 I for one do not think so. However, even if it is, who's to say that weaponized meme attacks won't begin targeting internet users later this year during the buildup to the US elections? Consider yourselves warned, plan accordingly.