Protect Users and Networks from Malware Hidden in Images and Attached Files

Posted on May 4, 2022



Steganographic attacks conceal malware within innocent content, in ways that AV/firewalls cannot detect

Steganography – stego, for short – is the art of hiding messages or code in innocent objects, files, or text. Unlike encryption, steganography does not announce itself. Since there is nothing that flags the image or object as containing additional data – no hex-encoded strings or bulky lookup tables – antivirus and other technologies pay it no heed. As a result, steganography is increasingly being used to conceal and deliver ransomware attack code, malicious JavaScript, downloaders, and even entire rootkits.

A classic example of a steganography-enabled attack involves malicious data concealed within an image, without changing the appearance of the image or increasing the file size. Sophisticated approaches involve manipulating individual pixels of an image to contain steganographic data. A complete file can likewise be attached to an image using, for instance, a RAR archive format, which is ignored by image display applications but can be easily extracted by a malicious actor or program.

Images are most frequently used for steganography, but other kinds of files, including Excel, Word, HTML, and even network protocol files, can be manipulated to conceal steganographic data. In a variation on in-image concealment, white PNG files may be used to conceal explicit code.

Steganography Attack Mechanisms

In some instances, clicking on an image containing steganographic code is sufficient to activate the code or to signal the hacker that an access channel is available to the endpoint. More often, the steganography delivers just part of the payload, which is only extracted and utilized when the image is processed.

For malicious code hidden in attached documents, PowerShell and Bash scripts are used to automatically launch the attacks as soon as the documents are opened.

Protecting Against Steganographic Threats

Traditional scanning technologies such as antivirus are powerless to detect steganography since the code is hidden within – and indistinguishable from – legitimate code. Barring access to all images and attachments can protect organizations but is impractical and degrades the user experience. Steganography attacks can be foiled, however, by scrambling hidden content and disabling embedded malicious scripts, provided that image fidelity and desired native file functionality can be maintained.

Remote Browser Isolation (RBI) accomplishes just that. When a user visits a website, all content including images is opened by a virtual browser located in a hardened, isolated, short-lived container in the cloud, as are attachments downloaded from emails or websites. RBI executes all code – malicious and benign – within the container, where it cannot access the end user machine or the information it holds.

Sampling and compression techniques are used to create safe rendering data that accurately represents the site content, including all images and functional elements, and is transmitted to the user’s browser. Users can interact with the site fully via their regular browser (and, behind the scenes, a virtual browser located in the isolated container). Hidden code within images or other site elements that may contain malicious content, however, is not faithfully rendered when RBI is used in secure frame mode, and is thus neutralized of any threats it may contain.

In RBI solutions that provide integrated content disarm and reconstruction (CDR) capabilities, attachments are also routed to the hardened, isolated container. There, the files are examined for malware which, if detected, is disarmed. The document or other attachment is then reconstructed using similar techniques to those leveraged by RBI, with similar results: Extraneous code, even if it is well hidden and not identifiable as malicious, is omitted or broken, neutralizing threats from steganographic attacks.

Once the user stops browsing or after a specified period, the isolated container is destroyed along with all website content and attached files within, ensuring that malicious content, including steganography, cannot reach the user device.

ZTEdge: Granular Control, Outstanding User Experience and Strong Steganography Protection

In addition to providing seamless CDR integration, sophisticated RBI solutions such as ZTEdge Web Isolation further strengthen the hardened containers by leveraging low-privilege user accounts, strictly limiting their lifespans, and using read-only file systems. Containers are Linux-based to ensure they’re protected from Windows attacks.

ZTEdge policy-based controls enable admins to vary permissions by user group, individual user, site characteristics or other parameters. For instance, file downloads may be entirely barred for sites with newly registered domain names or from social media sites for some user groups, while permitted for others whose work entails social media use.

For more information about protecting your users and organization against steganography – as well as phishing and ransomware attacks, zero-day exploits, and data loss – download the Steganography Defense datasheet or request a ZTEdge demo.


How Steganography Works

For illustrative purposes, let’s look at one steganographic technique by which malware might be hidden in the code of an image, and why images are ideal for this purpose.

Images leverage non-executable file formats to store compressed data. To display an image, a browser uncompresses the file as it is loaded and creates the image, pixel by pixel, based on the data. Each individual pixel, however, can store more information than is actually needed to create a good representation of the image.

[Image credit: SentinelOne]
For instance, for colors that are represented using three bytes – for red, blue and green – the final four bits of each color can be used to indicate fine differences in color. These differences, however, have little or no impact on how users perceive the image. As such, a malicious actor can insert data or code in those bits without degrading the image, in a way that is transparent to an antivirus solution. And a purpose-built program will be able to read that data and use it as needed.
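The following added example (not code from the original post or from Ericom's products) illustrates both the low-nibble concealment described above and the reconstruction idea from the RBI/CDR section: it rewrites the low four bits of every colour channel with random values, which changes each channel by at most 15 of 255 yet destroys anything stored there. It works on raw RGB channel bytes rather than a real image file, and the carrier buffer and marker string are constructed for the demonstration.

```python
import secrets

LOW_BITS = 4                     # the text's example: the low nibble of each channel
LOW_MASK = (1 << LOW_BITS) - 1   # 0x0F
HIGH_MASK = 0xFF ^ LOW_MASK      # 0xF0


def low_nibbles_to_bytes(channels: bytes) -> bytes:
    """Read back whatever sits in the low nibble of consecutive channel bytes.
    Two channel bytes yield one byte (high nibble first). A defender uses this
    only to confirm that a scrubbed buffer no longer carries anything readable."""
    out = bytearray()
    for i in range(0, len(channels) - 1, 2):
        out.append(((channels[i] & LOW_MASK) << 4) | (channels[i + 1] & LOW_MASK))
    return bytes(out)


def scrub_low_nibbles(channels: bytes) -> bytes:
    """CDR-style reconstruction: keep the high nibble of every channel and
    overwrite the low nibble with fresh random bits. Each channel value moves
    by at most 15 of 255, so the picture looks the same, but any data carried
    in those bits is destroyed rather than merely scanned for."""
    noise = secrets.token_bytes(len(channels))
    return bytes((c & HIGH_MASK) | (n & LOW_MASK) for c, n in zip(channels, noise))


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change between two equally sized pixel buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed sample: a grey gradient (raw channel bytes, no file format) whose
# low nibbles carry a marker string, mimicking the concealment described above.
MARKER = b"stego-marker"
_gradient = bytes(range(0, 256, 256 // (2 * len(MARKER))))[: 2 * len(MARKER)]
_nibbles = [n for b in MARKER for n in (b >> 4, b & LOW_MASK)]
SAMPLE_CARRIER = bytes((g & HIGH_MASK) | n for g, n in zip(_gradient, _nibbles))

if __name__ == "__main__":
    cleaned = scrub_low_nibbles(SAMPLE_CARRIER)
    print("before scrub:", low_nibbles_to_bytes(SAMPLE_CARRIER))
    print("after scrub: ", low_nibbles_to_bytes(cleaned))
    print("max channel change:", max_channel_delta(SAMPLE_CARRIER, cleaned))
```

Applied to a real file, the same rewrite would be run over the decoded pixel data before re-encoding, so that the output image is a fresh encoding rather than a copy of the untrusted bytes.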

About Mendy Newman

Mendy is the Group CTO of Ericom's International Business operations. Based in Israel, Mendy works with Ericom's customers in the region to ensure they are successful in deploying and using its Zero Trust security solutions, including the ZTEdge cloud security platform.
