Using Steganography: Launching an Attack Without Traditional File-based Malware

Using Steganography: Launching an Attack Without Traditional File-based Malware

steganography FIMost current malware attacks use techniques that were created in only the last few years. However, Steganography — “the practice of concealing a file, message, image, or video within another file, message, image, or video”  — has been in existence for thousands of years. Originally created to conceal messages, its current uses include evading censorship as well as delivering malicious payloads. Most recently, it was used as part of an evasive attack on organizations associated with the Pyeongchang Winter Olympics.  

Hiding Malware in Plain Sight

Last December, McAfee Advanced Threat Research (ATR) analysts discovered a campaign targeting organizations involved with the Pyeongchang Olympics using a steganographic technique. The malware installed an implant that established a secure channel to the attacker’s server.

The attack targeted over 300 organizations in South Korea affiliated with the Olympic organization. The attacker spoofed the sender to appear to be originating from, the National Counter-Terrorism Center (NCTC) in South Korea. The timing of the email coincided with anti-terror drills that were occurring as part of the preparation for the Olympics, which likely made the recipients believe it was legitimate.

Cyberattacks employ steganography to embed malicious code within other seemingly benign content to bypass security controls. In the case with the PyeongChang Winter Olympics attack, the malware author used steganography as well as other techniques to enable the attack, evade detection, and persist. The malware used:

  • Social Engineering: When the user opened the document, text in Korean instructed the victim to enable content in the document
  • Network Security Monitoring Evasion: Once the user enabled the content, the document ran a PowerShell script that downloaded a seemingly benign image stored on a remote server
  • Manual Analysis Evasion: It used obfuscated Visual Basic macros to decode the malicious content hidden within the pixels of the image and install the malware
  • Persistence: The malware included registering scheduled tasks, so the scripts survive a system reboot
Steganography PyeongChang Winter Olympics attack

The image that was stored on a remote server and contained the hidden code

The McAfee team identified additional implants in addition to the original Korean-language implant (now dubbed Operation Gold Dragon). McAfee reports that these additional implants (Brave Prince, Ghost419, and Running Rat) appear to a part of a larger operation and longer-term campaign to gain persistence for data exfiltration and access to targeted networks.

PowerShell as an Attack Platform

PowerShell is a configuration management and task automation tool, installed on all new Windows versions by default. Introduced as a scripting language and command line shell by Microsoft in 2005, PowerShell is now open source and cross-platform. It is useful for building many types of applications, enabling developers to use multiple languages, libraries, and editors to build for mobile, gaming, desktop, and even IoT solutions.

As a result of the pervasive use of PowerShell, it is popular with hackers due to its ease-of-use and versatility, providing access to all the major operating system functions. Plus, many system administrators use and trust the framework, allowing PowerShell malware to blend in with benign activity on the network.

Why Fileless Attacks Are So Difficult to Detect

Fileless attacks like this are extremely difficult for most technologies to detect for the following reasons:

  • They use an essential utility like PowerShell for malicious activity. As described above, organizations can’t block PowerShell traffic because of its range of legitimate uses. Security controls that analyze network traffic (such as NGFWs at the gateway or IPS on internal segments) can’t distinguish legitimate PowerShell traffic from malicious traffic.
  • They render signature-based detection technologies useless. When signature-based detection technologies compare the hash of an email attachment like the one used in this attack with known malicious files, there would have been no match.

It is for these reasons that the threat of fileless attacks is growing: 32% of respondents in a SANS threat landscape survey in August 2017 reported experiencing fileless or “malware-less” attacks. McAfee reported that fileless malware attacks based on Microsoft PowerShell are increasing, growing 119% in the third quarter of last year.

Securing Your Networks Against Malicious Behaviors, Old or New

Fortunately, Lastline customers were able to detect this attack in early January. The screenshot below shows the results of the automated Deep Content Inspection conducted on the first sample of the email attachment encountered by a member of the Lastline community.

Details of the all the malicious behaviors contained in the document

Lastline’s automated analysis includes an overall Maliciousness Score, as well as details of every malicious behavior engineered into the malware, including behaviors designed to evade automated or manual analysis.

And, upon completion of the analysis by one customer or partner, all Lastline users, through our Global Threat Intelligence Network, are immediately aware of any malicious object used to attack another member of our community. This “network effect” significantly increases every customer’s detection accuracy, while reducing the need for them to conduct additional threat research before responding.


To learn more about protecting your organization’s email, please read our Solution Guide: “Protecting Email from Advanced Malware”

To read more about fileless attacks, visit our blogs on the topics:

Why Fileless Malware Will Continue Its Rapid Expansion
Detecting Fileless Web Threats Just Got Easier