Steganography – The Old Attack Mechanism that will Never Die

Steganography goes all the way back to 440 BC, when ancient Roman regional administrators perfected the art of sending messages to each other without their carriers ever being able to read them. In today’s cyber landscape, steganography is the practice of smuggling potentially malicious data inside seemingly innocuous data. This differs from encryption: encrypted data is easily distinguishable from unencrypted data, whereas a steganographic carrier is meant to look like ordinary content.
Steganography made the news again over the past few weeks as APT37, commonly associated with North Korean hacking groups, used steganography to embed shellcode directly into MSPaint.exe to launch a fileless attack [1]. Fileless attacks (where “the attack” never touches a filestore) are extremely hard to detect, as no artifacts are left on the endpoint. This makes it especially tricky for solutions like EDR (Endpoint Detection & Response) to respond, as they rely on scanning endpoints for indicators of compromise [2].
Steganography is never used as the initial exploit, as true steganography relies on a valid file format to begin with. However, similar concepts, such as polyglot files, can be used as the initial exploit on file upload, as is often seen with vulnerable web apps [3].
In the RoKRAT example, APT37 embedded the RoKRAT malware directly within JPEG images and used common web applications (which are typically allow-listed), such as Dropbox, as the C2 channel. As a result, network detection solutions would have seen only “normal” HTTP traffic to common file-sharing web applications such as Dropbox.
Everfox’s CDR and CDS technology does not rely on detection-based mechanisms to stop threats. Everfox’s Garrison Isolation Appliance (GIA) should be considered as a means of keeping web-based threats at bay through secure, hardware-enforced (FPGA) video isolation technology [4]. In this example, an endpoint would not have been able to connect directly to Dropbox, as all web access would have been safely directed to a video isolation node, eliminating the possibility of a successful C2 channel.
In addition to the GIA, Everfox CDR should be considered for email systems (such as the ones that received the RoKRAT malware) and for web app portal uploads, such as the polyglot exploit example. Everfox CDR provides an advanced alternative to traditional content disarm and reconstruction. It generates a description of the source file, then builds a completely new file using only known-good components, so no part of the original file reaches the endpoint. Like the GIA, it doesn’t rely on detection, and it includes an optional hardware-enforced approach (using FPGAs) for higher-assurance threat prevention.
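As an added illustration of the two ideas above (foreign data riding inside a JPEG carrier, and a rebuild that keeps only known-good components), here is a small segment-level pass over a JPEG; it is example code written for this page, not Everfox’s CDR and not the analysis in [1]. It reports the places where appended or hidden bytes most commonly sit (non-essential segments such as APPn/COM, and anything after the EOI marker) and emits a copy containing only the segments a decoder needs. The sample JPEG is constructed inline and is not decodable pixel data; a real CDR decodes and re-encodes the image, which this segment-level rebuild does not do, so data hidden in the image coefficients themselves would survive it.

```python
import struct
EOI, SOS = 0xD9, 0xDA
# Segments a decoder needs (SOF0-2, DHT, DQT, DRI, SOS); anything else is carried along unread.
ESSENTIAL = {0xC0, 0xC1, 0xC2, 0xC4, 0xDB, 0xDD, SOS}

def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def parse_jpeg(data: bytes):
    """Return ([(marker, payload)], bytes after EOI); the SOS payload is (header, scan data)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    segments, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return segments, data[pos + 2:]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload, pos = data[pos + 4:pos + 2 + length], pos + 2 + length
        if marker == SOS:  # entropy-coded data runs until a marker that is not FF00 stuffing or RSTn
            start = pos
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] != 0
                                                and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
            payload = (payload, data[start:pos])
        segments.append((marker, payload))
    raise ValueError("truncated JPEG (no EOI)")

def inspect_jpeg(data: bytes) -> dict:
    """Where foreign bytes usually ride: non-essential segments and data after EOI."""
    segments, trailer = parse_jpeg(data)
    return {"non_essential": [m for m, _ in segments if m not in ESSENTIAL],
            "trailing_bytes": len(trailer)}

def rebuild_jpeg(data: bytes) -> bytes:
    """CDR-style rebuild: copy only the segments a decoder needs, then close with EOI."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in parse_jpeg(data)[0]:
        if marker in ESSENTIAL:
            header, scan = payload if marker == SOS else (payload, b"")
            out += _seg(marker, header) + scan
    return bytes(out + b"\xff\xd9")

# Constructed sample (not a decodable image): minimal table/frame/scan segments, a COM segment with foreign text, bytes after EOI.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01") + _seg(0xDB, bytes(65))
          + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00") + _seg(0xC4, bytes(17))
          + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56"
          + _seg(0xFE, b"CONSTRUCTED: hidden text") + b"\xff\xd9" + b"CONSTRUCTED: after EOI")
```

Running `inspect_jpeg(SAMPLE)` flags the APP0 and COM segments plus the trailing bytes, while `inspect_jpeg(rebuild_jpeg(SAMPLE))` reports nothing.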
Contact Everfox for more information.
[1] RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies, https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic
[2] https://www.paloaltonetworks.co.uk/cyberpedia/why-endpoints-shouldnt-rely-entirely-on-scanning
[3] https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-polyglot-web-shell-upload
[4] https://www.everfox.com/products/cross-domain-solutions/isolation-appliance
Solutions Architect, Western Europe & UK
Aaron Mulgrew is a Solutions Architect, Western Europe & UK, at Everfox. In this capacity, Aaron works with UK and Western European public sector organisations to secure their systems, as well as critical national infrastructure providers to make sure they aren’t an easy route to compromise. Focussing on Cross Domain Solutions, Insider Risk and Machine Learning, Aaron brings years of experience in CDS research and solution architecture to Everfox.