Categories: Malware

Stegomalware Surge – Attackers Using File, Video, Image & Others To Hide Malware

A surge in the number of Stegomalware instances using Steganography has been reported recently by the cybersecurity experts at Cyble Research Labs. 

Steganography is mainly a method that entails concealing data inside of a normal message or file in a specific manner. The type of file it uses:-

  • Text
  • Image
  • Video

There is no doubt that Steganography is one of the most evasive and difficult-to-detect methods of malware. Stegomalware uses image steganography to avoid detection mechanisms such as anti-virus software and anti-malware systems. 

As a result of the use of Image Steganography, more than 1,800 malware samples have been identified in the wild over the last 90 days. Below is a summary of the distribution of stegomalware on a Monthly basis.

Malware using Steganography

It is worth mentioning that there are several prominent malware families that use Steganography, including:-

  • Knotweed
  • Web Shells
  • Hacking Tools: Mimikatz, Rubeus
  • NanoCore RAT
  • AgentTesla
  • XLoader

It has been discovered that numerous instances of .JPG+EXE malware have been seen during the monitoring of chatter across multiple threat actors.

A malicious exe file is usually disguised as a legitimate image file and it is then injected into an image file using the Image Steganography technique.

Researchers reported two attacks in the last few weeks of July 2022, which were carried out by unknown individuals. Steganography was used in these attacks to deliver malware payloads in order to carry out the attack.

Technical Analysis

Various reports have been made about the effect that APT TAs have used.SFX files to use as a way to attack ICS/SCADA systems using exploit DB files. 

Other systems can also be attacked with this attack vector. An executable file with the extension .SFX contains compressed data that can be uncompressed during the process of implementation. 

It is also possible to execute the compressed files that are enclosed in a .SFX file, which allows TAs to easily execute malware through this technique.

Here the AgentTesla malware is extracted from the .JPG file in the archive after the .SFX archive has been extracted.

As a result of the extraction of malware, additional evasion capabilities may be leveraged directly by combining it with legitimate processes.

Recommendations

The following are some of the best practices in cybersecurity that are recommended by the experts:-

  • Make sure that you are aware of the latest threat actor attack techniques that are being employed by them.
  • Be sure that your connected devices, including PCs, laptops, and mobile phones, are protected by an robust anti-virus tools.
  • To prevent data exfiltration by malware or Trojans, monitor the beacon on the network level.
  • Check the contents of the file at the end, as well as unusual file signatures and properties, when inspecting suspicious images manually
  • Before downloading any file, it is recommended that you verify the source.
  • Passwords should be updated at regular intervals.
  • Make sure you verify the authenticity of all links and email attachments before opening them.
  • Virus-spreading URLs, such as torrents and warez, should be blocked.
  • Ensure that employees’ systems are equipped with Data Loss Prevention (DLP) solutions.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Cyberattackers Targeting IT Help Desks for Initial Breach

Cybercriminals are increasingly impersonating IT support personnel and trusted authorities to manipulate victims into granting…

1 hour ago

New Stealthy .NET Malware Hiding Malicious Payloads Within Bitmap Resources

Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a novel obfuscation method employed…

1 hour ago

Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender Labs,…

1 hour ago

Threat Actors Target Job Seekers with Three New Unique Adversaries

Netcraft has uncovered a sharp rise in recruitment scams in 2024, driven by three distinct…

2 hours ago

Scattered Spider Malware Targets Klaviyo, HubSpot, and Pure Storage Platforms

Silent Push researchers have identified that the notorious hacker collective Scattered Spider, also known as…

3 hours ago

Chinese Hackers Exploit SAP RCE Vulnerability to Deploy Supershell Backdoors

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-31324, in SAP NetWeaver Visual Composer…

4 hours ago