Researchers have discovered a non-obvious tactic in which attackers use steganography. While classic tactics rely on obfuscation and encryption, this method uses plain images as a malware carrier. In this post, I’ll go into more detail on how it works.
Steganography Attack Overview
Steganography, the practice of hiding data within another file, is increasingly used in cyberattacks to disguise malicious code. Unlike encryption, which scrambles data to make it unreadable, steganography embeds payloads in harmless-looking files like images, videos, or audio, making them nearly invisible to traditional security tools.
This method is favored by cybercriminals because it can slip past antivirus software and email filters and deliver payloads quietly; it turns up in phishing, malware delivery, and data exfiltration. The chain described here still requires interaction from the victim and may currently be closer to a proof of concept than a mass campaign, but the idea itself is notable. I would suggest that these could be spear-phishing attacks, mainly by state-sponsored cybercrime actors.

The advantages for the attacker are clear. Hiding the payload inside an image lets it pass antivirus scans that key on executable files, because nothing in the delivery chain looks like an executable until the payload is carved out of the image. Standard scans rarely inspect image metadata or comment segments for embedded data, so the detection rate stays low; the payload remains inert text until a loader extracts and executes it. Malicious images also tend to clear email filters, since an image attachment or link does not trip the usual phishing rules. The method is versatile and works across multiple attack vectors. The caveat is that the image itself does nothing on its own: a loader still has to run on the host to extract and execute the payload, and that loader is where the chain can be caught.
How Does It Work?
The researchers used the ANY.RUN interactive sandbox to detonate the chain; the results described below are drawn from that analysis.
In brief, the method embeds a DLL payload in a JPEG image file as Base64-encoded text. The extraction routine looks for a <<BASE64_START>> flag in the file's bytes; the Base64 data that follows it decodes to a Windows executable, recognizable by its MZ signature. In this case, the payload is XWorm.
Now, let’s go into more detail. XWorm’s chain is multi-stage and begins with a phishing PDF named “package_photo.pdf”. The PDF contains a link, hxxps://www[.]sendspace[.]com/pro/dl/vjzvj7, and tells the user that a “graphics extension” must be downloaded to display the document. What is actually downloaded is a .REG file named pdf_graphics.reg, which modifies the Windows registry so that a script runs at startup.
After a reboot, the registry entry launches PowerShell, which downloads a VBS (Visual Basic Script) file from a remote server. In the sandbox this step is visible directly: selecting the powershell.exe process shows the file being fetched. The VBS file looks harmless on its own but sets up the next stage.
An Unobvious Move
Instead of downloading an executable, the VBS script retrieves an image file. This JPEG contains a hidden malicious DLL, embedded in a text segment of the image as Base64. Static analysis shows a legitimate-looking image, but hex inspection reveals a <<BASE64_START>> flag followed by “TVq”, the Base64 encoding of the bytes “MZ” that open every Windows executable. This confirms the payload’s presence; until something extracts it, scanners see only an image.
The final step executes the extracted DLL, which injects XWorm into AddInProcess32.exe, a legitimate signed .NET Framework helper process (it ships under the Microsoft.NET\Framework directory, not as part of Office) that attackers favor as an injection host precisely because its presence raises few alarms. Once XWorm is running, it gives the attackers remote access: stealing sensitive data, executing commands, and deploying additional malware. The compromised system can then serve as a launching point for further attacks.
Technical Details of Steganography Implementation
The technique relies on image formats tolerating arbitrary bytes that decoders never render. Note that tEXt chunks are a PNG construct; a JPEG has no chunks. In a JPEG the equivalent places are a COM (comment) segment, an APPn segment such as the one EXIF uses, or simply bytes appended after the EOI marker, all of which image viewers ignore. Either way, the Base64-encoded payload sits in the file as ordinary text.
The extraction routine scans for the <<BASE64_START>> flag, which marks where the encoded payload begins, and decodes everything after it. The decoded data starts with “MZ” (0x4D 0x5A, decimal 77 and 90), which in Base64 appears as “TVq”: each Base64 character carries six bits (T=19, V=21, q=42 in the Base64 alphabet), so 19, 21, 42 regroup as 010011 010101 101010, which yields 01001101 (“M”) and 01011010 (“Z”) with two bits left over for the next byte.

In a real executable the next character completes that group: “TVqQ” decodes to “MZ” followed by 0x90, the usual start of the DOS stub, so the signature is unambiguous even from the first few characters. Because Base64 output is plain printable text, the payload can live in the image’s metadata without changing how the image renders. The technique exploits the fact that traditional security scans rarely decode image metadata looking for an executable.
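The extraction and signature check described above, as an added Python example that is neither the researchers’ tooling nor XWorm’s own loader. It builds a minimal JPEG skeleton in-line whose COM segment carries the marker and a dummy PE header (constructed data, not a real binary), carves the Base64 run that follows the marker, decodes it both with the standard library and by hand to show the six-bit regrouping, and checks the MZ and PE signatures. The marker is assumed to be the ASCII string <<BASE64_START>>; the regex that delimits the Base64 run, the use of a COM segment, and the function names are my choices, not details from the report.

```python
"""Carve a Base64-encoded PE payload out of a JPEG and verify its signature.

Added example, not the ANY.RUN researchers' code or XWorm's loader. The
sample image and the 'PE' inside it are constructed here for illustration.
"""
import base64
import re
import struct
from typing import Optional

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MARKER = b"<<BASE64_START>>"  # flag named in the write-up, assumed ASCII


def decode_base64_by_hand(text: str) -> bytes:
    """Manual Base64 decode: 6 bits per character, regrouped into 8-bit bytes.

    Leftover bits (fewer than 8 at the end) are padding and are discarded,
    so "TVq" / "TVq=" already yields b"MZ".
    """
    text = text.rstrip("=")
    bits = "".join(format(B64_ALPHABET.index(c), "06b") for c in text)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def build_sample_jpeg(payload: bytes) -> bytes:
    """Constructed JPEG skeleton: SOI, one COM segment, EOI.

    Viewers ignore COM contents, so the marker and Base64 text hide there.
    """
    comment = b"camera notes " + MARKER + base64.b64encode(payload)
    com_segment = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com_segment + b"\xff\xd9"


def extract_hidden_payload(image: bytes) -> Optional[bytes]:
    """Find the marker in the raw bytes, take the Base64 run after it, decode."""
    pos = image.find(MARKER)
    if pos == -1:
        return None
    tail = image[pos + len(MARKER):]
    m = re.match(rb"[A-Za-z0-9+/]+={0,2}", tail)  # stops at the next binary byte
    if not m:
        return None
    return base64.b64decode(m.group(0))


def looks_like_pe(blob: bytes) -> bool:
    """A PE starts with the DOS 'MZ' stub; e_lfanew at 0x3C points to 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(image: bytes) -> dict:
    """Triage verdict for one image: marker present? decoded data a PE?"""
    payload = extract_hidden_payload(image)
    return {
        "marker_found": payload is not None,
        "payload_is_pe": bool(payload) and looks_like_pe(payload),
        # first three decoded bytes re-encoded: 'MZ\x90' -> 'TVqQ'
        "payload_b64_prefix": base64.b64encode(payload[:3]).decode() if payload else "",
    }


# Constructed dummy PE: 'MZ\x90\x00' stub, e_lfanew = 0x40, then the 'PE\0\0' magic.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * (0x3C - 4)
           + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 4)
SAMPLE_IMAGE = build_sample_jpeg(FAKE_PE)

if __name__ == "__main__":
    print(scan_image(SAMPLE_IMAGE))
    print(decode_base64_by_hand("TVqQ"))  # b'MZ\x90'
```

On a real sample, read the file bytes and pass them to scan_image. The search runs over raw bytes rather than parsed segments on purpose: the text could equally be appended after the EOI marker, and a parser that stops at EOI would miss it.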
How To Stay Safe?
While such attacks can take users and anti-malware products by surprise, findings like this one feed back into vendor detections. Keeping your software updated and using strong, unique passwords reduces the risk of malware entering through vulnerabilities or stolen credentials. Given the chain above, two specific habits help: treat any .REG file that a document asks you to import as hostile, and check startup entries in the registry for PowerShell commands that fetch remote scripts.
Being cautious online isn’t always enough, since advanced malware can bypass basic defenses and hide in seemingly harmless files. Enable two-factor authentication on every service that offers it. For comprehensive safety, I recommend GridinSoft Anti-Malware, which offers robust scanning and real-time protection to identify and eliminate threats like XWorm before they cause harm.