Freely subscribe to our NEWSLETTER

Deep Secure Research Labs has published a simulation of a real world cyber-attack scenario using a combination of social media tools and image steganography, to avoid detection by conventional cybersecurity defences.
Deep Secure’s research team demonstrated how an attacker could infiltrate a network, establish a Command and Control (CnC) channel and steal data, totally bypassing any Data Loss Prevention (DLP) system.

The kill chain used in the demonstration is published below.

Phase 1 – Initial Infection
In the initial infection phase, the attacker crafts a polyformatted file, one with the ability to be interpreted by different applications using different file formats. The file is sent to the victim as an email attachment. The file looks like an innocent Word Document, but it also contains fileless malware that bypasses signature-based anti-malware defences.
Using social engineering, the user is tricked into running the fileless malware.

This unpacks a backdoor which is disguised to be part of the Word Document and is invisible to the user.

The backdoor listens for a specified hashtag on Twitter for commands from the remote attacker.

Phase 2 – Reconnaissance
A seemingly harmless tweet includes an image in which a command to run a directory listing is concealed using steganography. The backdoor is listening on the hashtag, extracts the command from the image and runs it without the user being aware.
_The result of the directory listing is embedded in an image using steganography and uploaded to a file sharing site where the attacker downloads it and extracts the results of the directory listing. This process is repeated until the attacker finds the high value data they want to steal.

Phase 3 – Exfiltration
Another seemingly harmless tweet includes an image in which a command to leak a file is concealed using steganography. The back door is listening on the hashtag and extracts the command from the image.
The document containing the high value data is split into small chunks by the backdoor and each chunk is encoded into an image using steganography. The images are uploaded to a file sharing site, completely evading detection via DLP systems.

All the images are downloaded by the remote attacker and the chunks of data extracted from each image.

The content is then reassembled to reveal the high value data.

“This demonstration should act as a wake-up call for anyone who believes they can protect their information assets using conventional detection-based cyber security defences,” said Oceanne Gallagher, Lead Researcher with Deep Secure. “The use of polyformatted files, fileless malware and image steganography combined with social media tools means the attack can completely evade detection.”
Aaron Mulgrew, Security Architect at Deep Secure says, “We estimate that an attacker could easily exfiltrate a third of a million credit card records by concealing them in 50 images using steganography. The attack will remain totally undetected by conventional anti-malware and DLP systems.”

What can be done?

Users of Deep Secure Content Threat Removal (CTR) are protected at every stage of this cyber kill chain.
CTR uses content transformation rather than detection to render digital content threat free. CTR transforms all content crossing the security boundary, extracting only the business information from documents and images and discarding everything else. Brand new documents and images are then created and delivered to the user.
As a consequence, threats such as in polyformatted files fileless malware and exploits concealed in images using steganography are all neutralized whether they are delivered via email, Web or File Transfer.