Steganography Secrets: Malware Hidden in Plain Sight

What Happened

Cybercriminals are hiding malicious software inside normal-looking pictures to bypass security defenses. Organizations and individuals receiving fake finance-themed emails are the primary targets. This matters because the hidden code installs harmful programs like remote access tools and password stealers directly into the computer's memory, making them difficult for standard security tools to catch. Organizations should train employees to spot suspicious email attachments and monitor for unusual computer behavior.

Key Takeaways

• Threat actors are increasingly using image steganography to hide malicious payloads and evade EDR detection.
• The attack chain typically involves a JavaScript dropper that downloads an image, extracts a DotNET Loader, and injects a RAT into memory.
• Top malware families delivered via this method include Remcos RAT (27%), Agent Tesla (21%), and XWorm RAT (18%).
• Legitimate image hosting services like archive.org and uploaddeimagens.com.br are heavily abused to host the malicious images.

Affected Systems

• Windows endpoints

Vulnerabilities (CVEs)

• CVE-2017-11882

Attack Chain

The attack begins with a finance-themed phishing email containing a malicious ZIP attachment or a link to download a file. Once the victim executes the contained JavaScript dropper, it downloads a seemingly benign image from a legitimate hosting service. The JS dropper extracts a Base64-encoded DotNET loader hidden within the image using steganography. Finally, the DotNET loader executes and injects the final malware payload, such as Remcos RAT, directly into the memory of a legitimate process like Windows Explorer.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, but highlights the need for behavioral analysis to detect memory injection and unusual script execution.

Detection Engineering Assessment

EDR Visibility: Medium — EDR may miss the initial steganographic image download as it appears benign, but should have visibility into the JS dropper execution, process injection into Windows Explorer, and subsequent RAT behaviors. Network Visibility: Low — Network traffic involves downloading images from legitimate hosting sites (archive.org, github.com), making it difficult to distinguish from benign web browsing. Detection Difficulty: Hard — The use of legitimate image hosting platforms, steganography, and in-memory execution of the final payload significantly reduces file-based artifacts and network IOCs.

Required Log Sources

• Process Creation (Event ID 4688)
• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 8 (CreateRemoteThread)
• Sysmon Event ID 10 (ProcessAccess)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Consider hunting for script interpreters (wscript.exe, cscript.exe) initiating network connections to image hosting domains, which may indicate a JS dropper downloading a steganographic payload.	Process and Network events	Execution / Command and Control	Medium
If you have visibility into process behavior, look for unusual process injection or memory allocation into legitimate Windows processes like explorer.exe originating from script interpreters or unknown .NET assemblies.	EDR Process/Memory events	Defense Evasion / Privilege Escalation	Low
Evaluate whether large Base64 strings or specific markers like 'BaseStart-' can be detected within image files downloaded by script processes.	File/Network inspection	Defense Evasion	Low

Control Gaps

• Secure Email Gateways (SEGs) relying solely on static analysis
• Network Intrusion Detection Systems (NIDS) inspecting traffic to legitimate cloud services

Key Behavioral Indicators

• wscript.exe or cscript.exe making external network connections
• Unusual child processes or memory injection targeting explorer.exe
• Image files containing large blocks of Base64 encoded data or MZ headers

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider blocking the execution of JavaScript (.js) and VBScript (.vbs) files by default on user endpoints using Windows Script Host restrictions.
• If your EDR supports it, evaluate enabling strict behavioral blocking for process injection techniques targeting core Windows processes.

Infrastructure Hardening

• Evaluate whether access to unapproved image hosting or file-sharing sites can be restricted at the web proxy level, balancing business needs.
• Consider implementing application control to restrict the execution of unapproved .NET assemblies and script files.

User Protection

• If supported by your email security solution, consider quarantining emails containing archive attachments (like .zip) from unknown external senders.
• Ensure endpoints are configured to display file extensions to help users identify malicious scripts masquerading as documents.

Security Awareness

• Consider updating phishing awareness training to highlight the risks of opening unexpected archive files or links, even if they appear to be standard business documents like purchase orders.

MITRE ATT&CK Mapping

• T1566.001 - Phishing: Spearphishing Attachment
• T1027.003 - Obfuscated Files or Information: Steganography
• T1059.007 - Command and Scripting Interpreter: JavaScript
• T1055 - Process Injection
• T1140 - Deobfuscate/Decode Files or Information
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Additional IOCs

• Other:
  • BaseStart- - Marker string used within the steganographic image to denote the beginning of the Base64-encoded DotNET loader payload.