Protect users and networks from malware hidden in images and attachments


Steganographic attacks hide malware within innocent content in ways that antivirus/firewalls cannot detect.

Steganography (stego for short) is the art of hiding messages or code in innocent-looking objects, files or text. Unlike encryption, steganography does not advertise itself. Since nothing indicates that the image or object carries additional data (no hexadecimal-encoded strings, no voluminous lookup tables), antivirus and similar technologies pay no attention to it. As a result, steganography is increasingly used to hide and deliver ransomware attack code, malicious JavaScript, downloaders, and even full-fledged rootkits.

A classic example of a steganography-enabled attack involves malicious data hidden within an image without changing the image's appearance or increasing its file size. More sophisticated approaches manipulate individual pixels of the image to carry the steganographic data. An entire archive can also be attached to an image, for example as an appended RAR archive, which image viewers ignore but which an attacker or malicious program can easily extract.
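The appended-archive variant is easy to check for on the defender's side: a PNG ends with its IEND chunk, so anything after that offset is foreign data. The following added example (not code from the original post or from Ericom) walks the chunk list of a constructed 2x2 PNG, reports any trailing bytes, and labels them if they start with a known archive signature; a JPEG would need the analogous walk to its EOI marker (FF D9).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Magic bytes of archive formats commonly found glued onto images.
ARCHIVE_SIGS = {b"Rar!\x1a\x07": "RAR", b"PK\x03\x04": "ZIP", b"7z\xbc\xaf\x27\x1c": "7z"}


def png_end_offset(blob):
    """Walk the PNG chunk list and return the offset just past the IEND chunk."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4  # length/type header, chunk data, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def trailing_data(blob):
    """Return (bytes appended after IEND, archive type or None) for a PNG blob."""
    trailer = blob[png_end_offset(blob):]
    kind = next((name for sig, name in ARCHIVE_SIGS.items() if trailer.startswith(sig)), None)
    return trailer, kind


def make_png(width=2, height=2):
    """Constructed 2x2 grey RGB PNG that serves as the clean sample for this example."""
    def chunk(ctype, data):
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))
    rows = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))  # filter type 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


CLEAN_PNG = make_png()
# Constructed suspect sample: a RAR signature plus padding appended after IEND stands in for an attached archive.
SUSPECT_PNG = CLEAN_PNG + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        trailer, kind = trailing_data(blob)
        print(name, len(trailer), "trailing bytes", kind or "")
```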


Images are the most common carrier for steganography, but other file types, including Excel, Word, HTML, and even network protocol traffic, can be manipulated to hide steganographic data. In a variation on image hiding, plain white PNG files can be used to hide code.

Steganography attack mechanisms

In some cases, simply clicking on an image containing steganographic code activates the code or signals to the attacker that an access channel to the endpoint is available. More often, steganography delivers only a portion of the payload, which is extracted and used only when the image is processed.

For malicious code hidden in attached documents, PowerShell and Bash scripts are used to launch the attack automatically as soon as the document is opened.

Protection against steganographic threats

Traditional scanning technologies such as antivirus cannot detect steganography, since the code is hidden and cannot be distinguished from legitimate content. Restricting access to all images and attachments would protect organizations, but it is impractical and degrades the user experience. Steganography attacks can, however, be thwarted by encrypting hidden content and disabling embedded malicious scripts, as long as image fidelity and the desired native file functionality are maintained.

Remote Browser Isolation (RBI) accomplishes just that. When a user visits a website, all content, including images, is opened by a virtual browser located in a short-lived protected and isolated container in the cloud, just like attachments downloaded from emails or websites. RBI executes all code, malicious and benign, inside the container, where it cannot access the end user’s machine or the information it contains.

Sampling and compression techniques are used to create safe rendering data that accurately represents the content of the site, including all images and functional elements, and this rendering data is transmitted to the user's browser. Users interact fully with the site through their normal browser (and, behind the scenes, the virtual browser in the isolated container). Hidden code within images or other site elements is not faithfully rendered, however, so any threat it contains is neutralized.

In RBI solutions that provide built-in Content Disarm and Reconstruction (CDR) capabilities, attachments are also routed to the isolated and hardened container. There, the files are examined for malware which, if detected, is disarmed. The document or other attachment is then reconstructed using techniques similar to those RBI uses for web content, with similar results: foreign code, even if well hidden and not identifiable as malicious, is skipped or broken, neutralizing threats from steganographic attacks.

Once the user stops browsing, or after a specified period, the isolated container is destroyed along with all website content and attachments, ensuring that malicious content, including steganographic payloads, cannot reach the user's device.

ZTEdge: Granular Control, Great User Experience, and Strong Steganography Protection

In addition to providing seamless CDR integration, sophisticated RBI solutions like ZTEdge Web Isolation further strengthen the hardened containers by running them under low-privilege user accounts, strictly limiting their lifetime, and using read-only file systems. The containers are based on Linux, so they are not susceptible to Windows attacks.

ZTEdge’s policy-based controls allow administrators to vary permissions by user group, individual user, site features, or other parameters. For example, file downloads may be completely prohibited for sites with newly registered domain names or from social networking sites for some user groups, while for others whose work involves the use of social networks.

To learn more about protecting your users and organization from steganography, as well as phishing and ransomware attacks, zero-day vulnerabilities, and data loss, request a ZTEdge demo.

How steganography works

For illustrative purposes, let's look at a steganographic technique by which malware can hide in the data of an image, and why images are ideal for this purpose.

Images use non-executable file formats to store compressed data. To display an image, a browser decompresses the file as it loads and builds the image pixel by pixel from that data. However, each individual pixel may store more information than is actually needed to produce a good representation of the image.

Image: SentinelOne

For example, for colors represented by three bytes (one each for red, green, and blue), the low four bits of each byte encode only small color differences. These differences have little or no impact on how users perceive the image. A malicious actor can therefore write data or code into those bits without visibly degrading the image, in a way that is invisible to an antivirus solution, and a specially designed program can later read that data back and use it as needed.
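The bit-replacement just described does leave a statistical trace, which is how steganalysis tools catch it: in natural image data the low bits of neighbouring values are unevenly distributed, while an embedded payload (usually encrypted or compressed, hence random-looking) flattens them towards uniform. The following added example (not code from the original post or from Ericom) builds a constructed RGB cover, simulates 4-bit embedding by randomizing the low nibble of every channel byte, and applies a chi-square test of the low-nibble histogram inside each 16-value group, a generalization of the classic pairs-of-values test from one bit to four.

```python
import random


def synthetic_cover(width=64, height=64, seed=1):
    """Constructed clean cover: three flat colour patches with slight noise, as raw RGB bytes."""
    rng = random.Random(seed)
    palette = [(32, 96, 160), (200, 48, 48), (240, 240, 240)]  # bases are multiples of 8
    out = bytearray()
    for y in range(height):
        for x in range(width):
            for v in palette[(x // 24 + y // 32) % 3]:
                out.append(v + rng.choice((0, 0, 1, 2)))  # noise stays inside one 16-value group
    return bytes(out)


def simulate_embedding(cover, seed=7):
    """Stand-in for a hidden payload: replace the low 4 bits of every channel byte with random bits,
    which is what an encrypted or compressed payload looks like once embedded."""
    rng = random.Random(seed)
    return bytes((v & 0xF0) | rng.getrandbits(4) for v in cover)


def low_nibble_chi_square(pixels, min_group_count=80):
    """Chi-square per degree of freedom of the low-nibble histogram inside each 16-value group.
    Cover data shows strong structure (large values); after embedding the nibbles flatten towards
    uniform and the statistic drops to about 1."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi, dof = 0.0, 0
    for start in range(0, 256, 16):
        group = hist[start:start + 16]
        n = sum(group)
        if n < min_group_count:  # too few samples for the test to be meaningful
            continue
        expected = n / 16
        chi += sum((c - expected) ** 2 / expected for c in group)
        dof += 15
    return chi / dof if dof else float("nan")


def looks_embedded(pixels, threshold=3.0):
    """Flag an image whose low nibbles are statistically indistinguishable from random."""
    return low_nibble_chi_square(pixels) < threshold


if __name__ == "__main__":
    cover = synthetic_cover()
    stego = simulate_embedding(cover)
    print("cover chi2/dof: %.1f  stego chi2/dof: %.2f" % (low_nibble_chi_square(cover), low_nibble_chi_square(stego)))
```

On real images the threshold must be calibrated against a corpus of known-clean files, since heavily compressed or noisy photographs already have flatter low-bit statistics than this constructed cover.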

The post Protect users and networks from malware hidden in images and attachments first appeared on Ericom's Blog.

*** This is a syndicated Security Bloggers Network blog from Ericom’s Blog written by MENDY NEWMAN. Read the original post at:
