A security researcher has demonstrated how he could hide the Complete Works of Shakespeare in an image and distribute it through Twitter using steganography.
Steganography is the act of hiding information or messages inside objects that are not themselves secret. This allows people to covertly distribute messages, files, and other types of data in files or data that appear to be non-secretive in nature.
In a recent experiment, security researcher David Buchanan created a JPEG image of Shakespeare that also included a RARed copy of his complete works in HTML format. Buchanan went on to further show that this image could also be uploaded to Twitter, which would create a thumbnail that continued to contain the embedded RAR file.
Assuming this all works out, the image in this tweet is also a valid ZIP archive, containing a multipart RAR archive, containing the complete works of Shakespeare.— David Buchanan (@David3141593) October 29, 2018
This technique also survives twitter's thumbnailer :P pic.twitter.com/P0Owq9abRC
Buchanan was able to do this by creating a script that converted the multi-part RAR file into an ICC profile, which was then embedded into a picture of Shakespeare. ICC profiles are data fields in an image that describe the color characteristics of an input device, so that the colors are displayed properly on output.
As ICC profiles are stored in JPEGs in 64KB chunks, Buchanan decided to use a RAR file, as he could split the RAR archive into multiple parts of a chosen size. In this case, each part of the multi-part RAR file would be set to 64KB.
"ICC profiles are stored in chunks of approximately 64kb," Buchanan told BleepingComputer via Twitter direct message. "So I had to split the data into correspondingly sized chunks and a multi-part RAR archive seemed like a good way to do that."
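The chunking Buchanan describes is visible to anyone who parses the JPEG headers: each chunk is an APP2 segment tagged ICC_PROFILE with a sequence number and chunk count, and a real profile declares its own length and carries the "acsp" signature at offset 36. As an added example (not Buchanan's script, which the article does not reproduce), the Python scanner below reassembles the ICC chunks of a JPEG and flags files whose "profile" has no valid ICC header or whose tail carries a ZIP end-of-central-directory record; the JPEG fixture it runs on is constructed inline with dummy data.

```python
import struct

ICC_TAG = b"ICC_PROFILE\x00"          # APP2 identifier used for embedded ICC profiles
MAX_ZIP_TAIL = 22 + 65535             # EOCD record plus the largest possible ZIP comment

def iter_segments(jpeg: bytes):
    """Yield (marker, payload) for each JPEG header segment up to Start-of-Scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:            # SOS: entropy-coded image data follows, stop parsing
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers carry no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def assess(jpeg: bytes) -> dict:
    """Reassemble the ICC chunks and report whether the file looks like a plain photo."""
    chunks = {}
    for marker, payload in iter_segments(jpeg):
        if marker == 0xE2 and payload.startswith(ICC_TAG):
            seq, total = payload[12], payload[13]          # 1-based chunk index, chunk count
            chunks[seq] = payload[14:]
    blob = b"".join(chunks[i] for i in sorted(chunks))
    # A genuine profile declares its size in the first 4 bytes and has 'acsp' at offset 36.
    declared = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    return {
        "icc_chunks": len(chunks),
        "icc_bytes": len(blob),
        "valid_icc_header": len(blob) >= 128 and blob[36:40] == b"acsp" and declared == len(blob),
        "zip_eocd_in_tail": b"PK\x05\x06" in jpeg[-MAX_ZIP_TAIL:],
    }

def _app2(seq: int, total: int, data: bytes) -> bytes:
    """Build one APP2/ICC_PROFILE segment for the constructed fixture below."""
    body = ICC_TAG + bytes([seq, total]) + data
    return b"\xff\xe2" + struct.pack(">H", len(body) + 2) + body

# Constructed fixture (not a real image): a stub JPEG whose "ICC profile" is three chunks
# of non-profile bytes and whose trailing bytes hold a ZIP end-of-central-directory record.
SAMPLE = (b"\xff\xd8" + _app2(1, 3, b"Rar!\x1a\x07\x00" + b"A" * 100)
          + _app2(2, 3, b"B" * 100) + _app2(3, 3, b"C" * 100)
          + b"\xff\xda\x00\x02" + b"\x00" * 8 + b"\xff\xd9"
          + b"PK\x05\x06" + b"\x00" * 18)
```

Running assess(SAMPLE) reports three ICC chunks totalling 307 bytes, no valid ICC header and a ZIP EOCD in the tail, which is the combination a content filter for uploaded images would want to reject or quarantine.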
When asked whether he had tested this method as a way to distribute malware, Buchanan said he felt it would be more useful for sending secret messages.
"I'm not sure it's useful as an AV evasion technique in itself. However, it would make a good covert distribution channel."
To extract the Complete Works of Shakespeare from the created thumbnail, you simply need to download the image, rename it to a zip file, extract the zip file, and then extract the RAR files it contains.
To do this, you can use the following command in Linux:
curl 'https://pbs.twimg.com/media/DqteCf6WsAAhqwV.jpg' > lol.zip && unzip lol.zip
This command would download the thumbnail as lol.zip and then unzip the lol.zip file. This would leave you with a multi-part RAR file, where each part had a maximum size of 64KB.
To extract the RAR files you would use the unrar x shakespeare.part001.rar command, which would extract a shakespeare.html file as shown below.
Unfortunately, when I tried to perform this extraction using 7Zip in Windows, it gave me errors when renaming the JPEG to a zip file and trying to extract it.
For this to work properly, you may need to be using the same versions of Zip and RAR as the creator of the image.