Steganography

Steganography, the technique of hiding data inside innocuous-looking files such as images, became very popular with exploit kit operators in 2016.

Several security firms have documented exploit kits that either build their whole operation around steganography or use it to disguise exploit and malware payloads as PNG files.

Exploit kits that heavily rely on steganography: Stegano

In the first category, we have the newly-discovered Stegano (also known as Astrum) exploit kit, which has been used in the past months as part of an ingenious malvertising campaign.

Stegano's authors embedded the malicious code in the alpha (transparency) channel of the pixels of PNG banner ads, so the banner still rendered as an ordinary image.

As users viewed the ads, JavaScript in the ad would read the image's pixel data, reassemble the hidden code from the alpha values and redirect the victim to the exploit kit landing page, where they would be infected with various types of malware.

Exploit kits that heavily rely on steganography: DNSChanger

Besides Stegano, the second exploit kit discovered in 2016 that heavily relies on steganography is named DNSChanger.

The group behind DNSChanger created malicious ads containing code that launched brute-force attacks against the victim's home WiFi router. Once in control of the router, the attackers changed its DNS settings (hence the name) and injected ads into all of the victim's web traffic.

Once again, steganography was used to hide this code inside the ads' images, which kept the exploit kit's activity out of sight of security researchers.

Steganography spreads to big-time players

Both Stegano and DNSChanger are relatively small and little-known exploit kits, each deployed and used only by one operator, its creator.

According to a new report from Trend Micro, in the last days of 2016, one of the major players operating in the exploit kit market has also turned its sights on steganography.

The exploit kit's name is Sundown, developed by a group of German-speaking developers who call themselves YBN (Yugoslavian Business Network).

Logo of YBN, developers of Sundown EK

For the majority of the year, Sundown was a small-time player, with a market share far below that of Angler, Nuclear, Neutrino, RIG, and even the Magnitude EK.

But as the Nuclear operators shut down in April, as the Angler EK disappeared following arrests by Russian police, and as the Neutrino exploit kit went private to serve only a limited clientele, Sundown found itself among the top three exploit kits left on the market.

For most of its existence, the exploit kit has been known as the king of copy-paste, with the vast majority of its exploitation routines being stolen from Angler, Nuclear, or RIG.

Having risen to the top tier of the market, things started to change this autumn, as Sundown's operators realized they had to diversify their arsenal if they wanted to keep their position for long.

Sundown now hides exploits as PNG files

According to Trend Micro, one of the changes the Sundown operators added was the usage of steganography to hide the "exploit packages," which are the files that contain the exploit code delivered to users.

Until recently, Sundown's operators never bothered to mask these files. Security researchers looking at traffic logs could easily identify a Sundown exploit package from its URL, which often ended in .SWF or .XAP, the extensions of Flash and Silverlight content and therefore of the exploits that target them.

After this recent update, Sundown hides these exploits as mundane PNG files. The file starts with a PNG header, but what follows is the exploit code rather than image data, so anything that keys only on the file extension or on the first few magic bytes, such as a proxy's content-type check, waves it through. Sundown traffic is now much harder to spot, and researchers have to put more work into unmasking Sundown operations, just as its operators intended.
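Two things on this page deserve working code: the Stegano-style trick of hiding code in the alpha channel of a banner that still renders normally, and the Sundown trick of shipping something that is only a PNG up to its header. The block below is an added example written for this page; it is not code from ESET, Trend Micro, Stegano or Sundown, and the images it builds (an 8x8 red "banner", a fake PNG wrapping a constructed SWF header) are constructed test data. The hiding scheme (two low bits of each alpha value, 16-bit length prefix) is an assumption chosen for the illustration, not Stegano's real encoding; the PNG encoder and decoder are a toy that handles only 8-bit RGBA with filter type 0, which is all the sample needs.

```python
# Added example, written for this page; it is not code from ESET, Trend Micro,
# Stegano or Sundown. It shows a Stegano-style alpha-channel hide/extract round
# trip and the structural checks that expose a "PNG" that is not really one.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, payload):
    """Serialise one chunk: length, type, payload, CRC-32 over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def read_chunks(data):
    """Walk the chunks after the signature -> ([(type, payload, crc_ok, offset)], end offset)."""
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):                      # declared length runs past end of file
            break
        payload = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[end - 4:end])[0]
        chunks.append((ctype, payload, stored == (zlib.crc32(ctype + payload) & 0xFFFFFFFF), pos))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, pos


def write_rgba_png(width, height, pixels):
    """Minimal encoder: 8-bit RGBA, non-interlaced, filter type 0 on every row."""
    rows = (b"\x00" + bytes(v for px in pixels[y * width:(y + 1) * width] for v in px)
            for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b""))


def read_rgba_png(data):
    """Decoder for what write_rgba_png produces (filter 0 only) -> (width, height, pixels)."""
    chunks, _ = read_chunks(data)
    ihdr = next(p for t, p, _, _ in chunks if t == b"IHDR")
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    if (depth, colour) != (8, 6):
        raise ValueError("toy decoder handles 8-bit RGBA only")
    raw = zlib.decompress(b"".join(p for t, p, _, _ in chunks if t == b"IDAT"))
    stride, pixels = 1 + 4 * width, []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("toy decoder handles filter type 0 only")
        pixels.extend(tuple(row[1 + 4 * x:5 + 4 * x]) for x in range(width))
    return width, height, pixels


def embed_in_alpha(pixels, payload):
    """Hide payload in the two low bits of each alpha value (16-bit length prefix, four
    pixels per byte). Opacity moves by at most 3/255, so the banner renders unchanged."""
    msg = struct.pack(">H", len(payload)) + payload
    if 4 * len(msg) > len(pixels):
        raise ValueError("cover image too small")
    out = list(pixels)
    for i, byte in enumerate(msg):
        for j in range(4):
            r, g, b, a = out[4 * i + j]
            out[4 * i + j] = (r, g, b, (a & 0xFC) | ((byte >> (6 - 2 * j)) & 3))
    return out


def extract_from_alpha(pixels):
    """Inverse of embed_in_alpha; the ad's JavaScript does the equivalent before eval()."""
    def byte_at(i):
        return sum((pixels[4 * i + j][3] & 3) << (6 - 2 * j) for j in range(4))
    n = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + k) for k in range(n))


SUSPECT_MAGICS = {b"FWS": "uncompressed SWF", b"CWS": "zlib-compressed SWF",
                  b"ZWS": "LZMA-compressed SWF", b"PK\x03\x04": "ZIP container (XAP)"}


def inspect_png(data):
    """Checks a proxy or sandbox can run on anything served as a PNG. Returns a list of
    findings; an empty list means the chunk structure is sane, not that the image is benign."""
    if not data.startswith(PNG_SIG):
        return ["no PNG signature"]
    chunks, end = read_chunks(data)
    types = [t for t, _, _, _ in chunks]
    findings = []
    if types[:1] != [b"IHDR"]:
        findings.append("first chunk is not IHDR")
    if b"IEND" not in types:
        findings.append("no IEND chunk")
    findings += [f"bad CRC on {t.decode('latin-1')} chunk at offset {off}"
                 for t, _, ok, off in chunks if not ok]
    if end < len(data):
        findings.append(f"{len(data) - end} bytes outside the chunk structure")
    # Only the unstructured tail is scanned for magics: 3-byte strings such as "CWS"
    # also occur by chance inside compressed IDAT data and would be false positives.
    for magic, name in SUSPECT_MAGICS.items():
        idx = data.find(magic, end)
        if idx != -1:
            findings.append(f"{name} signature at offset {idx}")
    return findings


# Constructed samples; they are not real Stegano or Sundown artefacts.
COVER = [(200, 30, 30, 255)] * 64                      # an 8x8 opaque red "banner"
STEGO_PNG = write_rgba_png(8, 8, embed_in_alpha(COVER, b"alert(1)"))
FAKE_PNG = PNG_SIG + b"CWS\x0f" + struct.pack("<I", 100) + zlib.compress(b"\x00" * 80)
```

`extract_from_alpha(read_rgba_png(STEGO_PNG)[2])` returns `b"alert(1)"` while `inspect_png(STEGO_PNG)` returns nothing, which is the point of the Stegano case: a structurally perfect image carries the code in its pixels, and only the JavaScript that decodes it gives the game away. `inspect_png(FAKE_PNG)` is the Sundown case and reports a missing IHDR and IEND, bytes outside the chunk structure and an SWF signature at offset 8, which is what a proxy that validated the body rather than just the magic bytes would have seen. Run it on harvested files with `inspect_png(open(path, "rb").read())`; treat the checks as a cheap first filter in front of behavioural detection, not a replacement for it.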

Sundown took inspiration from previous steganography campaigns

This addition of steganography to Sundown's operations was spotted two days ago and appears to have been inspired by three earlier malvertising campaigns.

The first is the massive AdGholas malvertising campaign, which ran on the Angler and Neutrino exploit kits, the second is the GooNky malvertising campaign, and the third is a malvertising campaign that delivered the CryLocker ransomware via the RIG exploit kit.

In all three cases, the crooks behind the campaigns used steganography to deliver PNG images to victims that contained code which fingerprinted the victim's computer and later downloaded and ran malware.

The most successful of these campaigns was AdGholas, which ran undetected for almost a year. The success of those campaigns has apparently convinced the Sundown gang to run a few experiments of their own.

By disguising malicious content as PNG files, Sundown is following a trend that has slowly taken hold of the exploit kit market over the past year. In all likelihood it will keep using steganography, at least until security firms find a way to quickly identify malicious PNG files and block them.

In the meantime, stay safe from malvertising campaigns by employing an antivirus and ad blocker in your browser. PS: Don't forget to whitelist the sites you like. Ads help keep websites alive.