Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.[1]
By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.[2]
| ID | Name | Description |
|---|---|---|
| S0469 | ABK | ABK can extract a malicious Portable Executable (PE) from a photo.[3] |
| G0138 | Andariel | Andariel has hidden malicious executables within PNG files.[4][5] |
| G0067 | APT37 | APT37 uses steganography to send images to users that are embedded with shellcode.[6][7] |
| S0473 | Avenger | Avenger can extract backdoor malware from downloaded images.[3] |
| S0234 | Bandook | Bandook has used .PNG images within a zip file to build the executable.[8] |
| S0470 | BBK | BBK can extract a malicious Portable Executable (PE) from a photo.[3] |
| G0060 | BRONZE BUTLER | BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.[3] |
| S0471 | build_downer | build_downer can extract malware from a downloaded JPEG.[3] |
| S0659 | Diavol | Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.[9] |
| G1006 | Earth Lusca | Earth Lusca has used steganography to hide shellcode in a BMP image file.[10] |
| S0483 | IcedID | IcedID has embedded binaries within RC4-encrypted .png files.[11] |
| S0231 | Invoke-PSImage | Invoke-PSImage can be used to embed a PowerShell script within the pixels of a PNG file.[12] |
| G0065 | Leviathan | Leviathan has used steganography to hide stolen data inside other files stored on GitHub.[13] |
| S0513 | LiteDuke | LiteDuke has used image files to hide its loader component.[14] |
| G0069 | MuddyWater | MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.[15] |
| S0644 | ObliqueRAT | ObliqueRAT can hide its payload in BMP images hosted on compromised websites.[16] |
| S0439 | Okrum | Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file.[17] |
| C0023 | Operation Ghost | During Operation Ghost, APT29 used steganography to hide payloads inside valid images.[14] |
| C0005 | Operation Spalax | For Operation Spalax, the threat actors used packers that read pixel data from images contained in PE files' resource sections and build the next layer of execution from the data.[18] |
| S1145 | Pikabot | Pikabot loads a set of PNG images stored in the malware's resources section (RCDATA), each with an encrypted section containing portions of the Pikabot core module. These sections are loaded and decrypted using a bitwise XOR operation with a hardcoded 32-bit key.[19] |
| S0518 | PolyglotDuke | PolyglotDuke can use steganography to hide C2 information in images.[14] |
| S0139 | PowerDuke | PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).[20] |
| S0654 | ProLock | ProLock can use .jpg and .bmp files to store its payload.[21] |
| S0565 | Raindrop | Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.[22] |
| S0458 | Ramsay | Ramsay has PE data embedded within JPEG files contained within Word documents.[23] |
| S0495 | RDAT | RDAT can also embed data within a BMP image prior to exfiltration.[24] |
| S0511 | RegDuke | RegDuke can hide data in images, including use of the Least Significant Bit (LSB).[14] |
| G0127 | TA551 | TA551 has hidden encoded data for malware DLLs in a PNG.[25] |
| G0081 | Tropic Trooper | Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.[26] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0119 | Detection Strategy for Steganographic Abuse in File & Script Execution | AN0331 | Detects execution of image viewers or PowerShell scripts accessing or decoding files with mismatched MIME headers or embedded script-like byte patterns; often correlated with suspicious parent-child process lineage and outbound connections. |
| | | AN0332 | Detects access to media files followed by execution of scripts (bash, Python, etc.) referencing those same files, or outbound traffic triggered shortly after file read. Correlates unusual use of tools like |
| | | AN0333 | Detects manipulation of PNG, JPG, or GIF files by user-initiated scripts followed by script execution or exfiltration behavior, especially from |
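The file-level checks that AN0331 and AN0333 describe (mismatched magic bytes versus extension, script-like or PE-like byte patterns in places an image should not carry them) can be triaged with a small scanner. The following Python is an added example for this page, not MITRE's or any vendor's tooling: it validates the PNG signature and chunk CRCs, flags data appended after the IEND chunk (where several of the procedure examples above hide a PE), and looks for a constructed list of suspicious patterns in non-pixel regions. The pattern list, the `scan_image` finding labels and every sample file are assumptions built inline for the demonstration.

```python
"""Triage helper for steganography abuse in image files.

Checks: extension vs. magic bytes, PNG chunk CRCs, bytes appended after
IEND, and PE/script-like patterns in non-pixel regions. Added example;
the pattern list and all sample files are constructed, not real malware.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Magic bytes for the image types the analytics name (PNG, JPG, GIF).
IMAGE_MAGIC = {
    "png": PNG_SIGNATURE,
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# (label, pattern, anchored): anchored patterns only count at the start of a
# region, so the two-byte "MZ" does not fire on random compressed bytes.
# Constructed heuristic list for this example.
SUSPICIOUS_PATTERNS = [
    ("pe_header", b"MZ", True),
    ("dos_stub", b"This program cannot be run in DOS mode", False),
    ("powershell", b"powershell", False),
    ("invoke_expression", b"Invoke-Expression", False),
    ("shebang", b"#!/", True),
    ("script_tag", b"<script", False),
]


def header_matches_extension(data, ext):
    """True/False for a known image extension, None if the type is unknown."""
    magic = IMAGE_MAGIC.get(ext.lower().lstrip("."))
    if magic is None:
        return None
    return data.startswith(magic)


def parse_png_chunks(data):
    """Walk the chunk list up to IEND. Returns (chunks, trailing_bytes) where
    each chunk is (type, body, crc_ok). Raises ValueError on a malformed file."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == struct.unpack(">I", crc_bytes)[0]
        chunks.append((ctype.decode("latin-1"), body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]   # anything after IEND is foreign data
    raise ValueError("no IEND chunk")


def find_patterns(region):
    """Labels of suspicious patterns present in one byte region."""
    return [label for label, pat, anchored in SUSPICIOUS_PATTERNS
            if (region.startswith(pat) if anchored else pat in region)]


def scan_image(data, ext):
    """Return a sorted list of finding labels for one file."""
    findings = set()
    if header_matches_extension(data, ext) is False:
        findings.add("magic_mismatch")
        # Likely a renamed script or executable: inspect the whole file.
        findings.update("pattern:" + p for p in find_patterns(data))
        return sorted(findings)
    if not data.startswith(PNG_SIGNATURE):
        return sorted(findings)   # JPG/GIF structure parsing is out of scope here
    try:
        chunks, trailing = parse_png_chunks(data)
    except ValueError as exc:
        return sorted(findings | {"malformed_png:" + str(exc)})
    for ctype, body, crc_ok in chunks:
        if not crc_ok:
            findings.add("bad_crc:" + ctype)
        if ctype != "IDAT":   # pixel data is compressed; not pattern-scanned here
            findings.update("pattern:" + p for p in find_patterns(body))
    if trailing:
        findings.add("trailing_data_after_IEND")
        findings.update("pattern:" + p for p in find_patterns(trailing))
    return sorted(findings)


def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_png(extra_chunks=()):
    """Constructed 1x1 red RGB PNG, optionally with extra chunks before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one pixel
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    return out + _chunk(b"IEND", b"")


# Constructed samples (placeholders, not real malware):
CLEAN_PNG = make_png()
APPENDED_PNG = make_png() + b"MZ\x90\x00" + b"This program cannot be run in DOS mode"
TEXT_CHUNK_PNG = make_png([(b"tEXt", b"Comment\x00Invoke-Expression (placeholder)")])
RENAMED_SCRIPT = b"powershell -nop -c 'placeholder'\r\n"   # text saved as .png

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG),
                       ("text_chunk", TEXT_CHUNK_PNG), ("renamed", RENAMED_SCRIPT)]:
        print(name, scan_image(blob, "png"))
```

Findings from a scan like this are a triage signal, not a verdict: a single `trailing_data_after_IEND` hit also occurs with some editors' metadata, so the analytics above pair the file check with process lineage (which script read the file) and with network activity that follows the read.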