We warned about the risk of steganography in our previous blog. Steganography is the practice of concealing messages, images, videos or malware within another file or message. We have now observed steganography used in actual attacks*. Just last week, CrowdStrike published its findings on a Cutwail spam campaign using Japanese-language emails, and steganography was one of the tactics used by the attacker. In this blog, we demonstrate the effectiveness of OPSWAT Data Sanitization against the steganography and evasion tactics in this attack.
We can split this spam campaign into four stages as follows (we will apply Data Sanitization to stages 1, 2 and 3).
Stage 1: phishing email with a Microsoft Excel attachment
Stage 2: obfuscated VBA scripts inside of a Microsoft Excel document
Stage 3: steganography image containing obfuscated PowerShell script
Stage 4: final payload
Stages 1 and 2: phishing email with a Microsoft Excel attachment containing obfuscated VBA scripts
Email is the most popular way to gain initial access to a victim's network. OPSWAT MetaDefender (https://www.opswat.com/product... ) detects the file type based on the file's contents, not just its extension. Let's say the security policy allows Microsoft Excel documents, since they are a very common file type required for business productivity. Even so, OPSWAT Data Sanitization can reconstruct a new Microsoft Excel file while stripping out the macro. OPSWAT does not try to determine whether the VBA script is malicious, so obfuscation cannot evade this countermeasure. Below is the Excel document used in this spam campaign, before and after sanitization.
Before:
After:

Stage 3: Stegosploit - steganography image containing a PowerShell script
Let's say an organization cannot prohibit macro usage as part of its security policy. Even in this case, OPSWAT Data Sanitization can sanitize the image so that it no longer contains the script. Therefore the attacker would fail to download the final payload.

From the user's point of view, there is no visible difference between the original and the sanitized images.
| Before Sanitization | After Sanitization |
| --- | --- |
| (image) | (image) |
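As an added example (not OPSWAT's code), the block below models what reconstructing an image does to data hidden in it: the PNG is parsed chunk by chunk, CRCs are verified, and a new file is written keeping only the chunks a viewer needs, so ancillary metadata chunks and bytes appended after IEND (hypothetical carriers, constructed here) never reach the output. It assumes a chunk-level hiding technique; data encoded in the pixel values themselves would additionally require re-encoding the pixel data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a viewer needs to render the image; every other chunk is dropped.
KEEP = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png: bytes):
    """Yield (type, data) for each chunk up to and including IEND, checking CRCs."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")  # content-based type check
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated chunk {ctype!r}")
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            return  # bytes after IEND are never read, so they never reach the output
    raise ValueError("truncated PNG: no IEND chunk")


def sanitize_png(png: bytes) -> bytes:
    """Rebuild the PNG from scratch, keeping only the chunks needed to render it."""
    out = bytearray(PNG_SIG)
    for ctype, data in parse_chunks(png):
        if ctype in KEEP:
            out += chunk(ctype, data)
    return bytes(out)


def build_sample() -> bytes:
    """Constructed 1x1 RGB PNG carrying a text chunk and trailing bytes (hypothetical carrier)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width 1, height 1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one red pixel
    text = b"Comment\x00CONSTRUCTED-HIDDEN-DATA"          # ancillary tEXt chunk
    png = (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", text)
           + chunk(b"IDAT", idat) + chunk(b"IEND", b""))
    return png + b"CONSTRUCTED-TRAILING-DATA"             # appended after IEND
```

Running `sanitize_png(build_sample())` returns a PNG whose only chunks are IHDR, IDAT and IEND, with neither the tEXt payload nor the trailing bytes present.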
* References for actual attacks using steganography:
https://blog.trendmicro.com/tr...
https://www.imperva.com/blog/d...
https://securityintelligence.c...
Co-authored by Vinh Lam