Researcher Managed to Hide ZIP, MP3 Files Inside Twitter Images
David Buchanan used steganography to stash MP3 files and ZIP archives within PNG images hosted on Twitter.
This Tuesday, we reported that hackers are now using steganography to hide credit card data inside JPG files. The process involves hiding malicious code inside the raw bytes of an image or audio file. Among hacking groups the technique is not very common, because it is difficult to insert data into an image file without corrupting the image itself.
However, it was recently revealed that the threat actor behind ObliqueRAT delivers its payload to victims’ endpoints through steganography, and, what’s more, the carrier images can also be hosted on Twitter.
Researcher David Buchanan has recently revealed a method of hiding up to 3 MB of data within a Twitter image. He attached example images to his tweets which contained entire ZIP archives and MP3 files hidden within:
I found a way to stuff up to ~3MB of data inside a PNG file on twitter. This is even better than my previous JPEG ICC technique, since the inserted data is contiguous.
The source code is available in the ZIP/PNG file attached: pic.twitter.com/zEOl2zJYRC
— Dаvіd Вucһаnаn (@David3141593) March 17, 2021
Additionally, Buchanan tweeted an image that could sing. Even though the files he attached looked like valid images when previewed, downloading one and changing its file extension revealed entirely different content in the same file. He explained the whole process here.
In an email interview with security researcher Ax Sharma, Buchanan stated:
Twitter does compress images, most of the time, but there are some scenarios where they don’t. Twitter also attempts to strip any non-essential metadata, so any existing ‘polyglot file’ techniques wouldn’t work. The new trick which I discovered is that you can append data to the end of the ‘DEFLATE’ stream (the part of the file that stores the compressed pixel data), and Twitter will not strip it.
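The detail in Buchanan’s explanation that matters for defenders is that a PNG decoder stops reading the IDAT data as soon as the zlib stream signals its end, so anything appended after that point is ignored by viewers and survives in the file. The following script is an added example written for this article, not Buchanan’s published code and not anything from Twitter’s pipeline. It builds a small PNG itself (constructed sample data, with an optional stand-in payload placed after the DEFLATE stream inside IDAT) and then inspects a PNG the way a content-scanning or upload-hardening step could: it parses and CRC-checks the chunks, inflates the concatenated IDAT data, and reports how many bytes were left over after the stream ended, plus any bytes trailing the IEND chunk. The file-type labels are only magic-number heuristics.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC-32 of type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, trailing: bytes = b"") -> bytes:
    """Construct a tiny 8-bit greyscale PNG (sample image data constructed here).

    `trailing` is placed inside the IDAT chunk *after* the zlib stream's end
    marker, which is where the technique described above puts its payload.
    """
    # Each scanline is a filter byte (0 = None) followed by `width` grey samples.
    raw = b"".join(
        b"\x00" + bytes((x * 37 + y * 11) & 0xFF for x in range(width))
        for y in range(height)
    )
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # bit depth 8, greyscale
    idat = zlib.compress(raw) + trailing
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def parse_chunks(png: bytes):
    """Walk the chunk list, verifying CRCs. Returns (chunks, offset just after IEND)."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def classify_payload(data: bytes) -> str:
    """Heuristic label for leftover bytes, based only on well-known magic numbers."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"ID3"):
        return "mp3 (ID3 tag)"
    return "unknown" if data else "none"


def inspect_png(png: bytes) -> dict:
    """Inflate the concatenated IDAT data and report what the decoder would never read."""
    chunks, end = parse_chunks(png)
    idat = b"".join(d for t, d in chunks if t == b"IDAT")
    dec = zlib.decompressobj()
    pixels = dec.decompress(idat) + dec.flush()
    trailing = dec.unused_data  # bytes that follow the zlib end-of-stream marker
    return {
        "chunk_types": [t.decode("ascii") for t, _ in chunks],
        "stream_complete": dec.eof,
        "pixel_bytes": len(pixels),
        "idat_trailing_bytes": len(trailing),
        "idat_trailing_kind": classify_payload(trailing),
        "bytes_after_iend": len(png) - end,
    }


if __name__ == "__main__":
    clean = build_png(16, 16)
    # Constructed stand-in payload: a ZIP local-file-header magic plus filler bytes.
    stuffed = build_png(16, 16, b"PK\x03\x04" + b"\x00" * 2000)
    print("clean:  ", inspect_png(clean))
    print("stuffed:", inspect_png(stuffed))
```

A non-zero `idat_trailing_bytes` count on a file that otherwise decodes cleanly is the signal to act on: the image renders normally, so visual inspection tells you nothing. An upload pipeline that re-encodes every image from decoded pixels (rather than copying the IDAT stream through) removes this slack space as a side effect; a scanner that only strips metadata chunks, as the quote above notes, does not.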
This is not the first time that Buchanan used steganography to distribute a large ZIP file on Twitter. In 2018, he uploaded the Complete Works of William Shakespeare into a JPEG image of the playwright which he then shared in a tweet. The image incorporated a RAR copy of the plays in HTML format. Pretty impressive, wouldn’t you say?
Assuming this all works out, the image in this tweet is also a valid ZIP archive, containing a multipart RAR archive, containing the complete works of Shakespeare.
This technique also survives twitter’s thumbnailer 😛 pic.twitter.com/P0Owq9abRC
— Dаvіd Вucһаnаn (@David3141593) October 29, 2018
However, when attackers use steganography they tend to modify simple images, to avoid corrupting the hidden data. Last year, hackers hosted images on legitimate services such as Imgur; those images were later decoded to reconstruct a malicious Cobalt Strike payload. Cobalt Strike is a legitimate red team tool that is extensively abused by threat actors to gain remote access to target machines.
Although such attacks may seem stealthy on the surface, understanding exactly how they work is what allows the malware families that use them to be detected and blocked.