
This Tuesday, we reported that hackers are now using steganography to hide credit card data inside JPG files. The technique hides malicious code or stolen data inside the bytes of an image or audio file. Among hacking groups it is not very common, because it is difficult to embed extra data in an image file without corrupting the image itself.

However, it was recently revealed that the threat actor behind ObliqueRAT infiltrates victims’ endpoints through steganography, and, what’s more, the carrier images can also be hosted on Twitter.

Researcher David Buchanan has recently revealed a method of hiding up to 3 MB of data within a Twitter image. He attached example images to his tweets which contained entire ZIP archives and MP3 files hidden within:


Additionally, Buchanan tweeted an image that could sing. Even though the files he attached looked like valid images when previewed, downloading and changing the extension resulted in different content from the same file. He explained the whole process here.

In an email interview with security researcher Ax Sharma, Buchanan stated that

Twitter does compress images, most of the time, but there are some scenarios where they don’t. Twitter also attempts to strip any non-essential metadata, so any existing ‘polyglot file’ techniques wouldn’t work. The new trick which I discovered is that you can append data to the end of the ‘DEFLATE’ stream (the part of the file that stores the compressed pixel data), and Twitter will not strip it.

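The detail Buchanan describes, that extra bytes can sit after the end of a PNG’s compressed pixel stream without affecting how the image renders, also gives defenders a simple check: decompress the IDAT data and look at whatever is left over. The script below is an added example written for this article, not Buchanan’s code or Twitter’s; it builds a constructed 2×2 RGB PNG, optionally appends a constructed trailer inside the IDAT chunk the way the quote describes, and then inspects any PNG for bytes that follow the end of the zlib stream. It assumes an 8-bit RGB image (colour type 2) when checking that the pixel data decodes to the expected size.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int, rgb: bytes, trailer: bytes = b"") -> bytes:
    """Build a minimal 8-bit RGB PNG (filter type 0 on every scanline).

    `trailer` is placed inside the IDAT chunk, after the zlib stream ends.
    A PNG decoder stops at the end of the zlib stream, so the image still
    renders; this is a constructed fixture for the detector below.
    """
    assert len(rgb) == width * height * 3, "rgb must hold width*height RGB triples"
    raw = b"".join(
        b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height)
    )
    # IHDR: width, height, bit depth 8, colour type 2 (RGB), compression 0, filter 0, interlace 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    idat_body = zlib.compress(raw) + trailer
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat_body) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, body) for each chunk, verifying every CRC along the way."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def inspect_png(png: bytes) -> dict:
    """Decode the pixel stream and report any bytes left after the zlib stream ends.

    Returns {"pixels_ok": bool, "trailer": bytes}. `trailer` is non-empty when
    data has been appended after the DEFLATE stream inside IDAT, which is the
    hiding spot described in the interview quote above.
    """
    width = height = None
    idat = b""
    for ctype, body in iter_chunks(png):
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif ctype == b"IDAT":
            idat += body  # IDAT chunks concatenate into one zlib stream
    d = zlib.decompressobj()
    pixels = d.decompress(idat)
    # Assumes 8-bit RGB: one filter byte plus 3 bytes per pixel per scanline.
    expected = height * (1 + width * 3)
    return {"pixels_ok": d.eof and len(pixels) == expected, "trailer": d.unused_data}


if __name__ == "__main__":
    pixels = bytes(range(12))  # constructed 2x2 RGB image
    clean = build_png(2, 2, pixels)
    hidden = build_png(2, 2, pixels, trailer=b"PK\x03\x04 constructed trailer")
    for name, png in (("clean", clean), ("hidden", hidden)):
        r = inspect_png(png)
        print(f"{name}: pixels_ok={r['pixels_ok']} trailer={len(r['trailer'])} bytes")
```

In practice the same check can be run on every image accepted by an upload service or seen by a proxy: an image whose IDAT stream decodes correctly but is followed by a few kilobytes (or megabytes) of unused data is worth quarantining, since a normal encoder never emits anything after the zlib stream.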

This is not the first time that Buchanan used steganography to distribute a large ZIP file on Twitter. In 2018, he uploaded the Complete Works of William Shakespeare into a JPEG image of the playwright which he then shared in a tweet. The image incorporated a RAR copy of the plays in HTML format. Pretty impressive, wouldn’t you say?

However, when attackers use steganography, they tend to modify simple images to avoid corrupting the hidden data. Last year, hackers hosted images on legitimate services such as Imgur that were later used to reconstruct a malicious Cobalt Strike payload (Cobalt Strike is a legitimate red team tool extensively used by threat actors), giving them remote access to the target machines.

Although they may seem stealthy at the surface level, it’s important to understand how exactly these attacks work so malware families can be detected and blocked.
