Stealth

T1027.003: Steganography


T1027.003 · Sub-technique · 3 platforms · 9 groups

Description

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu)

By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)

Platforms

Linux, macOS, Windows

Threat Groups (9)

| ID | Group | Context |
|---|---|---|
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has used steganography to hide shellcode in a BMP image file.(Citation: TrendMicro EarthLusca 202... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) uses steganography to send images to users that are embedded with shellcode.(Citation: Talos Group123)(... |
| G0127 | TA551 | [TA551](https://attack.mitre.org/groups/G0127) has hidden encoded data for malware DLLs in a PNG.(Citation: Unit 42 TA551 Jan 2021) |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used steganography to hide stolen data inside other files stored on Github.(Citation: CISA AA21... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has stored obfuscated JavaScript code in an image file named temp.jpg.(Citation: ClearSky MuddyWat... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used steganography to hide malicious code, typically in the resource section of executable files... |
| G0138 | Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has hidden malicious executables within PNG files.(Citation: MalwareBytes Lazarus-Andariel Conceals ... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used JPG files with encrypted payloads to mask their backdoor routines and evade detection... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used steganography in multiple operations to conceal malicious payloads.(Citation: Trend Mi... |

Associated Software (19)

| ID | Name | Type | Context |
|---|---|---|---|
| S0495 | RDAT | Malware | [RDAT](https://attack.mitre.org/software/S0495) can also embed data within a BMP image prior to exfiltration.(Citation: Unit42 RDAT July 2020) |
| S0139 | PowerDuke | Malware | [PowerDuke](https://attack.mitre.org/software/S0139) uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryp... |
| S0513 | LiteDuke | Malware | [LiteDuke](https://attack.mitre.org/software/S0513) has used image files to hide its loader component.(Citation: ESET Dukes October 2019) |
| S0470 | BBK | Malware | [BBK](https://attack.mitre.org/software/S0470) can extract a malicious Portable Executable (PE) from a photo.(Citation: Trend Micro Tick November 2019... |
| S0511 | RegDuke | Malware | [RegDuke](https://attack.mitre.org/software/S0511) can hide data in images, including use of the Least Significant Bit (LSB).(Citation: ESET Dukes Oct... |
| S0471 | build_downer | Malware | [build_downer](https://attack.mitre.org/software/S0471) can extract malware from a downloaded JPEG.(Citation: Trend Micro Tick November 2019) |
| S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439)'s payload is encrypted and embedded within its loader, or within a legitimate PNG file.(Citation: ESE... |
| S0234 | Bandook | Malware | [Bandook](https://attack.mitre.org/software/S0234) has used .PNG images within a zip file to build the executable.(Citation: CheckPoint Bandook Nov 2... |
| S0659 | Diavol | Malware | [Diavol](https://attack.mitre.org/software/S0659) has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.(... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) has PE data embedded within JPEG files contained within Word documents.(Citation: Antiy CERT Ramsay ... |
| S0644 | ObliqueRAT | Malware | [ObliqueRAT](https://attack.mitre.org/software/S0644) can hide its payload in BMP images hosted on compromised websites.(Citation: Talos Oblique RAT M... |
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) has embedded binaries within RC4 encrypted .png files.(Citation: Juniper IcedID June 2020) |
| S1145 | Pikabot | Malware | [Pikabot](https://attack.mitre.org/software/S1145) loads a set of PNG images stored in the malware's resources section (RCDATA), each with an encrypte... |
| S0469 | ABK | Malware | [ABK](https://attack.mitre.org/software/S0469) can extract a malicious Portable Executable (PE) from a photo.(Citation: Trend Micro Tick November 2019... |
| S0654 | ProLock | Malware | [ProLock](https://attack.mitre.org/software/S0654) can use .jpg and .bmp files to store its payload.(Citation: Group IB Ransomware September 2020) |
| S0231 | Invoke-PSImage | Tool | [Invoke-PSImage](https://attack.mitre.org/software/S0231) can be used to embed a PowerShell script within the pixels of a PNG file.(Citation: GitHub I... |
| S0565 | Raindrop | Malware | [Raindrop](https://attack.mitre.org/software/S0565) used steganography to locate the start of its encoded payload within legitimate 7-Zip code.(Citati... |
| S0473 | Avenger | Malware | [Avenger](https://attack.mitre.org/software/S0473) can extract backdoor malware from downloaded images.(Citation: Trend Micro Tick November 2019) |
| S0518 | PolyglotDuke | Malware | [PolyglotDuke](https://attack.mitre.org/software/S0518) can use steganography to hide C2 information in images.(Citation: ESET Dukes October 2019) |


Frequently Asked Questions

What is T1027.003 (Steganography)?

T1027.003 is a MITRE ATT&CK sub-technique named 'Steganography'. It belongs to the Stealth tactic. Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks,...

How can T1027.003 be detected?

Detection of T1027.003 (Steganography) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
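The description above names the two concrete patterns this page's group and software entries keep returning to: executables or shellcode stored inside image containers (PNG chunks, data appended to a file, the resource section) and data written into pixel least significant bits (the RegDuke and Invoke-PSImage entries). The following Python script is an added triage example, not code from MITRE ATT&CK or from any report cited on this page. It performs three offline checks a defender can run on a suspect image: a PNG chunk walk that flags chunk types outside the specification and any bytes after IEND, a scan for an `MZ` executable header inside chunk payloads or trailing data, and a compressibility measure of the LSB plane (a structured LSB plane compresses well; after encrypted or compressed data is embedded bit by bit it looks random and the ratio approaches 1). All inputs are constructed inline: the PNG builder, the gradient image, the private `stEG` chunk name and the simulated embedding that overwrites LSBs with seeded random bits are all assumptions made for the example.

```python
"""Triage checks for image files suspected of carrying hidden data.
Added example, not MITRE ATT&CK code. All samples are constructed here:
a tiny grayscale PNG, and a "stego" copy whose pixel LSBs are replaced by
seeded random bits to imitate LSB embedding of encrypted data."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_png(width, height, pixels, extra_chunks=(), trailing=b""):
    """Constructed 8-bit grayscale PNG (filter type 0 on every row).
    extra_chunks: (type, payload) pairs inserted before IDAT.
    trailing: bytes appended after IEND, a common hiding place."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(pixels[y * width:(y + 1) * width])
                   for y in range(height))
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, payload in extra_chunks:
        out += _chunk(ctype, payload)
    out += _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")
    return out + trailing

def parse_png(data: bytes):
    """Walk the chunk list; return ([(type, payload), ...], bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        chunks.append((ctype.decode("latin-1"), payload))
        pos += 12 + length          # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def png_findings(data: bytes) -> list:
    """Structural red flags: unknown chunks, PE headers, data after IEND."""
    chunks, trailing = parse_png(data)
    findings = []
    for ctype, payload in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype} ({len(payload)} bytes)")
        if payload.startswith(b"MZ"):
            findings.append(f"PE header inside chunk {ctype}")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
        if trailing.startswith(b"MZ"):
            findings.append("PE header in trailing data")
    return findings

def lsb_plane(pixels) -> bytes:
    """Pack the least significant bit of each 8-bit sample, 8 bits per byte."""
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        byte = 0
        for p in pixels[i:i + 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)

def lsb_compressibility(pixels) -> float:
    """Compressed size / raw size of the LSB plane. A structured plane
    compresses well; embedded high-entropy data pushes the ratio toward 1."""
    plane = lsb_plane(pixels)
    return len(zlib.compress(plane, 9)) / len(plane)

# --- constructed samples (assumptions for this example) ---------------------
W = H = 64
CLEAN_PIXELS = [(x + y) % 256 for y in range(H) for x in range(W)]  # gradient
_rng = random.Random(7)
STEGO_PIXELS = [(p & 0xFE) | _rng.getrandbits(1) for p in CLEAN_PIXELS]

CLEAN_PNG = build_png(W, H, CLEAN_PIXELS)
SUSPECT_PNG = build_png(
    W, H, STEGO_PIXELS,
    extra_chunks=[(b"stEG", b"MZ" + b"\x90" * 64)],   # fake PE blob in a private chunk
    trailing=b"MZ" + b"\x00" * 32,                    # fake PE blob after IEND
)

if __name__ == "__main__":
    for name, png, px in (("clean", CLEAN_PNG, CLEAN_PIXELS),
                          ("suspect", SUSPECT_PNG, STEGO_PIXELS)):
        print(name, png_findings(png), round(lsb_compressibility(px), 2))
```

The structural checks are deterministic and cheap enough to run on every image pulled from mail gateways or proxy logs; the LSB ratio is a heuristic that must be calibrated against a baseline of benign images from the same source, because noisy photographs have a far less compressible LSB plane than the synthetic gradient used here, and a payload that occupies only a small fraction of the pixels will barely move the ratio.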

What mitigations exist for T1027.003?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1027.003?

Known threat groups using T1027.003 include: Earth Lusca, APT37, TA551, Leviathan, MuddyWater, APT-C-36, Andariel, Tropic Trooper.