December 22, 2022 HAWKEYE

Using Steganography to Hide Malware – Witchetty APT Case Study

Steganography has been used in the real world on the Windows and macOS operating systems. Attackers have been detected to send harmful JavaScript, carry crypto miners, and employ steganography to hide portions of ransomware attack code.


Code can be concealed using steganography, for example, inside an image file. Malicious actors can use this technique to compromise devices by displaying an image on a website or sending an image over email. This strategy, commonly referred to as stego, involves hiding messages or information inside other non-secret text, inside a “carrier” message.

Steganography does not accomplish the enormous volumes that cybercriminals often want because of its limited distribution mechanism, which translates into low frequency. However, there are several places to find image steganography toolkits, and thousands of free programs are available. There is no need for programming to use these tools, some of them are simply drag-and-drop. This implies that anyone using image steganography maliciously has the potential to abuse it.

Working of Image Steganography

Malicious code can easily be hidden in digital documents by hackers. A common JPEG shot, for instance, has many megabytes of pixel data, which enables an attacker to change the number of pixels and insert malicious code. It would take a very long time for computers to scan every image for concealed data, especially when the threat is unknown. This is because the color value differences between altered and unaffected pixels are so slight that human eyesight cannot detect them.

The most popular technique employs a tool called steghide. Hackers frequently conceal payloads inside an image’s pixels when using steghide. A payload is Base-64 encoded and concealed within the metadata by the hacker. Given that the certificate field has an indefinite length and that Base-64 encoding is usually used in this field for certificates, it is frequently added under the certificate metadata field.

Another approach is to merely append a string to the file’s end. The image can still be displayed normally after doing this, and its visual look is unaffected.

Past attacks using steganography

Steganography has been used in the real world on the Windows and macOS operating systems. Attackers have been detected to send harmful JavaScript, carry crypto miners, and employ steganography to hide portions of ransomware attack code. Here is a quick list of the main offenders.

  • Malicious JavaScript is concealed in pictures, text, and HTML files by the malware AdGholas.
  • Malicious code is included in picture files by Cerber.
  • PNG LSBs were used by DNSChanger to conceal the Key for AES encryption.
  • PNG-formatted banner adverts with malicious code were used by stegano.
  • Stegoloadr (also known as “Lurk”) is malware that concealed an encrypted URL to send later-stage payloads using both steganography and cryptography.
  • White PNG files used by Sundown were used to obfuscate exploit code or leak user data.
  • SyncCrypt ransomware concealed a portion of its core code in picture files.
  • HTML comment tags on an HTTP 404 error page were used by TeslaCrypt to contain C2 server commands.
  • Vawtrak, also known as “Neverquest,” concealed a URL in the LSBs of favicons so that a malicious payload can be downloaded.
  • A JPEG file with concealed data was appended with data by Zbot.
  • Chinese spyware called ZeroT employed steganography to conceal malware in a picture of Britney Spears.

Image Steganography used by Lokibot

Steganography is used by the malicious software LokiBot to conceal its files. The malware disguises itself as a.jpg and.exe file to be installed. The.jpg file opens, revealing information that LokiBot will require when put into use. The malware stores the image, the.exe file, and a Visual Basic script file that launches the LokiBot file in a directory that it creates. The malware may be run by the VBScript file interpreter thanks to the script’s usage of a decryption method to extract the encrypted code from the image. This gives the hackers the ability to change the script or the execution method whenever they choose.

APT Witchetty Case Study

ESET discovered Witchetty for the first time in April 2022 and determined that it was one of three sub-groups of TA410, a large cyberspying operation with some connections to the Cicada group (aka APT10). Two pieces of malware, a first-stage backdoor called X4 and a second-stage payload called LookBack, were used in Witchetty’s operations. Governments, diplomatic missions, NGOs, and business/manufacturing companies were among the targets, according to ESET.

The group has still used the LookBack backdoor, but it also appears to have added a few new pieces of malware to its arsenal. Backdoor.Stegmap extracts its payload from a bitmap image via steganography. Steganography can be used to cover malicious code in seemingly innocent-looking image files, despite attackers rarely employing it.

A bitmap file is downloaded from a GitHub repository by a DLL loader. The file seems to be nothing more than an outdated Microsoft Windows logo. The payload, on the other hand, is concealed within the file and is unlocked using an XOR key.

By disguising the payload in this way, the attackers were able to host it on a reliable, cost-free service. Downloads from trusted hosts like GitHub are much less likely to cause warnings than downloads from a command-and-control (C&C) server that is under the authority of an attacker.


One of the various strategies threat actors use to get around AV security software is to conceal harmful code in photos and other payloads. No matter the methods employed, the objectives of malware writers are always the same: to remain on the endpoint, move across the network, and gather and exfiltrate user data. Organizations must first recognize that these attacks are highly sophisticated and that no amount of phishing awareness training will adequately prepare end users to recognize these attacks. In order to stop these kinds of attacks from compromising company data and networks, security solutions must be implemented that completely eliminate the end-user from the equation.

For the threat described here, an effective counter-steganographic kill chain must have the following tools:

  • Keep up with steganographic and other threat innovations by using threat intelligence.
  • Examine and verify malware that may be steganographically hidden.
  • Examine programs and other code for any hidden malicious content.
  • Block traffic carrying known steganographic messages.
  • Prioritize, expedite, and patch policy controls and vulnerabilities.
, , , , ,


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.