
Author: Kristoffer Björklund
Supervisor: Ola Flygt
Semester: VT 2021
Subject: Computer Science

Bachelor Degree Project

What’s the deal with Stegomalware? - The techniques, challenges, defence and landscape.


Abstract

Stegomalware is the art of hiding malicious software with steganography. Steganography is the technique of hiding data in a seemingly innocuous carrier. The occurrence of stegomalware is increasing, with attackers using ingenious techniques to avoid detection.

Through a literature review, this thesis explores prevalent techniques used by attackers and their efficacy. Furthermore, it investigates detection techniques and defensive measures against stegomalware. The results show that embedding information in images is common for exfiltrating data or sending smaller files to an infected host. Word, Excel and PDF documents are common in phishing emails, which serve as the entry vector for attacks.

Most of the common Internet protocols are used to exfiltrate data, with HTTP, ICMP and DNS shown to be the most prevalent in recent attacks. Machine learning anomaly-based detection techniques show promising results for detecting unknown malware; however, a combination of several techniques seems preferable. Employee knowledge, Content Threat Removal and traffic normalization are all effective defenses against stegomalware. The stegomalware landscape shows an increase in attacks that use obfuscation techniques, such as steganography, to bypass security, and this is most likely to keep increasing in the near future.

Keywords: Stegomalware, steganography, information hiding, covert channel


Preface

I want to give a big thank you to Ola who supervised and helped me throughout my work on my thesis. Without his guidance and help, this would not have been possible. I also want to thank my friend Niko who always was there to discuss ideas and to give support during this process. Finally, I of course want to express my appreciation of the support and words of encouragement I have received from my family and partner.


Contents

1 Introduction
1.1 Background
1.2 Related work
1.3 Problem formulation
1.4 Motivation
1.5 Scope/Limitation
1.6 Target group
1.7 Outline
2 Method
2.1 Literature review
2.2 Reliability and Validity
2.3 Ethical considerations
3 Theoretical Background
3.1 Steganography
3.1.1 Image Steganography
3.1.2 Network Steganography
3.1.3 Digital Media Steganography
3.2 Effectiveness
3.3 Steganalysis
3.4 Malware
3.5 Malware detection
3.6 Advanced Persistent Threats
3.7 Command and Control
4 Results
4.1 What are the most prevalent techniques used for stegomalware and how effective are they?
4.1.1 Digital media files
4.1.2 Covert channels
4.1.3 How effective are these techniques?
4.1.4 Effectiveness of digital media steganography
4.1.5 Effectiveness of covert channels
4.2 The main challenges that arise when trying to detect stegomalware
4.2.1 Challenges when detecting hidden information in digital media
4.2.2 Challenges when detecting covert channels
4.2.3 Stegomalware detection techniques
4.3 Defending against stegomalware
4.4 The stegomalware landscape today
5 Analysis
5.1 What are the most prevalent techniques used for stegomalware and how effective are they?
5.1.1 Digital media files
5.1.2 Covert Channels
5.1.3 Effectiveness of digital media steganography
5.1.4 Effectiveness of covert channels
5.2 What are the main challenges in detecting stegomalware hidden with these techniques?
5.2.1 Challenges when detecting hidden information in digital media
5.2.2 Challenges when detecting covert channels
5.2.3 Stegomalware detection techniques
5.3 What is the state of the art when it comes to defending against stegomalware?
5.4 How common is the use of stegomalware in modern attacks?
6 Discussion
7 Conclusion and Future Work
7.1 Scientific contribution
7.2 Future Work
References


1 Introduction

The occurrence of malware is on the rise in our digital landscape [1]. Steganography, in the digital realm, is the science of hiding information in digital structures [2]. This has given rise to hiding malware with the use of steganography to avoid detection, and more sophisticated cyberattacks have become more common as a result [3]. This has led to the EU funding projects such as CUING (Criminal Use of Information Hiding) and SIMARGL (Secure Intelligent Methods for Advanced Recognition of Malware and Stegomalware). CUING reports that the number of incidents involving the use of stegware increased between 2011 and 2019 [4], and states that it is likely that more stegware is yet to be discovered.

The aim of this thesis is to investigate the techniques used to hide stegomalware, how to detect and defend against the threat, and the current landscape of stegomalware.

To achieve this, a literature review was performed using peer-reviewed articles, blog posts, news articles, threat reports and malware analysis documents.

The results showed that images and Word, Excel and PDF documents are the most common carriers when it comes to digital media files. Data embedded in network traffic was most often found in HTTP and DNS traffic; however, ICMP, TCP and UDP were also used. The human factor, the use of common protocols and the need for a combination of detection techniques were identified as challenges for detecting stegomalware. Defending against stegomalware requires a combination of multiple factors, such as trained employees and updated systems. The current landscape showed several newly reported attacks that use steganographic techniques to hide malware.

1.1 Background

Steganography literally means "covered writing" or "secret writing", derived from the Greek word Steganographia [5]. It is the process of concealing information in a seemingly innocuous cover medium. It is far from a new concept but has found a new use case in the cyber world as a key feature for obfuscating malicious software.

Such software with malicious intent is called malware and has been around since the 80s. It is commonly developed by cybercriminals to leak sensitive information, damage computer systems or steal banking information, for example. Malware is a term used to summarize viruses, worms, spyware and ransomware, to name a few. In recent times, with the rise of more sophisticated malware, the use of steganography has also increased.

Combining steganography and malware has given rise to a new threat. Stegomalware/stegware is a term used for malware that has been hidden with the use of steganographic techniques.

Since the malware is hidden within another medium, traditional anti-malware software cannot detect it. There are a few different techniques for hiding malware to avoid detection. Malware can for example be hidden in the pixels of an image, included in document macros or embedded in network packets.

Although steganography can be combined with malware for malicious purposes, steganography in itself can be used with good intent as well. It is a useful tool in countries where free speech is not a given right, to be able to communicate freely. Steganography can also be used by journalists reporting news from countries where the government might want to censor what is reported.


1.2 Related work

The EU funded project SIMARGL categorises stegomalware into three different groups [4]. Group 1 is defined as malware that uses some kind of digital media file as the carrier for secret data. Group 2 is defined as malware that embeds secret data by modifying the file structure of a digital image. Lastly, the third group is defined as malware that utilises network traffic and injects the secret data there.

Mazurczyk and Caviglione [6] also bring up different group classifications. They have two similar groups, modifying a digital image and injecting data into network traffic. However, their third group includes methods that modulate shared hardware/software resources to hide information.

An overview of current malware, including information hiding techniques as well as detection methods, is given in [7]. The authors mention how steganography can be used to hide malware, and how steganography can be used together with ransomware and exploit kits to make them more advanced.

Using a digital media file as a carrier has been used in several reported cyberattacks [8], the most popular type of file being a digital image. This technique can be used for many different purposes, for example to send a URL to malware that has already infected a computer, which can then be used to download additional code or instructions. The whole malicious code can also be sent in this manner [8].

Exploit kits are automated threats that can be anything from ransomware to rootkits [9]. Combining steganography techniques with exploit kits has become a method that allows users of an exploit kit to avoid detection more easily. In 2016, the first exploit kit to implement information hiding was the Stegano/Astrum exploit kit [7]. It was used to embed malware into ads on websites, which is referred to as "malvertising".

Hiding information within legitimate network traffic, for example, is referred to as covert channels or network steganography [10, p. 41-44]. These two terms are used interchangeably, which will be discussed in later chapters. Several different techniques have been proposed that use different protocols, such as TLS [11] and IPv6 [12]. In 2003, Szczypiorski proposed a new method that would intentionally use wrong checksums within transmission frames for covert communication [13].

[14] presents a technique to detect hidden communication within covert channels. Using histograms of time relations between IP packets, attacks using network steganography can be detected. [15] shows a way to detect a payload that has been embedded into a PDF document using a tool called OpenPuff. By looking for certain hexadecimal values, they show that with a short script they can confidently detect the presence of hidden information.

In [16] the authors present a detection method involving the Linux kernel. By leveraging the extended Berkeley Packet Filter (eBPF), they can monitor and trace the behavior of software processes and network traffic. They conduct two tests, one with colluding applications and another with a covert channel implemented in IPv6 traffic.

Mobile malware has reportedly increased [1]. In the case of smartphones, local covert channels can be set up between two colluding applications with the intention of stealing personal information. In [17] the authors present a method for detecting these covert channels by measuring the energy consumed by the device. The tests performed used two different detection methods based on artificial intelligence.


1.3 Problem formulation

The field of stegomalware research is growing, and there is therefore quite a lot of research available online. Articles have given summaries of steganography techniques and different stegomalware methods [7, 18]; however, these have given more of a bird's-eye view. To the best of my knowledge, no report has given a summary in high detail, nor discussed the efficacy of different techniques and the main challenges that arise when it comes to the detection of stegomalware using these techniques.

Defending oneself against stegomalware goes hand in hand with the detection of stegomalware. However, this is not discussed much in the literature. Moreover, attacks mentioned in peer-reviewed articles are often several years old, and no peer-reviewed article I found during research has discussed the occurrence of stegomalware in the newest reported attacks.

RQ1 What are the most prevalent techniques used for hiding stegomalware and how effective are they?

RQ2 What are the main challenges in detecting stegomalware hidden with these techniques?

RQ3 What is the state of the art when it comes to defending against stegomalware?

RQ4 How common is the use of stegomalware in modern attacks?

1.4 Motivation

The occurrence of malware is increasing [1] and the usage of steganographic techniques in combination with malware is being spotted more often in the wild [4]. Since this trend is most likely only going to increase as cyberattacks become more sophisticated, the need for security personnel to be informed about the modern landscape becomes more important.

The aim of this thesis is to help inform the target group and others of the threat that is stegomalware in an attempt to give this threat the attention that is required when it comes to security. An arms race is happening right now between the developers of malware and the cyber security community [7]. Falling behind when it comes to detecting and defending against stegomalware may lead to devastating events.

1.5 Scope/Limitation

In this thesis I limit myself to malware obfuscated with steganographic techniques and not other types of obfuscation techniques, as seen in [19] for example. The types of steganographic techniques most widely used, and those that will be discussed in this thesis, are digital media steganography (image, text, audio and video, for example) and network steganography (covert channels).

1.6 Target group

This research will focus on analyzing the various methods and techniques used for stegomalware and what challenges are involved in the detection of such techniques. Moreover, the defensive strategies against stegomalware will be discussed, as well as the role stegomalware plays in modern cyberattacks. This will be achieved with a literature review. This thesis aims to provide IT-security professionals with information about how an attacker may use these techniques to avoid detection upon intrusion or once inside their systems or network. Moreover, this thesis can serve as a foundation for researchers within the IT-security community as well as for developers of software that can detect this type of threat.


1.7 Outline

The rest of this thesis is organized as follows. In Chapter 2 the chosen methodology, research method and ethical considerations are introduced and discussed. Chapter 3 introduces the theoretical background, discussing all theory behind the concepts needed for understanding the area of stegomalware. Chapter 4 presents the results found from the literature review, with each research question answered in order. In Chapter 5 an analysis of the results presented in Chapter 4 is performed. Chapter 6 discusses areas of interest and observations made during work on this thesis. In Chapter 7 the results are briefly summarized and concluded, and possible future work is introduced.


2 Method

This chapter will bring up the scientific method that was chosen to answer the research questions. This thesis used a literature review.

2.1 Literature review

A literature review was performed to answer the research questions for this thesis. There are articles that describe the common techniques used to hide malware with the use of steganographic techniques; however, to the best of my knowledge, no article describes these techniques as well as their effectiveness in a single report.

Articles were chosen if they came from trusted databases. Blog posts and news articles were used in this thesis only if what they claimed could be confirmed from several sources, to make sure that no misinformation was presented. Moreover, threat reports were included if they came from well known organizations within the IT-security community. The same reasoning went into choosing the malware analysis reports.

The table below shows the types of sources used as well as how many of each are included in this thesis.

Source type                   Count
Peer-reviewed articles           61
Blog posts / news articles       25
Threat reports                    7
Malware analysis                  6

Several databases were searched when looking for articles for this thesis. They were as follows: Google Scholar, Web of Science, Science Direct, Research Gate, IEEE, ACM Digital Library, the SIMARGL (Secure Intelligent Methods for Advanced Recognition of Malware and Stegomalware) project and CUING (Criminal Use of Information Hiding). The search terms revolved around "stegomalware", "stegomalware detection" and "stegomalware techniques".

Articles that research information hiding techniques for malware but did not use steganographic techniques were excluded, since they use other methods to obfuscate their existence and would therefore be outside the scope of stegomalware.

Since it takes time for peer-reviewed articles to get published, it is hard to find articles that mention the latest news. To tackle this information gap, blog posts and news articles were also searched to find the newest cyberattacks that involve stegomalware. These were found by normal Google searches; however, each source chosen was also checked to make sure that no misinformation was presented. Furthermore, threat reports were used to be able to provide information about the current and recent landscape. Malware analysis publications were also used to gain a deeper understanding of how certain attacks worked. All sources used were in English.

The reason for not doing a systematic literature review for this work is that the area in which to find information would most likely be too small. Being able to search in many places, with blog posts and news articles as available information, allows this work to consider information not only from peer-reviewed articles when it comes to recent cyberattacks, for example.


2.2 Reliability and Validity

Repeating the searches described in the previous section should yield the same information and results, which gives the results of this literature review reliability.

When looking at blog posts and news articles, I always made sure to find other posts that state the same things that another post may have stated. This is to limit the risk of a blog post or news article presenting misleading or false information. This is of course a bigger risk than when reading peer-reviewed articles. Presentations were also used as references, but only if they were from known researchers within the field of stegomalware research or other trusted sources.

2.3 Ethical considerations

When it comes to the ethical considerations for this thesis, no practical work with malware is displayed, which may make it seem like this discussion is not that significant. However, when it comes to the subject of talking about malware and stegomalware specifically, there is a discussion to be made. Even if no implementation is proposed, there are articles used as references that have implemented different techniques and are therefore subject to ethical consideration. The information provided in this thesis is for education purposes only and any use of stegomalware with malicious intent is illegal.

When proposing a new method for hiding malware with steganographic techniques and presenting an implementation for it, the ethical thing would be to provide, along with the implementation, ways of detecting the use of the proposed technique.

As stated, no experiments have been done for this thesis. There is however a discussion to be made around implementing tools to detect stegomalware, specifically involving GDPR compliance [20]. A point that is brought up is that when detecting malware/stegomalware, the data being processed by the tools is most likely also private/personal data. This means that the processes or elements companies need in order to be GDPR compliant are themselves also affected by the same law. This is of course only applicable to states or companies that are within the EU or handle information about citizens residing in the EU.


3 Theoretical Background

This chapter will introduce the theory needed to understand the area of stegomalware. Steganography and the different types of steganography will first be introduced. Image steganography, although part of digital media file steganography, will be discussed separately since it is a more common and more widely discussed technique. Lastly, steganalysis will be introduced, followed by malware, Advanced Persistent Threats (APTs), Command & Control and effectiveness.

3.1 Steganography

Information hiding is a term that encompasses both steganography and watermarking [21]. Steganography and watermarking can sometimes be hard to differentiate since they share many similarities. Watermarking is often used to verify the ownership and authenticity of a digital image, for example. The focus of this section and this thesis is, however, on steganography. Note in Figure 3.1 below how the two areas are separated; it will help to differentiate watermarking from steganography.

Figure 3.1: Image recreated from [21]

Steganography is the art of hiding information. When it comes to the digital world, information is hidden in files or other digital structures [2]. As seen in the figure above, it is the realm of technical steganography that is discussed in this thesis.

However, steganography is nothing new. It has been used since ancient Greece, where secret messages were sent with wax-covered tablets. The wax was scraped off, a message was written on the tablet, and the wax was applied once more to make the tablet look unused [5]. A carrier in the case of digital steganography can for example be an image, a PDF document, a network packet or an audio file. In the ancient Greek example with wax tablets, the tablet would be seen as the carrier. Unlike cryptography, which hides the content of a message, steganography is all about hiding the existence of the message itself. Even if one were to send an encrypted message, the fact that the message is encrypted would raise suspicion and make a third party aware that secret or sensitive information is being sent. If one were to send information using a steganographic technique, and did so correctly, the third party would never know that sensitive or secret information was sent in the first place. The goal of steganography is security through obscurity [2].

It is also possible to use a combination of steganography and cryptography (and possibly also compress the message so that it takes up far less space in the carrier). To do this one would take a message, encrypt it and then embed it. If a third party were to intercept the file where the information is embedded, and were also able to extract the information, it would still be encrypted and could not be read by the third party.

A few components are part of the creation of a stego-carrier (carrier media with a steganographic payload). As stated by Johnson and Jajodia [22], a cover medium and the embedded message create a stego-carrier. A key, or stegokey in this case, might also be used to add an additional layer of security. This may be a shared secret such as a password. They also show a simple formula for how this may look:

cover medium + embedded message + stegokey = stego-medium [22]

This basic formula is applicable to any type of steganographic technique. This will be discussed in more detail in the following sections.

3.1.1 Image Steganography

Image steganography, as the name would suggest, is using an image as the carrier to hide information. Using images is the most popular choice of carrier media [23]. If applying the formula provided above to image steganography the resulting stego-medium would in this case be a stego-image. This will be used in this section to describe an image after information has been embedded.

The field of image steganography is very wide. It includes many different techniques when it comes to how the information is embedded into an image. Image steganography can be split into different groups, i.e. spatial/image domain, transform domain, spread spectrum and model-based steganography [22, 24, 25, 26]. Some articles have divided or included more groups than others; however, only spatial and transform domain techniques will be discussed in this section, as they are commonly used in steganography tools.

There are specific techniques that are within the spatial and transform domain. Starting with the transform domain steganography, information is hidden by altering the coefficients in the frequency domain. This can for example be Discrete Cosine Transform (DCT), Discrete Fourier Transform (DFT) or Discrete Wavelet Transform (DWT) [27].

Moving on to the spatial domain, one of the most widely discussed techniques is Least Significant Bit (LSB) steganography. LSB methods are easy to implement, which leads to them often being used in free steganography tools that can be found online [28]. The basic idea behind LSB steganography is embedding the desired message by changing the least significant bit of the color channels in each pixel of an image. If this method is correctly used, the changes to the image will be imperceptible to the human eye. There are two types of LSB steganography: LSB replacement and LSB matching. LSB matching is deemed more secure than LSB replacement, i.e. it is harder to detect the presence of embedded information if it is hidden using LSB matching [28].

No matter if LSB matching or LSB replacement is chosen, the desired message is converted into a stream of bits and it is those bits that are then embedded. LSB matching works as follows: take each pixel of the cover image (it is also possible to use a shared secret key in order to pick the pixels in a pseudo-random order), then check if the LSB of the chosen pixel matches the next bit of the message. If it is a match, do nothing and continue the process. If the bits do not match, randomly add or subtract one from the pixel value of the cover image. If the message contains fewer bits than the number of pixels, the changes will be spread evenly across the entire image. LSB replacement, however, simply overwrites the LSBs of the cover pixels [28].

Looking at an RGB pixel, it consists of 3 bytes, where each byte represents one color channel. For example, if a pixel has the value 0,0,255 then the pixel is entirely blue. Looking closer at each byte, it looks like this:

Figure 3.2: Representation of a byte

The numbers on top represent the value of each bit. When a pixel has the value 0,0,255, the blue byte has all bits set to 1, as shown in Figure 3.2. The bit with value 1 is the least significant bit, and that is what is changed when performing LSB steganography. Since there are 3 bytes per pixel, we can modify 3 bits per pixel without there being a perceptible change to the image. Looking at the two squares of blue in Figure 3.3, there is no noticeable difference between them.


Figure 3.3: Blue color with 1 bit difference. (a) 0,0,255. (b) 0,0,254.
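The two LSB variants described above, as an added example that is not code from the thesis or from any tool it cites: the Python script below embeds and extracts a payload with both LSB replacement and LSB matching over a flat list of channel samples, and computes a pairs-of-values statistic that shows why replacement is easier to detect (the observation behind the chi-square attack on LSB replacement). The solid cover colour (10,20,200), the stegokey "shared-secret" and the payload are constructed assumptions, chosen so that no sample sits on the 0/255 boundary where matching is forced into a single direction.

```python
import random


def _bits(data: bytes):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _order(n_samples: int, key):
    """Order in which samples are visited: sequential without a key, or a
    pseudo-random permutation seeded by the shared stegokey (as the thesis
    describes). Sender and receiver must use the same key."""
    order = list(range(n_samples))
    if key is not None:
        random.Random(key).shuffle(order)
    return order


def embed(cover, message: bytes, mode="replace", key=None, rng=None):
    """Return a stego copy of `cover`, a flat list of 0..255 channel samples.

    mode="replace": overwrite the LSB of the visited sample with the message bit.
    mode="match":   leave the sample alone if its LSB already equals the bit,
                    otherwise add or subtract 1 at random; at the 0 and 255
                    boundaries only one direction is possible, so it is forced.
    """
    rng = rng or random.Random()
    stego = list(cover)
    bits = list(_bits(message))
    if len(bits) > len(stego):
        raise ValueError("message does not fit in the cover")
    for idx, bit in zip(_order(len(stego), key), bits):
        value = stego[idx]
        if (value & 1) == bit:
            continue
        if mode == "replace":
            value = (value & ~1) | bit
        elif mode == "match":
            if value == 0:
                value += 1
            elif value == 255:
                value -= 1
            else:
                value += rng.choice((-1, 1))
        else:
            raise ValueError("mode must be 'replace' or 'match'")
        stego[idx] = value
    return stego


def extract(stego, n_bytes: int, key=None) -> bytes:
    """Read n_bytes back from the LSBs; identical for both embedding modes."""
    order = _order(len(stego), key)
    out = bytearray()
    for i in range(n_bytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (stego[order[8 * i + j]] & 1)
        out.append(byte)
    return bytes(out)


def pov_imbalance(samples) -> float:
    """Pairs-of-values statistic in [0, 1]: sum over pairs (2k, 2k+1) of
    |count(2k) - count(2k+1)|, divided by the number of samples. Full-capacity
    LSB replacement pushes the two counts of every pair towards equality (the
    observation behind the chi-square attack); LSB matching moves samples into
    neighbouring pairs instead, so the statistic stays high."""
    counts = [0] * 256
    for value in samples:
        counts[value] += 1
    diff = sum(abs(counts[2 * k] - counts[2 * k + 1]) for k in range(128))
    return diff / len(samples)


def demo(seed=7):
    """Embed a full-capacity payload with both modes and compare the results."""
    rng = random.Random(seed)
    # Constructed cover: a 40x40 solid patch of colour (10, 20, 200). All
    # samples are even, i.e. on the lower side of their pair, and none sits on
    # the 0/255 boundary where matching would degenerate into replacement.
    cover = [10, 20, 200] * (40 * 40)
    # Constructed payload: 600 pseudo-random bytes = 4800 bits = one per sample.
    payload = bytes(rng.randrange(256) for _ in range(600))
    key = "shared-secret"  # assumed stegokey known to sender and receiver
    stego_r = embed(cover, payload, "replace", key=key)
    stego_m = embed(cover, payload, "match", key=key, rng=rng)
    return {
        "roundtrip_replace": extract(stego_r, len(payload), key=key) == payload,
        "roundtrip_match": extract(stego_m, len(payload), key=key) == payload,
        "max_change": max(abs(a - b) for s in (stego_r, stego_m)
                          for a, b in zip(cover, s)),
        "imbalance_cover": pov_imbalance(cover),
        "imbalance_replace": pov_imbalance(stego_r),
        "imbalance_match": pov_imbalance(stego_m),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the constructed cover the statistic is 1.0 before embedding, drops close to 0 after full-capacity replacement, and stays around 0.5 after matching, even though both modes change no sample by more than 1; this is what the text above means by matching being harder to detect.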

When choosing an image to embed a message in, it should be chosen wisely. Taking an image from Google or other places online is not the smartest idea, because if the stego-image is captured and the image used as the carrier is found as well, then it is possible to compare them when performing steganalysis. Steganalysis will be discussed in a later section. A personally taken image is the best way to go, and the cover image should then be discarded to make sure that it cannot be uncovered later on.

Since images are widely available and often posted online on places like Facebook or other image sharing websites, it is easy to upload a stego-image intended for a specific recipient without raising suspicion.

3.1.2 Network Steganography

Before going into detail about network steganography, a discussion is to be made about the terms network protocol steganography and covert channels. As stated in [10, p. 42], the distinction between the two terms is not well grounded. Covert channels are defined as communication channels that were not intended nor designed to be used to transfer information at all. Covert channels were originally defined by Lampson [29]. One thing to be said is that steganography and covert channels do not describe or encompass different hiding techniques; it is the evolution of the data carrier used that distinguishes them. Hiding the use of a specific protocol within another protocol is also referred to as tunneling.

The two terms mentioned can both be described as network steganography. The definition and use of the term network steganography in this thesis will follow the one given in [10, p. 41], i.e. "that network steganography techniques, as other steganography techniques, create covert (steganographic) channels for hidden communication, but such covert channels do not exist in communication networks without steganography (only the possibility for such channels exist a priori)".

Much like image steganography, where the aim is to hide a secret message without significantly altering the carrier, network steganography aims to hide information in normal transmission without significantly altering the carrier. Since network packets cannot be seen by humans in the way images can, for example, it is designed mainly to fool network devices so that it is not detected.

In the field of network steganography, there are carriers and subcarriers. A carrier is an overt traffic flow that goes between the sender and receiver of the hidden information. A carrier can possess many places in which to hide information. Such a place is called a subcarrier and is a "place" or the timing of certain "events" of a carrier. It can for example be padding, header fields or even a specific sequence of packets. Subcarriers are usually based on timings or storage to act as the covert channel [10, p. 45].

Sending secret information with the use of specific packets can be done by using different packets to signify bits. For example, one might use the UDP protocol to signify "1" and ICMP to signify "0". Looking at Figure 3.4, sending the packets in this order would send the bits "110101". It is also possible to encode information like this by using multiple TCP connections, for example, and using the timings of packets in the different streams to signify "1" or "0" [10, p. 46-47].

Figure 3.4: Transmission using different protocols

There are three features that can be used to characterize network steganography methods: steganographic bandwidth, undetectability and robustness. Steganographic bandwidth defines how much data can be sent per time unit (which depends on the method). Undetectability defines whether a third party or an adversary is able to detect the steganographic payload within the carrier. Lastly, robustness defines the amount of alteration that the secret message can take without being destroyed, or the ability of a channel to persist through filters, for example [10, p. 48]. These characteristics can also be applied to other steganography methods.

As mentioned before, it is possible to use different fields in protocols to hide information, for example in the HTTP header fields, TCP header fields or in different IPv6 header fields [12]. This might make one wonder why we don’t design "steganography-free" protocols. It is hard as well as very impractical, since it would unreasonably limit the extensibility and/or the functionality of the protocol [10, p. 46]. Network steganography can be achieved using the simplest protocols. However, using more sophisticated or complex protocols will often present more opportunities to hide information.


3.1.3 Digital Media Steganography

This section will briefly discuss steganography using other digital media such as audio files and PDF documents.

Unlike image or video steganography, which exploits the limitations of the Human Visual System (HVS), audio steganography exploits a property of the Human Auditory System (HAS) called the masking effect: a large-amplitude stimulus makes us less sensitive to smaller stimuli [30]. Like image steganography, there are techniques that reside in different domains, such as the temporal and transform domains. Furthermore, much like image steganography, there is LSB steganography within this area as well. Taking an audio sample of 16 kHz, you are able to embed 16 kbps [31].

Text steganography is the technique of hiding information in a text document, such as a Word document, and is considered hard since a text document does not contain much redundant information [32]. Small alterations can also have a large impact on the visual appearance of a file. There are three main categories of text steganography, based on the embedding technique used. First, character-level embedding directly embeds secrets using different characters inside the text document. This technique also has two sub-categories, cover document necessary and character making.

Secondly, bit-level embedding is similar to the types of bit-level embedding mentioned in earlier sections. With this method, you take the message, convert it into bits, for example by taking the binary representation of the ASCII values, and then embed it into the document.

Lastly, mixed-type embedding takes a combination of the two aforementioned methods, by for example converting a message into bits, mapping the bits to letters and then embedding using character-level embedding.

The Portable Document Format (PDF) was developed by Adobe. Since it is a very popular document format, it has come to be used in the area of steganography. In [33] they present a method of using the ASCII value A0, which is invisible to usual PDF readers. They proposed two different techniques, where you can either embed this between words or between characters in the PDF document. [34] points out that the second technique increases the size of the PDF document compared to the original, which is an obvious disadvantage.

Many different techniques and methods exist when it comes to PDF steganography, and there are also tools that use PDFs, such as OpenPuff. OpenPuff is however seen as insecure according to [15].

3.2 Effectiveness

The effectiveness of specific steganographic techniques can be classified in different ways. This was briefly touched upon in Section 3.1.2. Generally, when implementing different steganographic techniques there are a few main aspects to look out for: robustness, undetectability and steganographic bandwidth/hiding capacity.

Robustness means that a stego-object can withstand alterations without losing or destroying the embedded payload. If an image with a secret message is exposed to techniques such as cropping or transformation which lead to the message being unreadable, it would be classified as having low robustness. In regards to covert channels, good robustness can also be determined based on their survivability, e.g. their ability to persist in the presence of firewalls.


Undetectability is how good a steganographic technique is at avoiding detection. A poorly implemented image steganography technique with too much payload may show distortions that are visually perceptible. This will of course lead to the secret communication being detected. Looking at undetectability for image steganography, it is important that images do not have any visual artefacts that can give away the presence of a secret message.

Using basic LSB steganography, for example, without embedding too much information will be sufficient to avoid visual inspection. However, when using statistical analysis of an image that has data embedded using LSB, techniques such as RS-analysis [35], to name one of many steganalysis techniques, can reliably detect embedded messages.

Steganographic bandwidth or hiding capacity is how much information can be embedded into a carrier. Steganographic bandwidth is a term more commonly used when talking about network steganography [10, p. 48]. The hiding capacity of different techniques can differ depending on where the data is hidden. As mentioned in Section 3.1.1, using LSB steganography, for example, will allow you to hide 3 bits per pixel without this being visually perceptible.

Therefore, a larger image resolution allows you to embed more data than a smaller image. When it comes to steganographic bandwidth, there are more factors to take into consideration. If you choose to create a covert channel by embedding secret messages in the Type of Service field of the IP header instead of establishing your own overt channel in which you embed your covert channel, then the steganographic bandwidth will most likely be smaller. The bandwidth also depends on the packet rate of a network, for example. More packets sent per time unit means that more information can be transmitted.

3.3 Steganalysis

Steganalysis is the art and science of detecting the use of steganography given a digital medium [36]. Just like steganography, there are many different techniques, and the goal is to detect a hidden message and preferably be able to extract it. It is also possible to try to distort or destroy hidden information to make it unusable to the receiver. Steganalysis techniques are often referred to as attacks.

There are different types of attacks. Visual attacks are, as the name suggests, visually inspecting an image, for example, to try to identify visual artefacts. It can, for example, be to look at the color palette of a bitmap image and view the luminance. It is also possible to view images with a hex editor to find messages that might be appended after the EOF marker. This type of steganography is the most basic but also one of the easiest to detect.

However, as steganography techniques have become better, visual attacks are more or less useless. Therefore, statistical attacks are much more common. These types of attacks look at the statistics of images, for example, to see if the result deviates from what is considered "normal" behavior.

Jessica Fridrich et al. [35] presented Regular-Singular (RS) analysis to detect the use of LSB steganography. They use different functions to categorize pixel groups (Regular, Singular and Unusable). Depending on the resulting relation between the groups, the use of LSB steganography, as well as the length of the embedded message, can be determined.
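As an added illustration, written for this thesis and not taken from [35], the following Python script implements a minimal RS analysis on a constructed grayscale image and compares the group statistics before and after full-capacity LSB replacement. The synthetic image, the flipping mask (0,1,1,0) and the decision rule at the end are assumptions made for the example.

```python
import random

WIDTH, HEIGHT = 64, 64
MASK = (0, 1, 1, 0)  # which pixels of each 4-pixel group are flipped (assumed mask)


def make_cover(seed=7):
    """Constructed 8-bit grayscale cover: a slow ramp plus small sensor-like noise."""
    rng = random.Random(seed)
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            value = 100 + (x + y) // 3 + rng.randint(-1, 1)
            pixels.append(max(0, min(255, value)))
    return pixels


def embed_lsb(pixels, seed=11):
    """Full-capacity LSB replacement with a random bit stream; used here only
    to produce a stego test image for the analysis below."""
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in pixels]


def flip_f1(v):
    """F1: swap the LSB pairs 0<->1, 2<->3, ... (plain LSB flipping)."""
    return v ^ 1


def flip_f_minus1(v):
    """F-1: swap the shifted pairs -1<->0, 1<->2, ..., 255<->256."""
    return flip_f1(v + 1) - 1


def smoothness(group):
    """Discrimination function: sum of absolute differences between neighbours."""
    return sum(abs(group[i + 1] - group[i]) for i in range(len(group) - 1))


def rs_counts(pixels, flip):
    """Fractions of Regular and Singular groups for one flipping function."""
    regular = singular = total = 0
    for start in range(0, len(pixels) - 3, 4):
        group = pixels[start:start + 4]
        flipped = [flip(v) if m else v for v, m in zip(group, MASK)]
        before, after = smoothness(group), smoothness(flipped)
        total += 1
        if after > before:
            regular += 1
        elif after < before:
            singular += 1
    return regular / total, singular / total


def rs_analyse(pixels):
    """Return the four RS statistics and a simple verdict.
    In a clean image R_M ~ R_-M > S_M ~ S_-M. Random LSB replacement drives
    R_M and S_M together while pushing R_-M and S_-M apart, so a small R_M - S_M
    next to a clearly positive R_-M - S_-M indicates LSB embedding."""
    r_m, s_m = rs_counts(pixels, flip_f1)
    r_neg, s_neg = rs_counts(pixels, flip_f_minus1)
    suspected = (r_m - s_m) < 0.5 * (r_neg - s_neg)  # assumed decision rule
    return {"R_M": r_m, "S_M": s_m, "R_-M": r_neg, "S_-M": s_neg,
            "lsb_embedding_suspected": suspected}


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover)
    for name, image in (("cover", cover), ("stego", stego)):
        print(name, rs_analyse(image))
```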

It is also possible to detect hidden messages by analysing the DCT coefficients mentioned earlier [37]. Looking at a JPEG image without an embedded message, a histogram of the DCT coefficients usually follows a Gaussian distribution. Looking at Figure 3.5, you can see a generally smooth curve, with 0 clearly having the highest number of occurrences.


Looking at a histogram with an embedded message at full capacity, the histogram may look something like Figure 3.6. It is immediately clear how examining the DCT coefficients can lead to detecting a hidden message. However, there are better and worse embedding algorithms that make this more or less useful.

Machine learning is also being used to detect hidden messages or data. [38] uses machine learning to detect packed executables after converting a .exe file into a grey scale bitmap image. Although this was used for executable files, it is possible to apply machine learning to virtually anything, including all or most forms of steganography.

Figure 3.5: Histogram of a normal image. Recreated from [39]


Figure 3.6: Histogram with hidden message embedded at full capacity. Recreated from [39]

3.4 Malware

Malicious software (malware) is nothing new. There are many different types of malware, such as cryptojacking, ransomware, spyware, worms and viruses. According to McAfee [40], ransomware, mobile malware and coin miner malware, to name a few, have all increased in the last year, with an overall increase in malware attacks.

Ransomware is malware that is used to force people to pay criminal actors. First, a machine is infected, by phishing or malvertisement for example. Malvertisement is advertisement on a website, for example, that has embedded malware. Then the machine can have its files or hard drives encrypted, trying to force the owner of the machine to pay a ransom to have their files decrypted. The widely reported WannaCry malware was a form of ransomware. It is classified as the top priority threat by law enforcement according to Europol [41]. They also report that ransomware is becoming more sophisticated and more targeted than before. Ransomware-as-a-Service (RaaS) on the Darkweb has made it possible for less skilled cybercriminals to use ransomware as a tool to gain money [41].

Cryptojacking is when an unauthorized user abuses services or devices from a third party to mine cryptocurrencies. It can, for example, use CPU power and bandwidth. There is both web-based cryptomining, where the criminal actor has scripts running in a victim's browser, and a second type where the criminal actor has to infect the victim with specific malware to be able to abuse their CPU power, for example.

Spyware is malware that is installed on a victim's machine and monitors different actions [42]. A victim's web surfing habits as well as credentials such as passwords can be stolen. Their internet habits can be sent back to the criminals and used to produce targeted advertisement. Unlike viruses and worms, spyware does not generally aim to cause damage or spread to other systems [43].


3.5 Malware detection

There are two broad categories of malware detection techniques: anomaly-based detection and signature-based detection [44]. Anomaly-based detection inspects a program and compares it to what it considers "normal" behavior to determine whether it is malicious or not.

Anomaly-based detection is closely related to behavior-based detection [7]. Specification-based detection is similar to anomaly-based detection. It is rule-based, but unlike anomaly-based detection, which relies on machine learning, a security expert manually defines the rules. It also assumes that any policy violation is malicious [7].

Signature-based detection looks at characteristics of the program being inspected to see if those characteristics match ones that are known to be malicious. Having a large database of signatures requires good management to maintain a proper rule set, to make sure that the system does not produce an excessive number of false alarms. Signature-based detection offers good protection against older but still active threats, but lacks when it comes to new malware or threats as well as malware that is hidden [7].

Behavior-based malware detection is able to detect malicious behavior during run-time and processes that are unidentified, as well as recognize the type of malware. This allows behavior-based detection to detect unknown malware [7]. There are certain behaviors that it can look for: installing rootkits, creating or executing files, disabling security features or protocols and modifying auto-start, for example. There are a few different ways that behavior can be determined. The system can monitor network traffic, system calls as well as resource changes.

Behavior-based detection has to be adjusted to fit in the intended environment. Features have to be chosen such as network features (used port numbers, network usage, number of TCP packets with SYN flag on [7]), software features (event logs and system calls) and hardware features (battery monitoring, device information and access to IMEI of a smartphone).

Entropy-based detection is also a technique used for malware detection. It calculates the entropy of certain fields and compares it to a threshold. If the calculated value exceeds the threshold, the object is flagged as suspicious [45, 46].

3.6 Advanced Persistent Threats

Advanced Persistent Threats or APT are cyber attacks executed by sophisticated and well-resourced (often state funded) adversaries that are targeting high profile companies or governments [47]. In this paper, I adopt the definition given by NIST, which defines an APT as [48]: "An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives".

This definition gives a good idea of what distinguishes APTs from more common threats. Unlike a normal smaller attack, with financial incentives and demonstrating abilities as motives, APTs always have specific targets and clear goals. Since the adversaries that use APTs are well-resourced and organized, they are able to perform long-term attacks/campaigns against their targets with several repeated attempts. They also use stealth techniques to avoid any detection that their target may have. The table below shows a comparison between more traditional attacks and APTs. Recreated from [47].

              Traditional Attacks                           APT Attacks
Attacker      Mostly single person                          Highly organized, sophisticated, determined and well-resourced group
Target        Unspecified, mostly individual systems        Specific organizations, governmental institutions, commercial enterprises
Purpose       Financial benefits, demonstrating abilities   Competitive advantages, strategic benefits
Approach      Single-run, "smash and grab", short period    Repeated attempts, stays low and slow, adapts to resist defenses, long term

Image steganography is, for example, used in APT attacks. A recent report indicates that the North Korean APT group named Lazarus, which is considered to be responsible for the WannaCry ransomware outbreak, seems to have hidden payloads within BMP image files [49].

The company Malwarebytes also reported this after they identified a document on April 13, 2021, used to target South Korea [50]. The reporting suggests the attack starts with a Microsoft Office document with text that lures the victims into activating macros in order to view the file's content. This triggers a malicious payload. A pop-up message appears claiming to be an old version of Office, but calls an executable HTA file that is compressed as a zlib file within a PNG file. An HTA file is an HTML application file that can also contain VBScript or JavaScript code. When this is decompressed, the PNG is converted to the BMP format, and when this happens, the executable HTA drops a loader for a Remote Access Tool (RAT). This RAT is then able to communicate with a command and control server, from where it can receive commands, for example.

This shows how a victim can be infected in a way where they have no clue that it has even happened. Using steganography and other techniques, it is able to avoid detection and run in the background for a long time before being detected.

3.7 Command and Control

Command and Control, also known as C&C or C2, is the methodology of establishing a connection with an infected host, which criminals use to control their malware and/or botnet as well as receive reports from them. In 2016, a ransomware under the name of TeslaCrypt got an executable from its C&C server that was embedded in a HTTP 404 error page in the HTML comment tags [7]. Events like this show that C&C communication can be done not only through standard encrypted channels, but also through normal, innocent-looking traffic.

Fakem RAT was another case where the C&C traffic was disguised to look like MSN and Yahoo! Messenger or HTTP conversations [51]. The connection to the command and control server is often established early in an attack so that configuration files can be downloaded for the malware or to inform the C2 server of a newly infected machine [52, p. 120][52, p. 78].

C2 channels can have multiple purposes. They can be used to extract information, send commands or configuration files to infected hosts, provide remote access or receive reports from the victim. C2 channels used in APTs can extract information for a long period of time, leading to large data loss for victims. It is a very effective tool since you can hide data in protocols that are not blocked by the firewall. Unlike using digital media files, this allows you to have a continuous data flow [8]. These types of goals affect the later stages of attacks, where the aim is to gain/maintain access to an infected system. This is why they are commonly used in APTs.

What is important when it comes to command and control is to make the communication look normal. Downloading many images from an odd website might raise suspicion, for example. Therefore, public sites such as Twitter can be used to hide C2 traffic by embedding information into images attached to tweets [53]. Fetching tweets, which are typically small, is not ideal for large amounts of data, such as an update for the attack. It is therefore better to use tweets to indicate where updates may be available, for example on file sharing sites. Since these will not be accessed often, the traffic will most likely be considered normal.


4 Results

4.1 What are the most prevalent techniques used for stegomalware and how effective are they?

There are two main categories discussed when it comes to stegomalware: Digital media steganography and network steganography. These will be discussed in separate subsections below including popular techniques within each category.

4.1.1 Digital media files

The table below shows the sources used for this section.

Blog posts/News articles: [54, 55, 50, 49, 56, 4, 57, 58, 59]
Reports: [60, 52]
Articles: [7, 8]

When it comes to digital media files, images seem to be the most popular carrier for hiding malware [4]. There are however many different image formats, JPEG, PNG, GIF and BMP to name a few, with many different techniques for each. First, a look back at earlier malware that used images will be presented.

In 2011, the Duqu malware was used to leak information on control systems. This malware appended information that it wanted to exfiltrate to the end of images and then sent them to a remote server [7]. The Zeus/Zbot malware used a similar technique for hiding configuration files for the malware [8]. Vawtrak is another malware that hid update files, retrieved from its C&C server, in the LSBs of favicons. Each favicon is approximately 4 kB, but this is enough to carry the update file in its LSBs [60]. Furthermore, Stegoloader is a malware, identified back in 2013, that used LSB steganography with BMP and PNG images for hiding encrypted URLs that the malware would use to download additional components [54].

A variant of the aforementioned Zbot malware, dubbed ZeusVM, also uses images to retrieve configuration files [55]. Like Zbot, the configuration files were appended to the end of the image to avoid detection. These types of techniques, where configuration files and the like are pulled from the attacker's server, can also be classified as a covert channel.
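The append-after-EOF technique used by Duqu and Zbot, and the entropy-based detection from Section 3.5, together suggest a simple check. The following Python script is an added example, not taken from the thesis or from any of the referenced reports: it locates the logical end of a PNG (IEND chunk) or JPEG (EOI marker), measures any trailing bytes and their Shannon entropy, and runs on constructed sample images; the 7.0 bits/byte threshold is an assumption.

```python
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "looks encrypted/compressed"


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0..8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def png_end_offset(blob):
    """Walk the PNG chunks and return the offset just past the IEND chunk."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4  # length/type header, data, CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(blob):
    """Walk the JPEG segments (skipping scan data, where 0xFF is always
    followed by 0x00 or an RSTn marker) and return the offset just past EOI."""
    pos = 2  # after SOI
    while pos + 2 <= len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xD9:                              # EOI
            return pos + 2
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:    # standalone markers
            pos += 2
            continue
        if pos + 4 > len(blob):
            return None
        pos += 2 + struct.unpack(">H", blob[pos + 2:pos + 4])[0]
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            while pos + 1 < len(blob) and not (
                    blob[pos] == 0xFF and blob[pos + 1] != 0x00
                    and not 0xD0 <= blob[pos + 1] <= 0xD7):
                pos += 1
    return None


def inspect_image(blob):
    """Report bytes found after the image's logical end and their entropy."""
    if blob.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(blob)
    elif blob.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_end_offset(blob)
    else:
        fmt, end = "unknown", None
    trailer = blob[end:] if end is not None else b""
    entropy = shannon_entropy(trailer)
    return {"format": fmt, "trailer_bytes": len(trailer),
            "trailer_entropy": round(entropy, 2),
            "suspicious": len(trailer) > 0 and entropy >= ENTROPY_THRESHOLD}


# --- constructed sample files (not real malware samples) ---
def png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=2, height=2):
    """Minimal valid 8-bit RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes([200, 100, 50] * width) for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def build_jpeg():
    """JPEG-shaped blob: SOI, APP0, SOS, a few scan bytes with FF00 stuffing, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"


def random_trailer(n=1024, seed=3):
    """Stand-in for an appended encrypted configuration file."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    for label, blob in (("clean png", build_png()), ("png + trailer", build_png() + random_trailer()),
                        ("clean jpeg", build_jpeg()), ("jpeg + trailer", build_jpeg() + random_trailer())):
        print(label, inspect_image(blob))
```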

A recently reported threat using malware embedded in images is one where Lazarus APT conceals malicious code in a BMP image [50, 49] (also mentioned in Section 3.5). To the best of my knowledge, however, exactly how the malicious code is embedded into the image is not yet reported. The attack starts with a malicious macro in a Word document. A pop-up message is displayed claiming to be an old version of Office, but this actually gets a PNG image from the active document, which contains a compressed zlib file within. In the next step, the PNG file is converted into the BMP format by calling a function. Converting the PNG to BMP automatically decompresses the malicious zlib file that is embedded as well.

The most common image steganography technique used by attackers is to modify the least significant bit of, for example, the RGB channels in an image [56] (this type of technique was described in Section 3.1.1). Digital images were also shown to be the most common carrier for stegomalware in the data analysed by CUING, where 40.6% of the malware was hidden in images [4].


There are many different carriers to choose from when it comes to digital media steganography. As mentioned earlier, audio, video, PDF and other media files are also able to be used as carriers [18].

Word documents, Excel files and zip files have also been shown to be abused as the entry vector for attacks [49, 52, 57]. In these cases, the Word documents and Excel files contain malicious macros. They are sent to the victim, who is lured into opening the files and enabling macros. This is when the attack starts. Zip files have also been sent via phishing campaigns where, for example, an embedded PowerShell script is contained that starts the attack [58]. In this example, other scripts are also downloaded and Windows Defender is disabled. PDF files are also used in phishing campaigns, with a reported increase of 1,160% in detected malicious PDF files [59]. PDF files can contain malicious JavaScript code that allows attackers to gain execution control on the infected machine [61]. The more recent trend among malicious PDF documents seems to be traffic redirection. Doing this allows attackers to use a technique called drive-by-download. This technique forces victims to download malware without being aware that it is happening [62].

4.1.2 Covert channels

The table below shows the sources used for this section.

Blog posts/News articles: [63, 64, 12]
Reports: [65, 66, 67, 50]
Articles: [68, 69]

Covert channels have been discussed earlier in this thesis. They are most often used in later stages of an attack for extracting information from the infected machine, sending commands to the malware or giving remote control of the infected machine, as backdoors for example [63]. As discussed in Section 3.1.2, there are different methods for creating different types of covert channels, such as timing channels, sequence channels or utilizing different fields in headers (storage channels) to embed information. To use network steganography/covert channels successfully, two conditions must be met. First, the carrier chosen should be popular, to make sure that the presence of the traffic is not seen as an anomaly. Second, the modifications made to the packets to carry the payload should not be noticeable by the system [63].

Lazarus APT used the ThreatNeedle malware to establish a backdoor after infecting victims with a COVID-19 related spear-phishing email [68]. With this backdoor, the attackers could perform several tasks, such as system profiling, updating the backdoor configuration and executing received commands, to name a few. Using SSH tunneling and PuTTY PSCP (PuTTY Secure Copy client), they were able to have remote access to infected machines. For uploading stolen data to their C2 server, HTTP POST requests were used.

According to FireEye, the Sunburst malware that was used as the backdoor in the SolarWinds attack also communicated with its C2 server over the HTTP protocol [65]. The malware masks its traffic by making it look like the Orion Improvement Program (OIP) protocol, so as to mimic normal SolarWinds API communication [65].

The DNS protocol is also a popular candidate when it comes to covert channels. It allows for transferring large amounts of data, since it consists of a large number of packets [63]. The DNS protocol is also used everywhere across the Internet, which means it does not stick out of the ordinary. If an administrator applies rules that are too strict towards the DNS protocol, this may also lead to considerable issues [64]. The W32.Morto bug abused a vulnerability in the Remote Desktop Protocol (RDP) and, once the victim was infected, it made use of the DNS protocol when communicating with its C2 [64]. Another malware that made use of the DNS protocol is the Feederbot malware [66]. As with W32.Morto, it used the DNS protocol for its communication with the C2 server. Furthermore, the PlugX malware is a Remote Access Tool (RAT) that was the most common malware for targeted attacks during 2014 [66]. As with the aforementioned malware, this also used the DNS protocol for its communication with the C2 server. However, the core of this malware supported the use of other protocols as the C2 carrier, which allowed them to use protocols such as TCP, UDP and HTTP for communicating with their C2 server.

A recent blog post from Trustwave shows how attackers utilize the Internet Control Message Protocol (ICMP) to create a tunnel for communicating with the infected machine [67]. This malware was named Pingback and, like many others, uses DLL hijacking. According to Trustwave, the initial entry vector is still being investigated. The ICMP protocol is mainly used for control and diagnostic purposes. It can also be used for malicious purposes, which is why there is a debate whether ICMP should be disabled or not. In this attack, one DLL uses ICMP for its main communication. The ICMP tunnel mainly uses two types of messages, namely echo (code 8) and echo re
ply (code 8). According to Trustwave, the attacker always sent 788 bytes in the ICMP data field.

The malware starts a sniffer on every IP looking for ICMP packets. It specifically looks for an ICMP echo packet that contains ICMP sequence number 1234, 1235 or 1236, as depicted in Figure 4.7. These sequence numbers represent three different messages. 1234 states that the packet contains a command or data. The other two are used for pure ICMP packet communication. 1235 states that data has been received at the attacker's end, and 1236 states that new data has been received by the malware. This malware also supports different commands.

Shell tells the malware to execute a shell command. Exec executes a command on the infected machine. Download has three different modes. The first mode tells the infected machine to connect back to the attacker (this allows attackers to bypass firewalls that block incoming TCP connections). The second mode opens a socket on a specific port to which the attacker connects. The third and final mode is ICMP-based; however, this is very slow and, with the current implementation of the malware, not too reliable when it comes to flow control. The Upload command uploads data and also has three modes similar to Download. Pingback, as described, uses the ICMP protocol for initiating the aforementioned commands but then uses TCP for increased performance and reliability.
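Detection logic for the Pingback indicators above, as an added example written for this thesis rather than taken from Trustwave's report [67]: the Python script parses ICMP echo messages, flags the reported sequence numbers 1234-1236 combined with a 788-byte data field, and separately flags echo payloads far larger than a normal ping. The packets in the capture are constructed, and the 64-byte "typical ping" limit is an assumption.

```python
import struct

PINGBACK_SEQS = {1234, 1235, 1236}  # sequence numbers reported in [67]
PINGBACK_DATA_LEN = 788             # data field size reported in [67]
TYPICAL_PING_DATA_MAX = 64          # assumed: ordinary pings carry 32 or 56 bytes
ECHO_REQUEST, ECHO_REPLY = 8, 0     # ICMP type values


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, data):
    """Constructed ICMP echo/echo-reply message (IP header omitted)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def parse_icmp(msg):
    """Split an ICMP message into its header fields and data; None if too short."""
    if len(msg) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": msg[8:], "checksum_ok": icmp_checksum(msg) == 0}


def classify(msg):
    """Label one ICMP message."""
    info = parse_icmp(msg)
    if info is None or info["type"] not in (ECHO_REQUEST, ECHO_REPLY):
        return "not-echo"
    if info["seq"] in PINGBACK_SEQS and len(info["data"]) == PINGBACK_DATA_LEN:
        return "pingback-signature"   # matches the reported tunnel framing
    if len(info["data"]) > TYPICAL_PING_DATA_MAX:
        return "oversized-echo"       # generic hint that ICMP is carrying data
    return "benign"


def summarise(messages):
    """Count labels over a capture given as a list of ICMP messages."""
    counts = {}
    for msg in messages:
        label = classify(msg)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed capture: two ordinary pings, a command frame and an ack frame
# shaped like the reported tunnel, and one large echo that matches no signature.
SAMPLE_CAPTURE = [
    build_echo(ECHO_REQUEST, 0x1A2B, 1, bytes(range(56))),
    build_echo(ECHO_REPLY, 0x1A2B, 1, bytes(range(56))),
    build_echo(ECHO_REQUEST, 0x0001, 1234, b"\x00" * PINGBACK_DATA_LEN),
    build_echo(ECHO_REQUEST, 0x0001, 1235, b"\x00" * PINGBACK_DATA_LEN),
    build_echo(ECHO_REQUEST, 0x0002, 7, b"\xab" * 1000),
]

if __name__ == "__main__":
    for msg in SAMPLE_CAPTURE:
        info = parse_icmp(msg)
        print(info["type"], info["seq"], len(info["data"]), classify(msg))
    print(summarise(SAMPLE_CAPTURE))
```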

The attack from Lazarus APT in which a BMP image was used to store malware uses HTTP requests, encrypted with a custom algorithm, for its communication with the C2 server, allowing it to receive commands such as sending exfiltrated data to the C2 [50]. The data to be sent back to the C2 is encoded and encrypted and sent to the C2 as test.gif using an HTTP POST request.

Covert channels using the IPv6 protocol have also been discussed by Mazurczyk et al. [12]. They discuss the theoretical possibilities, based on [70], of 6 different methods targeting the IPv6 header, followed by an evaluation based on captured traffic.

(28)

Figure 4.7: Representation of ICMP packet sent by the attacker. Recreated from [67].

The methods are aimed at 6 different fields and the related mechanisms that use them. The first is (1) Traffic Class. As shown in Figure 4.8, it is 8 bits long and consists of two parts, Differentiated Services Code Point (DSCP), which is the first 6 bits, and Explicit Congestion Notification (ECN), which is the last 2 bits; it specifies the expected service from the network. Secret data can be embedded here, which gives a bandwidth of 8 bits per packet. However, intermediate nodes may alter this field, which disrupts the covert channel.

The second is (2) Flow Label, which is 20 bits long and is used by network nodes to route traffic along the most fitting path. Intermediate nodes should not alter this label. Using the Flow Label allows you to transfer 20 bits per packet. The (3) Payload Length defines the size of the data field of the datagram, which is a maximum of 65,536 bytes [70]. By manipulating this field, you can hide information by appending arbitrary data to the payload. To avoid the packet being dropped by intermediate nodes, the checksum has to be updated. The bandwidth of this covert channel depends on the amount of embedded data, but it cannot exceed the maximum size allowed for the datagram. Furthermore, one should remove the hidden information before it is delivered to the receiver [12]. The (4) Next Header field states the next header of the payload of the packet. These can be values such as 6 for TCP, 58 for ICMPv6, 1 for ICMP and 17 for UDP. This field can be altered so that it points to a "fabricated" header containing data. The bandwidth of this technique depends on the size of the fictitious header embedded. Like the aforementioned technique, the hidden information should be removed before being delivered to its final destination. (5) Hop Limit, as the name suggests, defines the maximum number of hops a packet may perform. It is 8 bits long and can therefore have 256 different values. By altering this value, either by increasing or decreasing it for consecutive packets, one can hide information. As long as it is not interrupted, this gives a bandwidth of 1 bit per packet. Lastly, (6) Source Address contains the network address of the source. By replacing some bits, it can reach a maximum bandwidth of 128 bits per packet.

Figure 4.8: IPv6 protocol header. Recreated from [70]

Traffic was captured for four days between Chicago and Seattle to investigate the use of IPv6 in a real-world scenario and found that IPv6 was about 4% of the entire traffic [12].

This was done to investigate which values in the different fields were most common. Starting with Traffic Class, DSCP was observed to take only three distinct values. If DSCP is manipulated to contain anything other than one of those three values, it could be considered an anomaly, leading to the covert channel being detected. ECN was observed to be 0 in 99.99% of the captured packets, which eliminates it from consideration. These findings mean that altering this field gives the attacker 3 usable values instead of the 2^8 = 256 possibilities, i.e. at most log2(3) ≈ 1.58 bits per packet (in practice 1 bit) instead of the 8 proposed in theory. Because of how the Flow Label field is implemented, it was set to 0 in about 96% of the captured packets. Since its behaviour is hard to predict, it is hard to give a precise bandwidth estimate. The maximum payload length of an IPv6 datagram is 65,535 bytes (the Payload Length field is 16 bits long). However, the largest payload in the observed packets was 1460 bytes, which is what one expects from the Maximum Transmission Unit (MTU) of IEEE 802.3/Ethernet at layer 2 [12]. Assuming a 1500-byte MTU, a TCP segment can carry at most 1440 bytes of data (1500 minus the 40-byte IPv6 header and the 20-byte TCP header); [12] arrives at 1416 bytes by also subtracting 24 bytes for Ethernet framing. These findings limit the bandwidth available through the Payload Length field, since anything near the theoretical maximum would present an anomaly leading to possible detection.

The Next Header field is 8 bits long, so it can theoretically hold 2^8 = 256 values. However, according to the captured data, the Next Header field indicated TCP 99.15%, UDP 0.55% and ICMPv6 0.3% of the time. Consequently, very few packets can be manipulated without standing out, leading to very limited bandwidth. Like the previous field, Hop Limit can also take 2^8 = 256 values. The default value for this field is 64; however, the ranges 51-54 and 242-245 were the most commonly observed. The Neighbor Discovery Protocol used by IPv6 handles, among other things, automatic configuration and address resolution for networks [12]. By modulating the Hop Limit between adjacent packets, one can use this field as a covert channel with a bandwidth of 1 bit per packet, as discussed earlier. Lastly, the Source Address is very unreliable, since altering this field may disrupt the network connection. Systems that protect against spoofing can also easily detect this alteration, which destroys this covert channel [12].
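The header-field channels and the baseline-based detection described above, as an added example in Python (not code from the thesis or from [12]): it builds IPv6 fixed headers in memory, encodes one bit per packet by modulating the Hop Limit between adjacent packets, and checks each header against a baseline of the kind measured in [12]. The concrete DSCP whitelist, the Next Header set and the sample packets are constructed assumptions, not values taken from the capture.

```python
"""IPv6 header covert channel (Hop Limit modulation) and a baseline check.

Added example for this section, not code from the thesis or from [12].
Headers are built in memory with struct; no network access is needed.
"""
import struct

# Constructed baseline (assumption): three DSCP code points seen on the link,
# ECN always 0, Next Header limited to TCP, UDP and ICMPv6, as in the capture
# discussed above. A real deployment derives these sets from its own traffic.
BASELINE_DSCP = {0, 8, 46}            # CS0, CS1, EF (assumed values)
BASELINE_NEXT_HEADER = {6, 17, 58}    # TCP, UDP, ICMPv6
MAX_ETHERNET_PAYLOAD_LENGTH = 1460    # 1500-byte MTU minus the 40-byte IPv6 header
DEFAULT_HOP_LIMIT = 64

SRC = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (documentation prefix)
DST = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2


def build_ipv6_header(payload_len, next_header=6, hop_limit=DEFAULT_HOP_LIMIT,
                      dscp=0, ecn=0, flow_label=0, src=SRC, dst=DST):
    """Return the 40-byte IPv6 fixed header (RFC 8200 field layout)."""
    traffic_class = (dscp << 2) | ecn
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB16s16s", first_word, payload_len,
                       next_header, hop_limit, src, dst)


def parse_ipv6_header(hdr):
    """Split a fixed header into the fields discussed in this section."""
    first_word, payload_len, next_header, hop_limit, src, dst = struct.unpack(
        "!IHBB16s16s", hdr[:40])
    traffic_class = (first_word >> 20) & 0xFF
    return {
        "version": first_word >> 28,
        "dscp": traffic_class >> 2,
        "ecn": traffic_class & 0x3,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": src,
        "dst": dst,
    }


def encode_hop_limit_channel(bits, base=DEFAULT_HOP_LIMIT, payload_len=100):
    """Differential 1-bit-per-packet channel.

    The first packet is a reference. For every following packet a changed
    Hop Limit (toggling between base and base-1) encodes a 1, an unchanged
    Hop Limit encodes a 0. Every value stays inside the normal range, so a
    per-field whitelist cannot see the channel; only inter-packet analysis can.
    """
    headers = [build_ipv6_header(payload_len, hop_limit=base)]
    current = base
    for bit in bits:
        if bit:
            current = base - 1 if current == base else base
        headers.append(build_ipv6_header(payload_len, hop_limit=current))
    return headers


def decode_hop_limit_channel(headers):
    """Receiver side: compare each Hop Limit with the previous packet's."""
    hops = [parse_ipv6_header(h)["hop_limit"] for h in headers]
    return [1 if hops[i] != hops[i - 1] else 0 for i in range(1, len(hops))]


def header_anomalies(hdr):
    """Flag fields whose value falls outside the observed baseline."""
    f = parse_ipv6_header(hdr)
    flags = []
    if f["version"] != 6:
        flags.append("version")
    if f["dscp"] not in BASELINE_DSCP:
        flags.append("dscp")
    if f["ecn"] != 0:
        flags.append("ecn")
    if f["next_header"] not in BASELINE_NEXT_HEADER:
        flags.append("next_header")
    if f["payload_length"] > MAX_ETHERNET_PAYLOAD_LENGTH:
        flags.append("payload_length")
    return flags


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    stream = encode_hop_limit_channel(message)
    print("decoded:", decode_hop_limit_channel(stream))
    print("flagged by field check:", [header_anomalies(h) for h in stream])
    print("DSCP=5 header flags:", header_anomalies(build_ipv6_header(100, dscp=5)))
```

The point of running both halves together is that the Hop Limit stream passes the per-field check cleanly, whereas a single out-of-baseline DSCP or Next Header value is flagged immediately; this is why the field-distribution data from [12] reduces the usable bandwidth of the storage channels but does not by itself catch the modulation channel.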

The techniques discussed above are examples of storage channels and tunneling, with the exception of the Lazarus APT attacks reported in [50], which also used plain HTTP POST requests to upload data to their C2 server. Storage channels allow for much diversity, since there are many redundant fields to be found in the protocols in daily use. Tunneling may allow an attacker to bypass firewall rules, as in the case reported in [67], where it let them set up a TCP connection from the inside, bypassing firewalls that block incoming TCP connections. SSH tunneling, as reported in [68], gives attackers encrypted communications with the infected host that cannot be inspected in transit. Furthermore, according to ENISA [69], 45% of malware sent by email was found in .docx files and 67% of malware was delivered via HTTPS.

4.1.3 How effective are these techniques?

In Section 3.7, the theory behind what is considered an effective technique was discussed.

Those three aspects will be used when assessing the effectiveness of a technique. The desired result is a technique that has a very large capacity, very high undetectability and very high robustness, so that the hidden data is not destroyed if, for example, images are altered or packets are modified in transit. There is, however, always a trade-off between the three aspects. In general, effectiveness can be described as the extent to which the stated objectives are met [71].

The techniques discussed above were mostly discovered in the wild. They must be considered effective to some extent, since they have been part of successful attacks. However, let us look at the three conditions, capacity/bandwidth, undetectability and robustness, for a further evaluation.

4.1.4 Effectiveness of digital media steganography

Starting with digital media steganography, most cases use PNG or BMP images. PNG and BMP are lossless image formats, in contrast to JPEG, whose lossy compression would destroy bit-level modifications such as LSB embedding (GIF compresses losslessly but is limited to a 256-colour palette).

When it comes to the embedding technique used in the attacks mentioned in Section 4.2.1, it was most often LSB or appending files to the end of images [7, 8, 54, 55]. LSB is the simplest and most used embedding technique, and it is the one used with PNG and BMP images. Using LSB on the colour planes of a 24-bit image allows at least 3 bits of secret data to be embedded per pixel (one bit per colour channel). Depending on the resolution or dimensions of the images used in the attacks, one can calculate the amount of data embedded in them. Appending secret data to the end of an image was also used. Although this technique does not have a capacity limit tied to the image dimensions, appending a file to an image directly increases the file size, which can make the technique easier to detect. The Vawtrak malware used LSB embedding in favicons in order to download malicious payloads [60]. This malware always used 32x32 true-colour favicons [72], which at one bit per channel gives a capacity of 32 x 32 x 3 / 8 = 384 bytes; the encrypted message extracted from the favicons is always 288 bytes [72].

Embedding information into images is simple and there are many open source tools online that achieve this. In terms of capacity, it may be sufficient depending on the main goal. If the goal is to send small configuration files, URLs pointing to where further components can be downloaded, or simple commands, then the capacity is sufficient. However, if the goal is to exfiltrate larger amounts of data, it is not a suitable choice, because many images would have to be sent to the C2 server.

Images are everywhere on the Internet. This makes them suitable carriers, because uploading and downloading images is not seen as an anomaly on a "normal" network. Since attackers often use legitimate file sharing sites, the domains to and from which images are uploaded or downloaded will not be flagged as irregular [73]. Appending files to the end of an image does not create any visual artefacts that a human can see; however, such files are very easy to detect [37]. Performing steganalysis to see whether an image may be malicious can be time consuming, and if a network does not have active policies for inspecting images, exfiltrating data or sending commands with images will go undetected.

Using LSB steganography is simple. However, it is not very robust. The hidden data can easily be destroyed by simple attacks or lost through image manipulation [74]. Since the formats used were mostly BMP or PNG, converting them to another format (for example a lossy one) will also destroy the data. Simple steganalysis also appeared to give positive results on the favicons [72].

These findings show that this type of technique has decent capacity and good undetectability but rather low robustness.
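The capacity, detection and robustness points made above for image carriers (LSB embedding in a true-colour image, a file appended after the image's end, and fragility under a trivial edit) as one added example in Python using only the standard library; this is not the thesis's code and not any malware's code. It operates on a raw 24-bit RGB pixel buffer so no image library is needed. The 32x32 favicon size and the 288-byte message length are taken from the Vawtrak case in [72]; the message bytes, the cover image, the stub PNG and the appended file are all constructed.

```python
"""LSB image steganography: capacity, embed/extract, fragility, appended data.

Added example for this section, not code from the thesis or from any malware.
Pixels are a raw 24-bit RGB buffer (3 bytes per pixel, row-major); the PNG
helpers only deal with the chunk structure needed to find appended data.
"""
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def lsb_capacity_bytes(width, height, bits_per_channel=1, channels=3):
    """Bytes that fit when bits_per_channel LSBs of each channel carry data."""
    return width * height * channels * bits_per_channel // 8


def lsb_embed(pixels, payload):
    """Write a 4-byte length prefix plus payload into the LSB of each channel byte."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("payload exceeds LSB capacity of this buffer")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for j in range(8):
            bit = (byte >> (7 - j)) & 1
            idx = i * 8 + j
            out[idx] = (out[idx] & 0xFE) | bit   # replace only the LSB
    return bytes(out)


def lsb_extract(pixels):
    """Read the length prefix and then that many bytes from the LSBs."""
    def read_bytes(start, n):
        result = bytearray()
        for i in range(n):
            val = 0
            for j in range(8):
                val = (val << 1) | (pixels[(start + i) * 8 + j] & 1)
            result.append(val)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    # A damaged carrier yields a garbage length; never read past the buffer.
    length = min(length, len(pixels) // 8 - 4)
    return read_bytes(4, length)


def brighten(pixels, delta=1):
    """Simulate a trivial image edit (brightness +delta, clamped) that flips LSBs."""
    return bytes(min(p + delta, 255) for p in pixels)


def png_chunk(ctype, data):
    """Length, type, data, CRC-32 over type+data, as the PNG format requires."""
    return (len(data).to_bytes(4, "big") + ctype + data
            + zlib.crc32(ctype + data).to_bytes(4, "big"))


def make_stub_png(width, height):
    """Constructed, valid but blank 8-bit RGB PNG used only as a carrier stand-in."""
    ihdr = (width.to_bytes(4, "big") + height.to_bytes(4, "big")
            + bytes([8, 2, 0, 0, 0]))          # depth 8, colour type 2 (RGB)
    raw_rows = (b"\x00" + b"\x00" * width * 3) * height  # filter byte + pixels
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw_rows))
            + png_chunk(b"IEND", b""))


def trailing_bytes_after_iend(png):
    """Walk the chunk list; anything after IEND is an appended file, not image data."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length = int.from_bytes(png[pos:pos + 4], "big")
        ctype = png[pos + 4:pos + 8]
        pos += 8 + length + 4                  # header + data + CRC
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("no IEND chunk found")


if __name__ == "__main__":
    w, h = 32, 32                              # favicon dimensions from [72]
    message = bytes(range(256)) + b"\x00" * 32  # constructed 288-byte message
    cover = bytes(w * h * 3)                   # constructed black cover image
    print("capacity:", lsb_capacity_bytes(w, h), "bytes; message:", len(message))
    stego = lsb_embed(cover, message)
    print("extract ok:", lsb_extract(stego) == message)
    print("survives +1 brightness:", lsb_extract(brighten(stego)) == message)
    png = make_stub_png(w, h)
    print("appended bytes:", len(trailing_bytes_after_iend(png + b"MZ constructed")))
```

The three results line up with the assessment above: 384 bytes of LSB capacity comfortably holds a 288-byte message, a one-step brightness change destroys the hidden data entirely (low robustness), and a file appended after IEND is recovered by a few lines of chunk walking, which is why that variant is easy to detect even though the image still renders normally.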

Malicious documents or files are common entry vectors in attacks. Word documents and Excel files can carry malicious macros that start a chain of events to initiate an attack. These techniques do not aim to carry larger amounts of information.

The strength of these documents lies in their widespread use within organizations. Excel and PDF files are often used in business communications, which attackers use to their advantage.

When it comes to the undetectability of these phishing campaigns, the goal is to trick victims into opening the documents.

Word documents, Excel files and PDF files have been used successfully in several attacks [49, 52, 57], which speaks to the effectiveness of such techniques. The capacity, although not large, is sufficient for these techniques. Since these file types are common within organizations, they are often trusted. This leads to them being downloaded and opened by victims, giving them good undetectability. Unless an organization uses tools such as Content Threat Removal [75] (discussed further in Section 4.4), which aim to remove the parts of documents that can be used for malicious purposes, the aforementioned file types appear to give good robustness, assuming they are delivered and opened in their original format.
