Researchers at CrowdStrike and Dell SecureWorks have documented a new malware trend in which crooks manage command-and-control (C&C) communications using steganography and DNS.
Steganography has long been used to hide data in images and other visual media, but until recently it was not widely used by malware operators. Since 2014, security vendors have had the opportunity to observe cyber criminals using malicious media files to transfer information to and from unwitting users.
This trend is most noticeable in the malware families Lurk and Gozi and in the information stealer named Stegoloader.
The process is simple and yet newly discovered. First, the Lurk malware downloads a BMP image and extracts a URL from it; at this stage a different piece of malicious software is downloaded, which is used for click-fraud activities.
Gozi, notorious for financial fraud, uses steganography to download its configuration files in case the direct download is blocked by network settings or network devices. Gozi hides the malware in a favicon hosted on a Tor hosting provider.
Stegoloader uses steganographic methods to store its main module inside a PNG image, from which it is then run. The latter is downloaded only after it becomes ‘safe’ to infect the computer.
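The three cases above share one property a defender can act on: the image file is a carrier, so it is worth checking whether a downloaded BMP or PNG carries bytes that no decoder would ever render. The script below is an added example, not code from the article or from the researchers it quotes; it walks the PNG chunk list (verifying each CRC) and reads the declared BMP file size, and reports anything beyond the declared structure. It catches only payloads appended after the image data; pixel-level hiding (for example in least-significant bits) needs statistical analysis and is out of scope here. The `make_png` and `make_bmp` helpers build constructed sample files so the check runs offline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow IEND.

    A well-formed PNG ends exactly at the IEND chunk's CRC; anything after
    it is foreign data that image decoders silently ignore.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk")


def bmp_trailing_bytes(data: bytes) -> int:
    """Compare the file size declared in the BMP header with the real size."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared = struct.unpack("<I", data[2:6])[0]
    return len(data) - declared


def inspect_image(data: bytes) -> dict:
    """Classify a file and report bytes lying outside its declared structure."""
    if data.startswith(PNG_SIG):
        fmt, extra = "png", png_trailing_bytes(data)
    elif data[:2] == b"BM":
        fmt, extra = "bmp", bmp_trailing_bytes(data)
    else:
        return {"format": "unknown", "trailing_bytes": 0, "suspicious": False}
    return {"format": fmt, "trailing_bytes": extra, "suspicious": extra > 0}


# --- constructed sample inputs (not real malware samples) -------------------

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb=(0, 0, 0)) -> bytes:
    """Build a minimal 8-bit RGB PNG of one flat colour."""
    scanlines = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanlines))
            + _png_chunk(b"IEND", b""))


def make_bmp(width: int, height: int, rgb=(0, 0, 0)) -> bytes:
    """Build a minimal 24-bit BMP of one flat colour."""
    row = bytes(rgb[::-1]) * width             # BMP stores pixels as BGR
    row += b"\x00" * ((4 - len(row) % 4) % 4)  # rows are padded to 4 bytes
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    header = b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib))
    return header + dib + pixels


if __name__ == "__main__":
    clean = make_png(2, 2, (10, 20, 30))
    tampered = clean + b"CONSTRUCTED-PAYLOAD"   # appended foreign bytes
    print(inspect_image(clean))
    print(inspect_image(tampered))
    print(inspect_image(make_bmp(3, 1) + b"\x00" * 40))
```

A file that reports trailing bytes is not automatically malicious (some tools append metadata), but a favicon or banner image that arrives with a few hundred kilobytes past IEND deserves a closer look, and the check is cheap enough to run on every image a proxy or sandbox sees.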
As we are all aware, botnets and malware spreaders often use the HTTP and HTTPS protocols for C&C communication. An HTTPS connection is safer but easier to discover using modern cyber security tools.
Because of this, many malware operators have decided to try the DNS protocol. Using DNS makes it easier to mimic the legitimate DNS packets handled over the network, thus misleading network monitoring tools. Before Gozi and Lurk, the PlugX and Feederbot malicious tools had already switched to DNS.
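Mimicking DNS traffic is only convincing at the packet level; in aggregate, a tunnelled C&C channel still looks different from normal name resolution. The script below is an added example, not code from the article or the vendors it cites, showing the heuristics a resolver-log analyst would apply: per registered domain it measures average label entropy, average subdomain length, how rarely subdomains repeat, and how many queries use record types that carry free-form data (TXT, NULL, CNAME). The log lines, the domain `beacon-test.invalid` and the hex labels are all constructed for the demonstration; the thresholds are starting points to tune against your own baseline, and "registered domain" is simplified to the last two labels.

```python
import math
import re
from collections import defaultdict

# Constructed resolver-style log lines (not a real capture). Ordinary lookups
# for example.com are mixed with one client sending long, high-entropy TXT
# queries under beacon-test.invalid, the shape a DNS-tunnelled channel has.
SAMPLE_LOG = """\
client 10.0.0.5 query: www.example.com A
client 10.0.0.5 query: mail.example.com AAAA
client 10.0.0.6 query: www.example.com A
client 10.0.0.6 query: cdn.example.com A
client 10.0.0.5 query: www.example.com AAAA
client 10.0.0.9 query: mail.example.com A
client 10.0.0.7 query: a3f08c1e9b4d7265ef10ac3b8d94.beacon-test.invalid TXT
client 10.0.0.7 query: 7d2e9a05c4b18f36d07e5a2c9b41.beacon-test.invalid TXT
client 10.0.0.7 query: e61b9f3a04d72c85a9e3f10b6d47.beacon-test.invalid TXT
client 10.0.0.7 query: 4c8a1e0f72d6b935c1e8b07a3f59.beacon-test.invalid TXT
client 10.0.0.7 query: b05d3c7e19f4a628e4b7d10c39a5.beacon-test.invalid TXT
"""

LINE_RE = re.compile(r"client (\S+) query: (\S+) (\S+)")
DATA_CARRYING_TYPES = {"TXT", "NULL", "CNAME"}  # record types that carry free-form data


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a constant string, 4.0 for uniform hex."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, name, qtype) or None for lines that are not queries."""
    m = LINE_RE.search(line)
    return m.groups() if m else None


def split_name(name: str):
    """Split a query name into (registered domain, subdomain part).

    Simplification: the registered domain is taken as the last two labels.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def domain_stats(lines):
    """Aggregate per-domain counters needed by the heuristics."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "data_types": 0, "entropy": 0.0, "length": 0})
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        _client, name, qtype = parsed
        domain, sub = split_name(name)
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["length"] += len(sub)
        if qtype.upper() in DATA_CARRYING_TYPES:
            s["data_types"] += 1
    return stats


def tunnel_indicators(s, entropy_min=3.0, length_min=20,
                      unique_min=0.8, type_ratio_min=0.5):
    """Return the list of heuristics a domain's aggregate stats trigger."""
    n = s["queries"]
    reasons = []
    if s["entropy"] / n >= entropy_min:
        reasons.append("high-entropy labels")
    if s["length"] / n >= length_min:
        reasons.append("long subdomains")
    if len(s["subdomains"]) / n >= unique_min:
        reasons.append("rarely repeated subdomains")
    if s["data_types"] / n >= type_ratio_min:
        reasons.append("mostly TXT/NULL/CNAME queries")
    return reasons


def suspicious_domains(lines, min_queries=3, min_reasons=2):
    """Domains with enough queries to judge and at least min_reasons indicators."""
    flagged = []
    for domain, s in domain_stats(lines).items():
        if s["queries"] < min_queries:
            continue
        reasons = tunnel_indicators(s)
        if len(reasons) >= min_reasons:
            flagged.append((domain, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for domain, reasons in suspicious_domains(SAMPLE_LOG.splitlines()):
        print(f"{domain}: {', '.join(reasons)}")
```

Requiring two independent indicators keeps content-delivery networks with long but repetitive hostnames, or legitimate TXT-heavy services, from being flagged on a single signal; adding a per-client query-rate counter and a whitelist of known domains is the usual next step before alerting on this in production.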
“All in all, these examples show that hidden communication channels have arrived in today’s world of digital crime. However, hidden communication channels are not a panacea. There is a lot of room for design errors when implemented from scratch and they need to be used in conjunction with other technologies such as cryptography to guarantee integrity, confidentiality and authenticity,” noted Dr. Chris Dietrich of CrowdStrike and Pierre-Marc Bureau of Dell SecureWorks.