Enterprises and end-users are constantly reminded of the dangers associated with clicking on unknown links and documents. Images rarely top the list as would-be vulnerabilities, but it’s important to be cautious of these potentially risky files as well. Why? Hackers are able to use image steganography techniques to conduct malicious activity and ultimately compromise enterprise networks.
What is image steganography? Image steganography is the practice of using hidden writing techniques to secretly pass information embedded within images. This technique has been around for hundreds of years – most notably, it was used by Leonardo da Vinci, who embedded secret messages into his paintings.
Image steganography has been adapted for the Digital Age. Steganography was originally used by nefarious individuals who wanted to exfiltrate data from organizations. For example, malicious actors could take a family photo, hide corporate secrets in the image and email it to their personal account—hiding corporate espionage in plain sight. Today, hackers use steganography to embed obfuscated payloads inside an image that traditional security solutions cannot detect, and so successfully spread malware.
How do image steganography attacks work?
While there are many forms of steganography, the most common uses a tool called steghide. When leveraging steghide, hackers hide payloads inside the pixel data of an image. A second approach is to convert the payload to Base64 and hide it within the image metadata. It is commonly placed in the certificate metadata field, because that field is not length-limited and Base64 encoding is routinely used in it for legitimate certificates.
The malicious image can be delivered as an attachment, or the hacker can post the image on a public website and provide a link to it. With the steghide method the image is slightly altered at the byte level, but when the payload is embedded in the metadata, the image data itself is not altered at all. This makes it virtually impossible to detect with the naked eye.
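As an added defender-side illustration (not part of the original article), the scanner below walks the chunks of a PNG and flags text metadata fields that carry unusually large or Base64-looking blobs, plus any bytes appended after the final chunk. PNG text chunks stand in for the "certificate field" described above, the keyword "Certificate" is a constructed sample value, and the 64-character Base64 run threshold is an assumption chosen for this example.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"iTXt", b"zTXt"}
# A long unbroken run of Base64 alphabet is the tell-tale of an encoded blob
# in a field meant for short human-readable text (assumed threshold: 64 chars).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk; anything after IEND is reported as TRAIL."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(png):
        yield b"TRAIL", png[pos:]  # bytes after IEND are never legitimate image content

def scan_png(png: bytes, max_text: int = 256) -> list:
    """Return (keyword, size) findings for suspicious text chunks and trailing data."""
    findings = []
    for ctype, data in iter_chunks(png):
        if ctype == b"TRAIL":
            findings.append(("trailing-data", len(data)))
        elif ctype in TEXT_CHUNKS:
            keyword, _, value = data.partition(b"\x00")
            if ctype == b"zTXt":
                value = zlib.decompress(value[1:])  # skip the compression-method byte
            # For iTXt the remainder also holds flag/language fields; fine for a heuristic.
            if len(value) > max_text or B64_RUN.search(value):
                findings.append((keyword.decode("latin-1"), len(value)))
    return findings

def build_sample(payload: bytes) -> bytes:
    """Constructed 1x1 PNG whose 'Certificate' tEXt chunk carries a Base64 payload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Certificate\x00" + base64.b64encode(payload))
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))
```

Run `scan_png(build_sample(b"CONSTRUCTED SAMPLE PAYLOAD " * 4))` to see the stuffed field reported, while `build_sample(b"")` yields no findings.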
Once a payload is delivered, most hackers seek to dump hashed admin passwords and connect via Remote Desktop Protocol (RDP) to other nodes on the network. They will compromise as many computers as they can by deploying ransomware and ask the compromised company for a big payday—a highly lucrative scheme for hackers.
Image steganography attacks are an attractive attack vector for threat actors because the toolkits are easily accessible and downloadable and because these attacks easily evade detection by traditional security solutions. Technically, the tools used for these attacks are not even considered hacking tools. They can be installed from a Linux shell as simply as "apt-get install steghide" or "apt-get install exiftool".
How can organizations avoid these types of attacks?
Hackers use image steganography as an evasion technique and delivery mechanism because, once a hacker has access to a single computer on a corporate network, it’s game over for the company. The hackers then commonly deploy ransomware or another payload that puts them in control. Since this attack vector is frequently overlooked, many organizations are vulnerable to these attacks and could suffer detrimental effects if they do not become more proactive in their security strategies.
The first thing organizations need to understand is that these types of attacks are highly sophisticated, and no amount of phishing awareness training is going to properly train end-users to detect these threats.
Implementing security solutions that remove the end-user from the equation entirely is necessary to prevent these types of attacks from compromising enterprise data and networks. Technology that takes a deterministic approach and passes only the known-good elements of content through to the end user—rather than unreliably detecting and blocking malicious code—is the best way for organizations to protect themselves.
Today’s purpose-built steganography detection programs are proof-of-concept and are known to be slow and have relatively low detection rates, rendering them unfit for commercial security tools currently on the market. To combat these types of threats, enterprises will need to prioritize and adopt strategies that focus on the zero-day threats targeting the enterprise.