“Stegomalware” is a relatively unknown term, but think of its first cousin, the stegosaurus, whose armored exterior of kite-shaped plates along its back and spikes on its tail helps ward off predators, or in this case, bad actors.
To explain, steganography, in which malware hides malicious code in the pixels of an image by encoding information into the image's actual color values, is becoming a more widely used email attack vector. In other words, it's a semi-low-tech yet innovative way of sneaking in a nefarious attack that is imperceptible to the human eye, and thus, it works.
In an interview with Dr. Steve Jeffery, Lead Solutions Engineer (UK) of Fortra Secure Email Gateway (SEG), we asked what it takes to defend against this hidden-in-plain-sight threat, as well as other commonly asked questions about stegomalware that are answered here.
Method 1: Stopping malicious clicks
To know how to defend against stegomalware – in its many forms – we first need to understand what those forms are. The first one? A multi-stage attack.
The Problem
It’s crucial to your understanding that steganography takes place in two parts:
- The malicious code is hidden within an image, attached file, etc.
- What triggers it to execute.
Dr. Jeffery explains, “There are generally two steps to this. There's the payload being removed from the steganography, but there's also a program they embed called a loader. That program is what's going to make that payload run.”
He notes that the loaders often escape detection because they look innocent; after all, they’re not malware in and of themselves, and a routine that merely extracts data from an image is easy to slip past an organization's email infrastructure. That's understandable, but then how does the malicious part get in?
The Scenario
Commonly, attackers send a malware binary (e.g., a malicious executable like viruses, worms, and Trojans) via email, and those typically get blocked by email security tools (next-generation or not). However, in the case of stegomalware, they come via a Word document with macros embedded, and those have a higher chance of getting a passing score and entering undetected. Organizations roll the dice because those aren’t explicitly bad and threat actors bank on the fact that users still have to accept it on their end for it to run.
However, as Jeffery explains, “Humans like to click on that yes button, so it's quite easy to manipulate someone into pressing it. I've seen all sorts of lures on that such as, ‘If you can't read this document, it's because you haven't downloaded the right font pack. Press accept!’ And then the document will be in Wingdings font or something.”
The Solution
One way to combat a compulsive “trigger finger” is with consistent and solid Human Risk Management (HRM), which teaches users to recognize those ploys (and many others) so that they stay away from them.
Another is a sandboxing tool or an advanced email security solution that can sanitize code within documents, per Jeffery’s suggestion. That way, even if (or when) your employees click a malicious link, the payload will detonate in a safe place and your network will be spared.
Method 2: Blocking the stegomalware itself
The first method of defense accepted that the malware would get in and aimed to make the fallout as close to nonexistent as possible. The second method hits the malware head-on by dealing with the steganography itself.
Jeffery reveals why steganographic malware is so hard to detect, noting that, “Because you don't know how it was encoded into the pixels in the first place, you can't reverse the process and see the data.” For this reason, even advanced email security solutions can’t directly detect it.
However, as he states on behalf of Fortra’s Clearswift, “With steganography, it does it in a way that is undetectable to the human eye. However, we've got a mechanism which will disrupt it.” He continues, “If you use Fortra Secure Email Gateway, it has an anti-steganography feature. If you tick it, it will change every image that goes through the appliance.”
“This technique just makes subtle changes to the image to destroy the integrity of any hidden data, making it effectively unreadable,” Jeffery explains. “So, by combining those two defenses–the sandboxing/sanitization and the anti-steganography features–you're really giving yourself the best armor to defend yourself against these kinds of surreptitious attacks.”
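As an added illustration (not code from this article or from Fortra's product), here is a toy least-significant-bit scheme in Python that shows why both of Jeffery's points hold: bits hidden in pixel color values are invisible to the eye, yet a sanitizer that nudges each value by at most one level, an assumed mechanism rather than the gateway's actual one, still destroys the hidden data. The 64x64 carrier and the payload bytes are constructed for the demo.

```python
import random

def bytes_to_bits(data):
    # MSB-first list of bits for each byte
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def embed_lsb(pixels, payload):
    """Toy LSB steganography: write payload bits into the lowest bit of
    successive 8-bit channel values. Only that bit changes, so the image
    looks identical, which is why the technique is hard to spot."""
    bits = bytes_to_bits(payload)
    if len(bits) > len(pixels):
        raise ValueError("carrier image too small for payload")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def extract_lsb(pixels, nbytes):
    """What a loader would have to do: read the lowest bits back into bytes."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for value in pixels[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (value & 1)
        return_bytes = out.append(byte)
    return bytes(out)

def sanitize_image(pixels, seed=None):
    """Defender-side disruption (an assumption about how such a feature could
    work, not Fortra's implementation): nudge every channel value by -1, 0 or
    +1 at random. Imperceptible to a viewer, but it scrambles the low bits."""
    rng = random.Random(seed)
    return [min(255, max(0, p + rng.choice((-1, 0, 1)))) for p in pixels]

def max_channel_delta(a, b):
    """Largest per-channel change between two images (visibility check)."""
    return max(abs(x - y) for x, y in zip(a, b))

def demo(seed=1):
    # Constructed 64x64 RGB carrier (12288 channel values), kept away from
    # 0/255 so clamping in sanitize_image does not affect the demonstration.
    rng = random.Random(seed)
    carrier = [rng.randint(16, 239) for _ in range(64 * 64 * 3)]
    payload = b"constructed sample payload"  # stand-in for hidden data
    stego = embed_lsb(carrier, payload)
    cleaned = sanitize_image(stego, seed)
    return {
        "embed_delta": max_channel_delta(carrier, stego),      # at most 1
        "intact": extract_lsb(stego, len(payload)) == payload,   # True
        "survives": extract_lsb(cleaned, len(payload)) == payload,  # False
        "sanitize_delta": max_channel_delta(stego, cleaned),   # at most 1
    }
```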
Staying strong against steganographic malware
So, the key is shoring up the security of your email environment to stay strong against steganographic malware. And these solutions are only the beginning. Attackers are getting sneakier, stealthier, and just plain better at what they do. But you can keep up with them by leveraging Fortra Email Security.
Stop Stegomalware Today
Threat actors might be clever, but we’re clever too. Learn more about Fortra Email Security and how it can help your organization keep out the bad actors who are gunning for your inbox!