Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/), feed retrieved Fri, 04 Feb 2022 23:34:11 +0000

Top 6 free steganography tools for cyber security professionals
https://www.securitynewspaper.com/2022/02/07/top-6-free-steganography-tools-for-cyber-security-professionals/
Mon, 07 Feb 2022 17:30:00 +0000
In cybersecurity, steganography is a technique for hiding snippets of code inside a legitimate-looking file, mainly images in various formats and even some documents. The practice is increasingly studied by cybersecurity researchers, since it has been proven that multiple hacking groups have used it successfully in different attacks, so it is better to know how such an attack works and how it can be prevented.

This time, specialists from the International Institute of Cyber Security (IICS) will show us some of the most popular steganography tools, used both by cybersecurity experts and hackers from around the world.

Before continuing, we remind you that this material was prepared for informational purposes only and should not be taken as a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

SilentEye

SilentEye is an open source steganography tool, used mainly to hide messages in images or sounds. According to cybersecurity experts, it provides an easy-to-use interface and a plugin system that makes it simple to integrate new steganography algorithms and cryptography processes.

In this example, we have a pass.txt file that contains credentials to access information systems. Using SilentEye, this file is hidden in an image.

The tool can be downloaded from https://silenteye.v1kings.io/download.html?i2. After downloading, run the EXE file and follow the installation instructions. In addition to Windows, installation files for Linux and Mac are available.

The process of steganography can be divided into these stages:

  • Drag the image into the program's launch window
  • After adding the image, click the Encode option
  • Select "signature" as the header position and enter a password to protect the file
  • Select the file you want to hide in the image and click Encode
  • The image is saved in the destination folder specified in the previous step. The encoded image looks exactly the same as the original, and the hidden file cannot be detected at a glance
  • To decode the image, click the Decode option
  • Select "signature" as the header position, enter the password that was used to encode the image, then click Decode
  • The decoded file is shown below

iSTEG

This is an open source steganography tool used to hide files within a JPEG image. Although it is available only for Mac and is a relatively old program, it is sure to be a great learning resource for cybersecurity enthusiasts.

OpenStego

OpenStego is another open source steganography tool that allows you to hide data in images or apply watermarks to detect unauthorized copies of specific files. The watermark is also useful when sending the same document to different organizations, each with its own label, so that the source of a possible leak can be identified.

To hide data, select the file you want to hide (here, a file with passwords) in the Message File field, and in the Cover File field select the source image that will serve as the container for the text file. In the Output Stego File field, specify the name of the final image that will carry the secret. Then select the encryption algorithm (AES256 in this case), set the password and click Hide Data to get the result.

Below we can see that the image with the hidden file is much larger than the original:

To reverse the process, on the Extract Data tab select the file with the hidden data, choose a path for the output, enter the password and click Extract Data to obtain the passwords.txt file.

As mentioned above, the program can also apply a watermark with a specific signature. You first need to generate a signature file, which is then used to watermark a file or to verify a watermark.

You can generate an electronic signature in .sig format:

The result of adding the watermark is a signed image file, isecforu_sig.jpg:

To check the watermark, on the Verify Watermark tab select the watermarked file and the signature file:

OpenPuff

This is free steganography software for Microsoft Windows and Linux. In addition to images and audio, it works with video and PDF files, and it comes with detailed documentation that explains its use thoroughly.

The tool supports image formats such as BMP, JPG, PCX, PNG and TGA, audio formats such as AIFF, MP3, NEXT/SUN and WAV, and video formats such as 3GP, FLV, MP4, MPG, SWF and VOB, in addition to the popular PDF format.

To hide data, the tool proposes entering three different passwords (A, B and C). Passwords B and C can be disabled by unchecking the Enable (B) and Enable (C) options, so we do that and enter the password in field A. Then, in the Data block, select the file with the passwords, passwords.txt. In the third step, select the itsecforu.jpg image file as the carrier. Next, select the output file format and persistence, click Hide Data, and select a directory where the file with the hidden data will be saved.

To extract the file, select Unhide from the start menu, enter the password in block A, select the itsecforu.jpg carrier and click Unhide:

As you can see, we get our passwords.txt file.

The file marking process is also simple and straightforward, so we will not cover it here.

Steghide

This is a program for hiding data in various types of image and audio files. We wrote about it in the article "Steganography in Kali Linux – Hiding data in an image". According to cybersecurity experts, it works the same way on the Windows operating system.

Run the utility from the command line to see all available options:

To hide the passwords.txt file in the itsecforu.jpg image file, enter the following command:

steghide.exe embed -cf D:\stega\itsecforu.jpg -ef D:\stega\passwords.txt

Enter the password and its confirmation; the itsecforu.jpg file now contains the hidden data.

Accordingly, to extract hidden data, enter the following command:

steghide.exe extract -sf D:\stega\itsecforu.jpg

Enter the password to get the passwords.txt file:

SpamMimic

SpamMimic (spammimic.com) is a website that converts messages into spam. It gives users access to a program that turns short messages into spam-like text that encodes the message, cybersecurity specialists note.

The tool would allow users to send confidential information via email with the confidence that threat actors will not identify the content, sharing it in a secure way.

The website also includes a function known as "Encode as Fake Russian", which encodes an English message with Cyrillic characters: readable enough for a person, but hard for automated systems to decipher.

Cybersecurity experts recommend paying attention to the right resources.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

ObliqueRAT malware hides in images of hacked website. Be careful when downloading images
https://www.securitynewspaper.com/2021/03/02/obliquerat-malware-hides-in-images-of-hacked-website-be-careful-when-downloading-images/
Tue, 02 Mar 2021 18:06:58 +0000
ObliqueRAT is a remote access Trojan (RAT) active at least since mid-2020, identified in multiple attacks against organizations in South Asia and constantly evolving. Cybersecurity experts mention that the operators of these attacks have found a new attack mechanism, hiding the Trojan in seemingly harmless images posted on compromised websites.

When first discovered, the cybersecurity community described ObliqueRAT as a conventional Trojan that steals data, connects to a C&C server and can terminate its own processes. ObliqueRAT can also look for signs that the target system is running in an isolated environment, one of the main cybersecurity practices for detecting malicious code.

The developers of this RAT have kept updating it since the malware was detected, adding new techniques and abusing a large set of possible attack vectors. Recently, Cisco Talos researchers published research on ObliqueRAT, mentioning that its operators are running a new campaign through an unusual attack involving images in various formats.

In previous attacks, hackers used Microsoft Office documents sent by email in phishing campaigns. Talos mentions that, in the most recent attacks, hackers use malicious documents to redirect victims to compromised websites in order to bypass email security controls.

The attack relies on a technique known as steganography, which hides code, files, images or videos inside files of other formats (in this case, .BMP files). Although these files contain legitimate image data, executable bytes are also hidden in the RGB data, and they trigger the download of a .ZIP file containing ObliqueRAT.

Experts mention that the malicious macros used by the hackers extract the archive and deploy the Trojan on the target endpoint. Since the end of 2020, specialists have detected at least four new, improved versions of the malware, allegedly developed between April and November last year. Improvements include endpoint checks and blocked computer names, as well as the ability to extract files from external storage. A new command, not yet assigned a function, also indicates that additional updates will follow.

Finally, experts mention that ObliqueRAT could be linked to the distribution campaigns of the CrimsonRAT Trojan, as there are potential links with Transparent Tribe, a hacking group that specializes in attacking the technology infrastructure of countries in the East.

Transfer any Confidential Data via Audio File using DeepSound
https://www.securitynewspaper.com/2020/08/21/transfer-any-confidential-data-via-audio-file-using-deepsound/
Fri, 21 Aug 2020 14:05:05 +0000
Introduction

People often search the internet for ways to hide data and transfer it to their friends. Imagine receiving an MP3 file with your password inside it. With DeepSound you can transfer any confidential file or data inside an audio file (MP3, WMA, WAV, APE), and the data can later be retrieved easily. A researcher of the International Institute of Cyber Security comments: "we have seen forensics cases where information is shared using these steganography channels".

The tool can also convert an MP3 file to .ape, .wav or .flac. The application is very simple to use and easy to understand. Now we move on to a step-by-step tutorial on how to use DeepSound.

Environment

  • OS: Microsoft Windows [Version 10.0.18363.1016], 64 bit

Installation steps

  • Click Here to download the tool.
  • It downloads a zip file; extract it.
DeepSound-2.0 – Extracted Files
  • Next, run DeepSound.exe.
DeepSound-2.0 – Tool Launch
  • Now click "Open carrier file" to add an audio file with one of these extensions: .mp3, .ape, .wav or .flac.
  • Next, click "Add secret file" to add the confidential data files.
DeepSound-2.0 – Add Audio/Secret Files
  • The audio file and the confidential file are now added.
  • You can also select the audio quality.
DeepSound-2.0 – Security Key
  • Click "Encode secret files", check the box "Encrypt secret files", enter the password, then click "Encode secret files" to secure the file.
  • The resulting audio file is saved to the chosen path. The encoded file appears the same as the original file.

Decrypt Audio File

  • Add the encoded audio file by clicking "Open carrier file"; it will ask for the security password.
DeepSound-2.0 – Decrypt Audio File
  • Enter the security key and click OK.
DeepSound-2.0 – Extract Audio File
  • Now select the secret file and click "Extract secret files". This saves the secret file on our machine.

Change Audio File Extension

  • Click "Audio Converter", add the audio file, select the target extension, then click Convert.
DeepSound-2.0 – Change Audio File Extension
  • The converted audio file is saved in the output directory.

Conclusion

We have seen how to transfer or store confidential data inside an audio file. If we use this technique, no one can identify or steal your data, which makes it a good way to transfer a data file to an end user. Finding hidden data in an audio file requires some binary analysis.

Dont download Taylor Swift images. They have Tay Tay Sexy virus in them
https://www.securitynewspaper.com/2019/12/20/dont-download-taylor-swift-images-they-have-tay-tay-sexy-virus-in-them/
Fri, 20 Dec 2019 23:12:35 +0000
Malicious hackers keep showing their ability to evolve and diversify. A digital forensics investigation revealed that the creators of a massive botnet are using a picture of the famous singer Taylor Swift loaded with malware that integrates the affected systems into the massive network, used for cryptocurrency mining.

The botnet in question is known as MyKingz, also called Smominru, DarkCloud or Hexmen, depending on the security firm that produced the report, so the activities of its operators are widely documented.

Since its inception, MyKingz has shown unusual growth; just a few months after the first reports, the developers of this botnet had already infected more than 520k Windows systems, generating more than $2 million USD in Monero cryptocurrency in less than a year.

Threat actors abuse the EternalBlue vulnerability, which lets the botnet reach deep into any corporate network. As if that weren't enough, the initial estimate of just over a million infected systems has been left behind: experts now estimate that infections already exceed two million devices.

Although some reports claimed that the creators of the botnet stopped operating it, new signs of activity began to be recorded a few months later, detecting up to 4,000 new infections a day.

According to a report by digital forensics firm Sophos, hackers devised a new way to infect devices to integrate them into the botnet. Employing steganography, threat actors hide malicious files inside legitimate ones, in this case a malicious EXE is hidden in a JPEG image of the famous pop singer Taylor Swift.

Sample of the malicious file hidden in the singer’s picture
SOURCE: Sophos

This way, the hackers seek to trick the antivirus software on the target system, which only identifies the JPEG file that is being downloaded, completely bypassing the detection of the malware.

This is not the first time a hacker group has used steganography to infect thousands of victims. A couple of years ago, digital forensics experts reported that a group of cybercriminals distributed malware hidden in an image of actress Scarlett Johansson. It should be noted that steganography is not limited to images loaded with malicious code. In recent months, some groups of cybercriminals have experimented with new uses for the technique, trying to hide malware in PDF documents or even WAV audio files, often successfully.

For a couple of years now this botnet has been one of the main threats to computers running Windows; as reports from various firms mention, an outdated system or a few exposed ports is enough for the infection to complete.

According to the digital forensics specialists from the International Institute of Cyber Security (IICS) the developers of this botnet earn about $300 USD a day, and it is estimated that in total some 9,000 Monero units have been generated, equivalent to $3 million USD, according to the current exchange rate.

Best forensic tools to hide secrets passwords and recover files
https://www.securitynewspaper.com/2019/02/04/best-forensic-tools-to-hide-secrets-passwords-and-recover-files/
Mon, 04 Feb 2019 02:59:41 +0000
Steganography is a common term for hiding or encrypting personal information, information of any kind that you do not want to share: the art of hiding personal data, as cyber forensics experts put it. Today many companies use this technique to hide sensitive content inside an image. There are various ways of hiding personal content such as txt, mp3, wav and many other formats supported by the method. The practice is old but still useful, according to cyber forensics courses, although it has some loopholes: many tools and programs are available today to extract hidden data from images, and steganography is also popular in exploit kits. We will show you some of the tools used to hide data in images and to extract it again.

How Steganography Works

Every image we see electronically, on a mobile phone, television or computer, consists of pixels, the smallest components of an image. In each image the pixels are produced from three to four colors: red, green, blue and white. The RGB model is common for video displays and other video components used to show an image on an electronic screen. The RGB values are added together to create a range of colors; the primary colors mixed in equal amounts produce white, and when they are mixed in different amounts other colors are formed.

As shown above, the RGB model forms different colors on screen; in binary, the same values form the colors that steganography manipulates. When images are combined in steganography, the RGB values change as shown below, explain cyber forensics professors.

As shown above, when two images are combined a new image is formed. In steganography the right-most bits are changed, since this has a very minor visual effect on the image.

As you can see, image 2 is hiding data in it, since steganography changes the right-most bit in the image.

As shown above, the left-most is a plain image, while the right-most is an image hiding another image. If you look carefully, the second image in the figure holds hidden data. The Python code below shows how an image is hidden inside another image, cyber forensics consultants demonstrate.

# LSBSteg is a separate module (assumed to be imported from LSBSteg.py); cv2 is OpenCV's Python binding
import cv2
from LSBSteg import LSBSteg

# encoding: hide image_2.jpg inside the cover image_1.png
steg = LSBSteg(cv2.imread("image_1.png"))
new_im = steg.encode_image(cv2.imread("image_2.jpg"))
cv2.imwrite("Desert.png", new_im)

# decoding: read the stego image back and recover the hidden image
steg = LSBSteg(cv2.imread("Desert.png"))
orig_im = steg.decode_image()
cv2.imwrite("recovered.png", orig_im)

In the code above, image_2.jpg is hidden inside image_1.png. This is the common code used to hide one image in another, and it takes only simple parameters. Now we will see how text is hidden in an image.

import cv2
from LSBSteg import LSBSteg   # assumed import, as above

# encoding: hide a text string in my_image.png
steg = LSBSteg(cv2.imread("my_image.png"))
img_encoded = steg.encode_text("sensitive_data")
cv2.imwrite("Desert.png", img_encoded)

# decoding: read the stego image and recover the text
im = cv2.imread("Desert.png")
steg = LSBSteg(im)
print("Text value:", steg.decode_text())

The basic code above shows how text is hidden inside an image: the encode_text method hides the text and decode_text recovers it. Now we will show you some of the tools used to hide data inside an image.
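The LSBSteg snippets above call a library the article does not include. The following added example is my own code, not the article's or LSBSteg's: it implements the same right-most-bit embedding directly on a constructed RGB byte array (no image library needed), shows that no sample changes by more than 1, and adds the pairs-of-values statistic a forensic analyst uses to flag LSB embedding; the names make_cover, embed_text, extract_text and pov_imbalance are mine.

```python
"""LSB steganography over raw RGB sample bytes plus a pairs-of-values check.
Added example for this article; it is not the LSBSteg library used above and
needs no image library: the 'image' is a constructed byte array."""

WIDTH, HEIGHT = 32, 32


def make_cover() -> bytearray:
    """Constructed posterised RGB cover. Every sample is even, so the LSB plane
    is all zero and the clean-cover statistic below is exactly 1.0; a real
    photo sits lower, but still well above a fully LSB-embedded image."""
    px = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            px += bytes((64 + 8 * (x // 4), 64 + 8 * (y // 4), 96 + 8 * ((x + y) // 8)))
    return px


def _bits(blob: bytes):
    """Yield the bits of blob, most significant bit of each byte first."""
    for byte in blob:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_text(cover: bytes, message: str) -> bytearray:
    """Write a 4-byte big-endian length, then the UTF-8 text, one bit per
    sample: only the right-most bit of each sample is touched."""
    payload = message.encode("utf-8")
    blob = len(payload).to_bytes(4, "big") + payload
    if len(blob) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples, have %d" % (len(blob) * 8, len(cover)))
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(blob)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def _read_bytes(samples: bytes, start: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of samples[start:]."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[start + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_text(stego: bytes) -> str:
    """Inverse of embed_text. A length field that cannot fit in the image is
    rejected instead of producing garbage."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header %d does not fit: not this scheme" % length)
    return _read_bytes(stego, 32, length).decode("utf-8")


def max_sample_change(a: bytes, b: bytes) -> int:
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(p - q) for p, q in zip(a, b))


def pov_imbalance(samples: bytes) -> float:
    """Pairs-of-values statistic in the spirit of Westfeld and Pfitzmann's
    chi-square attack. Embedding overwrites LSBs with message bits, which
    equalises how often the values 2k and 2k+1 occur. Returns
    sum((n_even - n_odd)^2 / (n_even + n_odd)) / len(samples):
    1.0 when every pair is completely one-sided, near 0 for random-looking LSBs."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    stat = 0.0
    for k in range(0, 256, 2):
        n = counts[k] + counts[k + 1]
        if n:
            stat += (counts[k] - counts[k + 1]) ** 2 / n
    return stat / len(samples)


# Constructed secret, in the spirit of the article's passwords.txt examples.
SECRET = ("sensitive_data: admin password rotates on the first Monday of each month. " * 4).strip()


def demo() -> dict:
    """Round-trip the secret and compare the statistic before and after."""
    cover = make_cover()
    stego = embed_text(cover, SECRET)
    return {
        "recovered": extract_text(stego),
        "max_change": max_sample_change(cover, stego),
        "cover_stat": pov_imbalance(cover),
        "stego_stat": pov_imbalance(stego),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same statistic applied to a real photo will not give exactly 1.0 for the clean file, but the drop after embedding is what a detector such as a chi-square stego scanner keys on.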

Steghide – Hide data inside an image

Steghide is a simple program for hiding data inside an image. According to a digital forensics expert of the International Institute of Cyber Security, the color frequencies are not changed by this program, as it hides only a small amount of data. The current version of Steghide is 0.5.1. The program encrypts the data: when a user hides a txt file, it asks for a passphrase, which is the key used to encrypt and decrypt the sensitive information, cyber forensics teachers say.

  • The tool is available for Linux as well as Windows, but we have tested it on Windows. It can be downloaded from: https://sourceforge.net/projects/steghide/files/steghide/0.5.1/steghide-0.5.1-win32.zip/download?use_mirror=excellmedia&download=
  • After downloading the archive, unzip it and open steghide.exe from cmd.
  • To do so, go to the start menu and type cmd, then right-click cmd and open it as administrator.
  • After opening it as administrator, navigate to location/where/you/unzipped/steghide and type dir
  • Then type steghide.exe
  • You can choose any image to hide the data in. We chose a default Windows image to show you.
  • Type steghide embed -cf Desert.jpg -ef "secret info.txt"
  • -cf is used for the cover file
  • -ef is used for the file to embed (the sensitive data).
  • Type the passphrase as your password. We type 123456 here.
  • After executing the above command the data is hidden. Now you can delete the original file.
  • To extract, type steghide extract -sf Desert.jpg
  • After executing, the data is restored in its original form. The above information can be used in other hacking activities; in hacking it can be helpful when sending an encrypted message or binding malware.
  • Type steghide --info Desert1.jpg
  • Type y
  • Type the passphrase as your password (123456 in our case).
  • In the above image, the first command is used to check basic information about the file and whether data is embedded in the image.
  • Details of the embedded data can be seen after entering the passphrase.
  • Type steghide --encinfo to view all the algorithms.
  • The above command shows the algorithms that can be used to encrypt the data. Knowing the algorithms of an encryption program can weaken security, since additional decrypters can be created easily.
  • The embedding commands above use rijndael-256 encryption for the text file.
  • Type steghide embed -cf Desert.jpg -f -ef "secret info.txt"
  • -cf is used for the cover file
  • -ef is used for the file to embed.
  • -f will overwrite the output file.
  • Type the passphrase as your password (123456 in our case).
  • After executing, the same file is overwritten if any change was made to the hidden text file.
  • Type steghide embed -N -cf Desert.jpg -ef "secret info.txt"
  • -N will not embed the original file name.
  • -cf is used for the cover file.
  • -ef is used for the file to embed.
  • This command hides the data without storing the hidden file's name. Take care when hiding data with this command,
  • as an attempt to extract the data will fail because the embedded file name is required when extracting.

Foremost – Recover files using this tool

Foremost is another Linux utility that recovers deleted files on a Linux system. Data recovery is the process of recovering deleted or corrupted data. Foremost is a simple utility that comes pre-installed on many systems, and Kali Linux already ships an initial configuration for it. If you are using another Linux distribution, build it from source:

  • Type git clone https://github.com/korczis/foremost.git
  • Then type make
  • Type make install
  • If you are on Kali Linux 2018.4, simply type foremost -h
root@kali:/home/iicybersecurity/Downloads/foremost# foremost -h
foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus.
$ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t <type>] [-s <blocks>] [-k <size>]
[-b <size>] [-c <file>] [-o <dir>] [-i <file]
-V - display copyright information and exit
-t - specify file type. (-t jpeg,pdf …)
-d - turn on indirect block detection (for UNIX file-systems)
-i - specify input file (default is stdin)
-a - Write all headers, perform no error detection (corrupted files)
-w - Only write the audit file, do not write any detected files to the disk
-o - set output directory (defaults to output)
-c - set configuration file to use (defaults to foremost.conf)
-q - enables quick mode. Search are performed on 512 byte boundaries.
-Q - enables quiet mode. Suppress output messages.
-v - verbose mode. Logs all messages to screen
  • Here we use a sample PDF file to test whether it recovers the file or not.
root@kali:/home/iicybersecurity# ls
core Desktop Documents Downloads Music output Pictures Public sample.pdf Templates Videos
  • Type cat sample.pdf
root@kali:/home/iicybersecurity# cat sample.pdf
%PDF-1.3
%▒▒▒▒
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
>>
endobj
2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj
3 0 obj
<<
/Type /Pages
/Count 2
/Kids [ 4 0 R 6 0 R ]
>>
endobj
4 0 obj
<<
/Type /Page
/Parent 3 0 R
/Resources <<
/Font <<
/F1 9 0 R
>>
/ProcSet 8 0 R
>>
/MediaBox [0 0 612.0000 792.0000]
/Contents 5 0 R
>>
endobj
5 0 obj
<< /Length 1074 >>
stream
2 J
BT
0 0 0 rg
/F1 0027 Tf
57.3750 722.2800 Td
( A Simple PDF File ) Tj
  • Type rm sample.pdf
 root@kali:/home/iicybersecurity# ls
core Desktop Documents Downloads Music output Pictures Public sample.pdf Templates Videos
root@kali:/home/iicybersecurity# rm sample.pdf
root@kali:/home/iicybersecurity# ls
root@kali:/home/iicybersecurity# ls
core Desktop Documents Downloads Music output Pictures Public Templates Videos
  • Type foremost -i sample.pdf -T pdf
  • -i is used to specify the input file name.
  • -T is used to enter the desired file extension. This option is required if the directory the file was deleted from is not empty.
root@kali:/home/iicybersecurity# foremost -i sample.pdf -T pdf
Processing: stdin
root@kali:/home/iicybersecurity#
  • After executing the above command, it takes some time to recover the file.
  • Type foremost -i sample.pdf -T pdf -o /home/iicybersecurity
 root@kali:/home/iicybersecurity# foremost -i sample.pdf -T pdf -o /home/iicybersecurity  
Processing: stdin
root@kali:/home/iicybersecurity#
  • After recovery is complete, go to the output directory: type cd output
root@kali:/home/iicybersecurity# ls
core Desktop Documents Downloads Music output output_Thu_Jan_31_06_08_40_2019 Pictures Public Templates Videos
root@kali:/home/iicybersecurity# cd output
  • Type ls
  • Type cat audit.txt
root@kali:/home/iicybersecurity/output# ls
audit.txt pdf
root@kali:/home/iicybersecurity/output# cat audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Thu Jan 31 06:08:13 2019
Invocation: foremost -i sample.pdf
Output directory: /home/iicybersecurity/output
Configuration file: /usr/local/etc/foremost.conf
File: sample.pdf
Start: Thu Jan 31 06:08:14 2019
Length: 2 KB (3028 bytes)
Num Name (bs=512) Size File Offset Comment
0: 00000000.pdf 2 KB 0
Finish: Thu Jan 31 06:08:14 2019
1 FILES EXTRACTED
pdf:= 1
Foremost finished at Thu Jan 31 06:08:14 2019
  • The audit file above shows the details of the recovered file, including the date and time it was recovered.
  • As shown above, the PDF has been recovered under a different file name, but the contents are the same.
  • To open the files, type cd pdf
  • Type cat 00000000.pdf
root@kali:/home/iicybersecurity/output/pdf# cat 00000000.pdf
%PDF-1.3
%▒▒▒▒
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
>>
endobj
2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj
3 0 obj
<<
/Type /Pages
/Count 2
/Kids [ 4 0 R 6 0 R ]
>>
endobj
4 0 obj
<<
/Type /Page
/Parent 3 0 R
/Resources <<
/Font <<
/F1 9 0 R
>>
/ProcSet 8 0 R
>>
/MediaBox [0 0 612.0000 792.0000]
/Contents 5 0 R
>>
endobj
5 0 obj
<< /Length 1074 >>
stream
2 J
BT
0 0 0 rg
/F1 0027 Tf
57.3750 722.2800 Td
( A Simple PDF File ) Tj
  • As you can see, the file data is exactly the same as it was before deletion.
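Foremost finds the deleted PDF above by scanning raw bytes for the %PDF- header and %%EOF footer listed in its configuration, which is why a file can come back after rm: the directory entry is gone but the data blocks are not. The following added example is my own code, not foremost's (the names carve, write_carved and build_sample_image are mine): it implements that header/footer carving over a constructed disk image and shows what foremost's -q quick mode trades away.

```python
"""File carving by header/footer signature, the technique foremost applies to
raw block data. Added example: my own code, not foremost's. The input is a
constructed byte string standing in for a disk image."""
import os
import random

# (header, footer, maximum size) per type, in the spirit of foremost.conf.
SIGNATURES = {"pdf": (b"%PDF-", b"%%EOF", 20 * 1024 * 1024)}


def carve(image: bytes, kind: str, quick: bool = False):
    """Return [(offset, payload), ...] for every `kind` file found in `image`.
    The search runs over raw bytes, so a deleted file is still found as long
    as its blocks have not been reused. quick=True imitates foremost -q:
    headers are only accepted on 512-byte block boundaries, which is faster
    but misses a file that starts mid-block (e.g. one embedded in another file)."""
    header, footer, max_size = SIGNATURES[kind]
    found, pos = [], 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        if quick and start % 512:
            pos = start + 1
            continue
        window = image[start:start + max_size]
        end = window.find(footer)          # first footer; a PDF with incremental
        if end == -1:                      # updates may be cut short here, so
            pos = start + 1                # carved files still need validation
            continue
        payload = window[:end + len(footer)]
        found.append((start, payload))
        pos = start + len(payload)
    return found


def write_carved(found, outdir: str, kind: str):
    """Mirror foremost's layout: outdir/<kind>/00000000.<kind>; return the paths."""
    folder = os.path.join(outdir, kind)
    os.makedirs(folder, exist_ok=True)
    paths = []
    for n, (_, payload) in enumerate(found):
        path = os.path.join(folder, "%08d.%s" % (n, kind))
        with open(path, "wb") as fh:
            fh.write(payload)
        paths.append(path)
    return paths


# Constructed minimal PDF in the style of the article's sample.pdf.
SAMPLE_PDF = (
    b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Length 50 >>\nstream\n"
    b"BT /F1 24 Tf 57 722 Td ( A Simple PDF File ) Tj ET\n"
    b"endstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
)


def build_sample_image(seed: int = 7):
    """Constructed 'disk image': random filler, one PDF on a block boundary,
    one PDF at an unaligned offset. Returns (image, [expected offsets])."""
    rng = random.Random(seed)

    def filler(n):
        return bytes(rng.randrange(256) for _ in range(n))

    first, gap = 1536, 700                 # 1536 = 3 * 512, block aligned
    image = filler(first) + SAMPLE_PDF + filler(gap) + SAMPLE_PDF + filler(300)
    second = first + len(SAMPLE_PDF) + gap  # not a multiple of 512
    return image, [first, second]


if __name__ == "__main__":
    disk, expected = build_sample_image()
    full = carve(disk, "pdf")
    quick = carve(disk, "pdf", quick=True)
    print("expected offsets:", expected)
    print("full scan found: ", [o for o, _ in full])
    print("quick scan found:", [o for o, _ in quick])
    print("written:", write_carved(full, "output", "pdf"))
```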

Steganography Is Very Popular with Exploit Kits All of a Sudden
https://www.securitynewspaper.com/2016/12/30/steganography-popular-exploit-kits-sudden/
Fri, 30 Dec 2016 04:26:56 +0000

Steganography, the technique of embedding hidden messages inside public files, has become very popular with exploit kit operators in 2016.

Several security firms have detected multiple updates to exploit kits which recently started using steganography as the main component of their operations, or are employing steganography as a way to hide exploit and malware payloads as PNG files.

Exploit kits that heavily rely on steganography: Stegano

In the first category, we have the newly-discovered Stegano (also known as Astrum) exploit kit, which has been used in the past months as part of a very ingenious malvertising campaign.

Stegano authors have operated by embedding malicious code inside the RGBA transparency value of each pixel of PNG banner ads.

As users viewed the ads, JavaScript code would parse the PNG image, extract the malicious code and redirect the user to the exploit kit landing page, where he would be infected with various types of malware.

Exploit kits that heavily rely on steganography: DNSChanger

Besides Stegano, the second exploit kit discovered in 2016 that heavily relies on steganography is named DNSChanger.

The group behind DNSChanger created malicious ads that contained code that launched brute-force attacks against the user’s home WiFi router. Attackers were taking control over the victim’s router and injecting ads into all of their web traffic.

Once again, steganography was crucial to hide this malicious code inside the ads’ images, which helped crooks hide the exploit kit’s activity from security researchers.

Steganography spreads to big-time players

Both Stegano and DNSChanger are relatively small and unknown exploit kits, deployed and used only by a single operator, their creator.

According to a new report from Trend Micro, in the last days of 2016, one of the major players operating in the exploit kit market has also turned its sights on steganography.

The exploit kit’s name is Sundown, an exploit kit developed by a group of German-speaking developers who call themselves YBN (Yugoslav Business Network).

Logo of YBN, developers of Sundown EK

For the majority of the year, Sundown was a small-time player, with a market share much lower than Angler, Nuclear, Neutrino, RIG, and even the Magnitude EK.

But as Nuclear operators shut down in April, as the Angler EK was taken down by Russian police, and as the Neutrino exploit kit went private to cater only to a limited private clientele, Sundown found itself as one of the Top 3 remaining exploit kits on the market.

For most of its existence, the exploit kit has been known as the king of copy-paste, with the vast majority of its exploitation routines being stolen from Angler, Nuclear, or RIG.

As it found itself alone at the top of the market, things started to change this autumn, as Sundown operators realized they had to diversify their arsenal if they wanted to keep their position for longer.

Sundown now hides exploits as PNG files

According to Trend Micro, one of the changes the Sundown operators added was the usage of steganography to hide the “exploit packages,” which are the files that contain the exploit code delivered to users.

Until recently, Sundown operators never bothered to mask these files. Security researchers looking at traffic logs could easily identify the Sundown exploit package by looking at URLs, which often contained files ending in .SWF or .XAP extensions, specific to Flash and Silverlight exploits.

After this recent update, Sundown now hides these exploits as mundane PNG files. The file’s header says the file is a PNG image, but its content contains the actual exploit. Sundown traffic is now much harder to detect, and researchers have to put more work in unmasking Sundown operations, just as its operators wanted.

Sundown took inspiration from previous steganography campaigns

This addition of steganography to Sundown operations was spotted two days ago and appears to have been inspired by three previous malvertising campaigns.

The first is the massive AdGholas malvertising campaign, which ran on the Angler and Neutrino exploit kits, the second is the GooNky malvertising campaign, and the third is a malvertising campaign that delivered the CryLocker ransomware via the RIG exploit kit.

In all cases, the crooks behind these malvertising campaigns had used steganography to deliver PNG images to victims; the images contained malicious code that scanned the victim’s computer and later downloaded malware onto it.

The most successful of these campaigns was the AdGholas campaign, which raged on undetected for almost a year. The success of those campaigns has apparently convinced the Sundown gang to run a few experiments of their own.

By disguising malicious content as PNG files, Sundown is now following the new trend that has slowly taken hold of the exploit kit market in the past year. In all likelihood it will continue to use steganography, at least until security firms find a way to quickly identify malicious PNG files and block them.

In the meantime, stay safe from malvertising campaigns by employing an antivirus and ad blocker in your browser. PS: Don’t forget to whitelist the sites you like. Ads help keep websites alive.

Source: https://www.bleepingcomputer.com/

Magento Malware Uses Steganography to Steal Payment Card Data
https://www.securitynewspaper.com/2016/10/18/magento-malware-uses-steganography-steal-payment-card-data/
Tue, 18 Oct 2016 04:03:29 +0000

Malware hides credit card data inside image files. Hackers are collecting payment card data from Magento stores, hiding the stolen data inside JPG images, which they’re downloading from infected stores without raising any suspicions.

During the past year, attackers have shifted their gaze towards online e-commerce platforms, where they found a fertile ground for collecting payment card data, which in most cases, they later sell on underground hacking and carding forums.

With over 5,700 websites currently infected with malware, and with over 100 of those infected with the recently discovered MageCart malware, hacking e-commerce sites has in recent months become a common occurrence.

Magento malware turns to steganography

Sucuri, a US-based web security firm, says that a week doesn’t go by without one of their researchers discovering a new payment-card-stealing malware.

Detailing the most recent malware they found, the company says they’ve come across a variant that employs steganography to exfiltrate stolen data.

Steganography is the technique of hiding text data inside an image file’s raw bytes. Among hacking groups, the technique is not very common because it is incredibly difficult to introduce text inside an image file’s bytes without corrupting the actual image.

A security researcher opening the file would easily notice something strange and inspect the image in a text editor. Because of this, very few attackers employ this tactic.

Malware infection occurs in Cc.php file

Sucuri says it came across a Magento store that had been compromised by attackers, who modified a core CMS file, Cc.php, tasked with handling credit card data.

The attackers added extra code to this file which recorded the payment card details users entered in the checkout form and saved it at the end of a local image.

What was strange about this case is that attackers managed to cram a large number of payment card details inside the image without altering its content.

While attackers that deploy steganography usually choose to alter simplistic images in order to avoid corrupting the data, in this case the hackers modified a high-resolution file, which in most cases would have been very easy to corrupt.

Image looked like any other product photo

“The most interesting fact is that this image was related to products sold on the victim website,” Sucuri’s Ben Martin explains. “Most website owners would be none the wiser if they came across this image and opened it to make sure it worked.”

At this point, the attacker only had to access this image, download it, and extract the data appended at the end of the JPG file.

Had the website owner inspected the site’s logs for suspicious activity, they would have seen “another” site visitor downloading “another” image, which for some stores happens thousands of times per hour.

Magento hackers have used steganography before, this past winter, when they used the same technique to exfiltrate payment card details from sites they had infected, while tricking admins into thinking they were running up-to-date versions.
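Both cases in these two posts share a detection angle: the Sundown “exploit package” whose header says PNG but whose body is not a valid chunk sequence, and the Magento image with stolen data appended after the end of the JPEG. The following added example (written for this article; it is not code from Sucuri, Trend Micro or any of the campaigns described) walks the PNG chunk table and the JPEG marker table and reports anything that does not fit the format grammar or that sits after the terminating chunk or marker. The sample files and the `PAYLOAD` bytes are constructed inline for the demonstration.

```python
"""Structural checks that flag image files carrying a non-image payload.

Added example, not from the article.  A PNG is an 8-byte signature followed
by length/type/data/CRC chunks ending in IEND; a JPEG is a run of 0xFF-prefixed
marker segments ending in EOI (FF D9).  Bytes that break that grammar, or that
sit after the terminator, are reported as findings.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def check_png(data: bytes) -> list:
    """Walk the chunk table; return a list of findings (empty == clean)."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG signature"]
    pos, first, seen_iend = len(PNG_SIGNATURE), True, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        # chunk types are four ASCII letters; anything else is not PNG structure
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            findings.append(f"invalid chunk type {ctype!r} at offset {pos}")
            return findings
        if first and ctype != b"IHDR":
            findings.append("first chunk is not IHDR")
        first = False
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            findings.append(f"chunk {ctype.decode()} overruns file")
            return findings
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if stored_crc != zlib.crc32(data[pos + 4:body_end]) & 0xFFFFFFFF:
            findings.append(f"CRC mismatch in chunk {ctype.decode()}")
        pos = body_end + 4
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        findings.append("no IEND chunk")
    elif pos < len(data):
        findings.append(f"{len(data) - pos} trailing bytes after IEND")
    return findings


def check_jpeg(data: bytes) -> list:
    """Walk the marker segments; return a list of findings (empty == clean)."""
    findings = []
    if data[:2] != b"\xff\xd8":
        return ["not a JPEG SOI marker"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker byte at offset {pos}")
            return findings
        marker = data[pos + 1]
        pos += 2
        if marker == 0xD9:                       # EOI: the image ends here
            if len(data) - pos:
                findings.append(f"{len(data) - pos} trailing bytes after EOI")
            return findings
        if marker == 0xFF:                       # fill byte before a marker
            pos -= 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            continue                             # standalone markers carry no length
        if pos + 2 > len(data):
            findings.append("truncated segment length")
            return findings
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # length includes itself
        if marker == 0xDA:                       # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break                        # a real marker, not a stuffed byte or RSTn
                pos += 1
    findings.append("no EOI marker")
    return findings


# ---- constructed sample files (not real images from the campaigns) ----
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def _jpeg_segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


PAYLOAD = b"constructed-hidden-data"            # stands in for an appended payload
CLEAN_PNG = (PNG_SIGNATURE
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # 1x1 grey
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))                    # filter byte + pixel
             + _png_chunk(b"IEND", b""))
FAKE_PNG = PNG_SIGNATURE + b"var payload = 'constructed';"     # PNG header, script body
CLEAN_JPEG = (b"\xff\xd8"                                      # SOI
              + _jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + _jpeg_segment(0xDB, b"\x00" + bytes(64))       # dummy quantisation table
              + _jpeg_segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # SOF0 1x1
              + _jpeg_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")               # SOS header
              + b"\x12\xff\x00\x34\xff\xd0\x56"                # scan data with FF00 stuffing + RST0
              + b"\xff\xd9")                                   # EOI


def tampered_png() -> bytes:
    """Constructed: CLEAN_PNG with its first IDAT data byte flipped, so the stored CRC is wrong."""
    t = bytearray(CLEAN_PNG)
    t[41] ^= 0xFF          # 8 (signature) + 25 (IHDR chunk) + 8 (IDAT length+type) = 41
    return bytes(t)


if __name__ == "__main__":
    for name, data in [("clean png", CLEAN_PNG), ("png+payload", CLEAN_PNG + PAYLOAD),
                       ("fake png", FAKE_PNG), ("tampered png", tampered_png())]:
        print(name, check_png(data))
    for name, data in [("clean jpeg", CLEAN_JPEG), ("jpeg+payload", CLEAN_JPEG + PAYLOAD)]:
        print(name, check_jpeg(data))
```

The checks are deliberately format-level rather than content-level: they do not decode pixels, so they run quickly over a proxy log’s worth of downloads, and they catch exactly the two tricks described here (a PNG signature pasted onto non-PNG data, and bytes appended after the terminator) without any signature for a particular campaign. A real pixel-level stego payload, such as the alpha-channel encoding used by Stegano, passes these checks, which is why they are a first filter and not a complete answer.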

Image that contained the stolen credit card details

Source: https://news.softpedia.com/
