Tuesday, November 22, 2022

A Powerful and Flexible Tool to Apply Active Attacks for Disrupting Stegomalware

Over the last 10 years, many threat groups have employed stegomalware or other steganography-based techniques to attack organizations from all sectors and in all regions of the world. Some examples are: APT15/Vixen Panda, APT23/Tropic Trooper, APT29/Cozy Bear, APT32/OceanLotus, APT34/OilRig, APT37/ScarCruft, APT38/Lazarus Group, Duqu Group, Turla, Vawtrack, Powload, Lokibot, Ursnif, IceID, and many others.

Our research (see APTs/) shows that most groups are employing very simple techniques (at least from an academic perspective) and well-known tools to bypass perimeter defenses, although more advanced groups are also using steganography to hide C&C communication and data exfiltration. We argue that this lack of sophistication is not due to a lack of steganography expertise (some APTs, like Turla, have already experimented with advanced algorithms), but simply because organizations are not able to defend themselves, even against the simplest steganography techniques.

For that reason, we have created stegoWiper, a tool to blindly disrupt any image-based stegomalware by attacking the weakest point of all steganography algorithms: their robustness. We have checked that it is capable of disrupting all the steganography techniques and tools (Invoke-PSImage, F5, Steghide, openstego, ...) employed nowadays, as well as the most advanced algorithms available in the academic literature, based on matrix encoding, wet-paper codes, etc. (e.g. Hill, J-Uniward, Hugo). In fact, the more sophisticated a steganography technique is, the more disruption stegoWiper produces.

Moreover, our active attack allows us to disrupt any steganography payload in all the images exchanged by an organization by means of a web proxy ICAP (Internet Content Adaptation Protocol) service (see c-icap/), in real time and without having to identify first whether the images contain hidden data.

Usage & Parameters

stegoWiper v0.1 - Cleans stego information from image files
                  (png, jpg, gif, bmp, svg)

Usage: ${myself} [-hvc <comment>] <input file> <output file>

Options:
  -h            Show this message and exit
  -v            Verbose mode
  -c <comment>  Add <comment> to the output image file

Examples - Breaking steganography

stegowiper.sh -c "stegoWiped" ursnif.png ursnif_clean.png

The examples/ directory includes several base images that have been employed to hide secret information using different steganography algorithms, as well as the result of cleaning them with stegoWiper.

How does it work?

stegoWiper removes all metadata comments from the input file and also adds some imperceptible noise to the image (it does not matter whether the image really includes a hidden payload or not). If the image does contain a steganographic payload, this random noise alters it, so when the attacker tries to extract it, extraction will either fail or produce a corrupted payload, and the stegomalware fails to execute.

We have tested several types of noise (Uniform, Poisson, Laplacian, Impulsive, Multiplicative) at several levels, and the best one in terms of payload disruption and low impact on the input image is Gaussian noise (see tests/ for a summary of our experiments). It is also worth noting that, since the noise is random and distributed all over the image, attackers cannot know how to avoid it. This matters because other authors have proposed deterministic alterations (such as clearing the least significant bit of all pixels), which attackers can easily bypass (e.g. simply by using the second least significant bit instead).
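The following pure-Python model is an added example, not stegoWiper's own code: it treats an 8-bit grayscale image as a plain list of pixel values, embeds a constructed payload in the second least significant bit plane (the bypass the paragraph above mentions), and then compares the two sanitisers discussed: a deterministic "clear the LSB of every pixel" pass, which leaves that payload intact, versus stegoWiper's approach of stripping comments and adding random Gaussian noise, which scrambles roughly half of the payload bits while changing each pixel by only a couple of levels. All function names, the cover image and the payload are assumptions made for this example.

```python
"""Toy model of stegoWiper's two actions on an 8-bit grayscale 'image'
(a list of ints 0..255): drop metadata/comments and add Gaussian noise.
Added example, not the project's code; no image library required."""
import random


def bytes_to_bits(data):
    """MSB-first bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; ignores any trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def embed_bits(pixels, bits, plane=0):
    """Write one payload bit into bit-plane `plane` of each pixel (0 = LSB)."""
    assert len(bits) <= len(pixels), "cover too small for payload"
    mask = 1 << plane
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~mask) | (bit << plane)
    return out


def extract_bits(pixels, count, plane=0):
    """Read `count` bits back from bit-plane `plane`."""
    return [(p >> plane) & 1 for p in pixels[:count]]


def clear_plane(pixels, plane=0):
    """Deterministic sanitiser: zero one fixed bit-plane of every pixel."""
    mask = ~(1 << plane)
    return [p & mask for p in pixels]


def add_gaussian_noise(pixels, sigma=2.0, seed=None):
    """Random sanitiser: add N(0, sigma) to every pixel, round, clamp to 0..255."""
    rng = random.Random(seed)
    return [min(255, max(0, round(p + rng.gauss(0, sigma)))) for p in pixels]


def stegowipe(image, sigma=2.0, seed=None):
    """Model of the two steps described on the page: strip comments, add noise."""
    return {"comment": None,
            "pixels": add_gaussian_noise(image["pixels"], sigma, seed)}


def make_cover(width=64, height=64, seed=7):
    """Constructed sample cover: a gradient with mild texture (stands in for a photo)."""
    rng = random.Random(seed)
    return [min(255, max(0, (x * 3 + y * 2) % 256 + rng.randint(-4, 4)))
            for y in range(height) for x in range(width)]


def survival_rate(original_bits, recovered_bits):
    """Fraction of payload bits that read back unchanged."""
    same = sum(a == b for a, b in zip(original_bits, recovered_bits))
    return same / len(original_bits)


def demo(payload=b"constructed payload", plane=1, seed=2022):
    cover = make_cover()
    bits = bytes_to_bits(payload)
    # Hypothetical stego image: payload in the 2nd LSB plane plus a metadata comment.
    stego = {"comment": "constructed comment field",
             "pixels": embed_bits(cover, bits, plane)}

    # Deterministic LSB clearing never touches plane 1, so the payload survives.
    after_clear = extract_bits(clear_plane(stego["pixels"], 0), len(bits), plane)

    # Random Gaussian noise hits every low bit-plane, so extraction is corrupted.
    wiped = stegowipe(stego, sigma=2.0, seed=seed)
    after_wipe = extract_bits(wiped["pixels"], len(bits), plane)

    change = sum(abs(a - b) for a, b in zip(stego["pixels"], wiped["pixels"]))
    return {
        "comment_removed": wiped["comment"] is None,
        "survives_lsb_clear": survival_rate(bits, after_clear),
        "survives_noise": survival_rate(bits, after_wipe),
        "payload_after_clear": bits_to_bytes(after_clear),
        "payload_after_noise": bits_to_bytes(after_wipe),
        "mean_abs_pixel_change": change / len(cover),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The seed argument only makes the demonstration repeatable; a real sanitiser would draw fresh noise for every image, which is exactly what denies the attacker any fixed bit-plane to retreat to.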

Author & license

This project has been developed by Dr. Alfonso Muñoz and Dr. Manuel Urueña. The code is released under the GNU General Public License v3.
