The digitization of photography has turned the everyday sharing of images into a potential security threat, through an obscure practice called steganography. Here, we take a closer look at this modern evolution of an ancient technique.

Steganography is an evasion technique that conceals data inside another file – in this case, an image – without perceptibly altering the carrier, so that the hidden content goes unnoticed.

The technique is often used by cybercriminals to smuggle malware onto a network, but it can also serve to hide other nefarious activity, such as data exfiltration.

In June 2020, for instance, researchers at cybersecurity firm Malwarebytes found malicious code hidden in the metadata fields of an image file that had been planted on compromised e-commerce sites to siphon customers’ credit card details.

In other examples documented by the company, image steganography was used to mask configuration files vital to the operation of a fraud campaign.

This was most notably seen with a variant of the Zeus banking trojan, Malwarebytes reported in 2014.

How steganography is evading detection

Despite the varied roles steganography plays in facilitating illicit activity online, malicious images remain largely ignored by present-day security products such as antivirus software.

That’s predominantly because an image file, unlike a document file (which may carry macros or scripts), contains no executable content: a viewer only renders its pixels and metadata.

“Downloading an image that contains steganography is not a problem in itself,” Jérôme Segura, director of threat intelligence at Malwarebytes, told SmartFrame.

“For the payload contained within the malicious image to execute, it must first be called by another program that will extract and then run it.”

An image used to conceal parts of ransomware code therefore becomes dangerous only if a second malicious program runs on the same system as the doctored picture.

That second stage can be delivered by tricking a user into clicking a phishing link, for example, or by crafting an image so that it exploits a known vulnerability in a website, browser or application. This was the case in Malwarebytes’ aforementioned discovery last June, where the code hidden in the picture’s metadata was fetched and executed by a separate loader on the compromised site.

Without both parts – the carrier image and the program that extracts its payload – Segura said, doctored image files can be downloaded onto machines without causing much harm.

This has, however, created a blind spot in the security practices of organizations and websites alike. Images are not scanned adequately because they are regarded as a passive threat, and inspecting every image file in full is considered too costly.
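To make the three points above concrete – that the carrier looks unchanged, that nothing happens until a separate extraction routine (the “second program”) runs, and that the metadata scanners skip is exactly where a code-shaped payload can sit – here is an added, stand-alone Python example. It is not code from the original article or from Malwarebytes. It builds a minimal PNG from a constructed 16×16 gradient, hides an inert stand-in string in the least-significant bits of the pixel channels, plants a code-like value in a tEXt metadata field, and then parses the file back. The field names, the SUSPICIOUS_TOKENS list and the payload are all assumptions made for this example; nothing in it is real malware.

```python
"""Image steganography demo: LSB payload + metadata field, and the checks a scanner could run.
Standard library only; all inputs are constructed inside demo()."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Tokens that have no business in an image's text metadata. Constructed for this
# example; not a vendor signature set.
SUSPICIOUS_TOKENS = (b"eval(", b"atob(", b"document.", b"<script", b"fromCharCode")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int, rgb: bytes, text=None) -> bytes:
    """Encode raw 8-bit RGB pixels as a valid PNG, with optional tEXt metadata chunks."""
    if len(rgb) != width * height * 3:
        raise ValueError("pixel buffer does not match dimensions")
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit truecolour
    scanlines = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for key, value in (text or {}).items():
        out += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return out + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Walk the chunk list, verify every CRC, return (rgb_bytes, {text_key: text_value_bytes})."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, idat, text = 8, 0, b"", {}
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in {ctype!r}")
        if ctype == b"IHDR":
            width, _height, depth, colour = struct.unpack(">IIBB", body[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("example only handles 8-bit RGB")
        elif ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            text[key.decode("latin-1")] = value
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length
    raw, stride, rgb = zlib.decompress(idat), width * 3 + 1, bytearray()
    for off in range(0, len(raw), stride):
        if raw[off] != 0:  # filter type 0 ("None") is all build_png emits
            raise ValueError("unsupported scanline filter")
        rgb += raw[off + 1:off + stride]
    return bytes(rgb), text


def lsb_embed(rgb: bytes, payload: bytes) -> bytes:
    """Hide payload (4-byte length prefix, then data) in the LSB of successive channel bytes."""
    msg = struct.pack(">I", len(payload)) + payload
    if len(msg) * 8 > len(rgb):
        raise ValueError("payload too large for carrier")
    out = bytearray(rgb)
    for i, bit in enumerate((b >> (7 - k)) & 1 for b in msg for k in range(8)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(rgb: bytes) -> bytes:
    """The article's 'second program': reassemble the hidden bytes from the LSB plane."""
    def read(start: int, count: int) -> bytes:
        return bytes(sum(((rgb[start + 8 * j + k] & 1) << (7 - k)) for k in range(8))
                     for j in range(count))
    (n,) = struct.unpack(">I", read(0, 4))
    return read(32, n)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change between two pixel buffers; LSB embedding moves each byte by at most 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def scan_metadata(text: dict) -> list:
    """Flag text chunks carrying code-like tokens: the cheap check the article says most scanners skip."""
    return [key for key, value in text.items() if any(tok in value for tok in SUSPICIOUS_TOKENS)]


def demo() -> dict:
    """Constructed carrier and inert stand-in payload; returns the values worth checking."""
    width = height = 16
    cover = bytes((x * 16) % 256 for _y in range(height) for x in range(width) for _c in range(3))
    payload = b"CONSTRUCTED-INERT-PAYLOAD: not real skimmer code"  # assumption: harmless text
    stego = lsb_embed(cover, payload)
    # Constructed metadata: an innocuous field beside one shaped like a loader stub (base64 of "CONSTRUCTED").
    meta = {"Author": "example", "Copyright": "eval(atob('Q09OU1RSVUNURUQ='))"}
    rgb, text = parse_png(build_png(width, height, stego, meta))
    return {"recovered": lsb_extract(rgb), "max_delta": max_channel_delta(cover, rgb),
            "flagged": scan_metadata(text)}


if __name__ == "__main__":
    print(demo())
```

The image produced here is inert: a viewer renders a gradient that differs from the original by at most one intensity level per channel, and the hidden bytes only matter once `lsb_extract` (or an equivalent loader) runs on the same machine. The metadata check is deliberately cheap, which is the point made above about cost: a scanner that at least walks the text chunks would have caught a value like the constructed `Copyright` field without decoding a single pixel.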