In early-December 2016, ESET released a study of new Malvertising campaigns, targeting large media outlets in the Netherlands, the Czech Republic, Canada, Britain, Australia, Spain and Italy. According to the company, these attacks have been active at least since 2014 and contain steganography techniques in their execution.

Steganography — the activity of hiding information within other information — has been used since antiquity and, in technology, it consists of inserting data into spaces that would be used by less relevant bits of files, especially media files (audio, video and images).

Stegano, the name given by ESET to this newly discovered threat, used advertisement images to hide JavaScript code, which is crucial to download several other malicious tools.

In general, images can be formed by channels — such as in the standards Bitmap (BMP), Portable Network Graphics (PNG) and Graphics Interchange Format (GIF) — or by layers, such as in the Joint Photographic Experts Group (JPEG), also named JPG.

In the case of layered files, as the name says, they are formed by layers of overlapping bits, with layer 7 having the components of greater detail in the image. The level of details falls in each layer, reaching level 0, which includes the information called LSB, Least Significant Bit.

Image reproduced from the presentation Stegosploit by Saumil Shah

Files formed by channels have colours which are usually divided using the RGBA format, containing channels with colour intensity set by hexadecimal values for Red, Green, Blue, and an alpha channel which determines the level of opacity for each bit. If a bit has 0% opacity, it is transparent; 100% means it is completely opaque. The alpha channel concentrates the largest amount of bits considered as LSB.

Hiding information in channel-based images brings some benefits such as: it increases data capacity; it is undetectable by traditional security tools; it is also invisible to the human eye and it is impossible to remove the hidden information in case the steganography is discovered.

Another advantage of this type of image is that, when it is generated, the integrity of the hidden information is maintained. This is because the process of generating files based on layers, such as JPEGs, contemplates image compression and, when compressing, it is common to lose bits. Something tolerable for a photo, but that makes an attack impossible if we consider that the hidden information is an exploit. Attacks with JPEG images require a process to re-evaluate the image to ensure that the hidden information is intact. Because of these problems, Stegano developers use PNG files in their attacks.

In the infection, the user accesses a web page on the Internet containing ads under the control of the attacker. ESET has identified the attack on ads similar to those reproduced below:

Images reproduced from ESET

By loading the page with the ad, it runs code that captures various pieces of information about the user’s machine (operating system, software in use and its versions, etc). This process is not necessarily an attack, and many legitimate ads collect similar information.

If the target has favourable conditions, the original image of the ad is replaced by its malicious version, very similar to the original one, but containing hidden JavaScript code in the alpha channel of the file.

The JavaScript code exploits a Microsoft Internet Explorer vulnerability, which allows the attacker to obtain more information about the operating system. This code also checks if there is any monitoring application running, such as those used by malware analysts who have virtualization systems, packet capture tools, sandboxing and other containment and analysis software.

Having finished this check, the script redirects the connection to a shortened URL — using the TinyURL service — where the Exploit Kit (EK) page used by Stegano is hosted. This EK is prepared to exploit three Adobe Flash Player vulnerabilities (CVE-2015–8651, CVE-2016–1019 and CVE-2016–4117), which allow for code execution in the context of the logged-in user. The EK selects which vulnerability to exploit according to the version of Adobe Flash Player installed.

After executing the EK, the malware re-checks for traces of monitoring software on the victim’s computer. If this search returns zero matches, the threat then downloads the encrypted payload, disguised as a GIF file.

As soon as it is decrypted, the payload — which can be made up of backdoors, banking trojans, spywares, file stealers and others — is put into activity in the operating system.

The use of steganography in malware is not recent. It is possible to identify this technique in Zbot and Duqu, where steganography was used to return to the attacker information hidden in images. Its use is also registered in Gatak, which downloads image files (from the command and control server) containing hidden scripts.

In July 2016, Proofpoint, in partnership with Trend Micro, identified that the use of steganography began to incorporate Malvertising attacks with the malware AdGholas, which uses obfuscation and redirection, similarly to Stegano.

The advantage of this infection method, particularly for targets using Microsoft Windows, is that the operating system maps the bits of the image through the gdiplus.dll library and transfers them to memory without distinction of what is the image or the code. Thus, it executes the code embedded in the image, regardless of the interaction with the user. And, by being in memory, there is still another benefit to the attacker: the operating system does not keep track of what the code has executed. This makes it more difficult to obtain information about JavaScript code activities.

Attacks like these are only possible because the digital advertising industry has yet to find ways to separate legitimate advertisers from fraudsters or malware developers. This condition permits that security publications now recommend that users do not interact with ads under any circumstances.

It is still easy to insert ads, on Ad Networks, unrelated to real products — we explored this problem in detail in an article of Tempest’s Blog. The survival of digital advertising depends on how the industry will face these threats.