By John Stevenson | Blog

Deep Secure Research Labs today demonstrated a cyber-attack scenario in which the attacker infiltrates a network, establishes a Command and Control (CnC) channel and steals data, completely bypassing any data loss prevention (DLP) system.

The highly evasive attack used a combination of social media tools and image steganography, ensuring it was undetectable by conventional cyber security defences.

“This demonstration should act as a wake-up call for anyone who believes they can protect their information assets using conventional detection-based cyber security defences”, said Oceanne Gallagher, Lead Researcher with Deep Secure. “The use of polyformatted files, fileless malware and image steganography combined with social media tools means the attack can completely evade detection.”

The kill chain used in the demonstration is published below.

Phase 1 – Initial Infection

In the initial infection phase, the attacker crafts a polyformatted file: one that is valid in more than one file format and so can be interpreted by different applications. The file is sent to the victim as an email attachment. It looks like an innocent Word document, but it also contains fileless malware that bypasses signature-based anti-malware defences.

Using social engineering, the user is tricked into running the fileless malware.

This unpacks a backdoor that is disguised as part of the Word document and is invisible to the user.

The backdoor listens for a specified hashtag on Twitter for commands from the remote attacker.

Phase 2 – Reconnaissance

A seemingly harmless tweet includes an image in which a command to run a directory listing is concealed using steganography. The backdoor, which is listening on the hashtag, extracts the command from the image and runs it without the user being aware.

The result of the directory listing is embedded in an image using steganography and uploaded to a file-sharing site where the attacker downloads it and extracts the results of the directory listing. This process is repeated until the attacker finds the high-value data they want to steal.

Phase 3 – Exfiltration

Another seemingly harmless tweet includes an image in which a command to leak a file is concealed using steganography. The backdoor, listening on the hashtag, extracts the command from the image.

The document containing the high-value data is split into small chunks by the backdoor, and each chunk is encoded into an image using steganography. The images are uploaded to a file-sharing site, completely evading detection by DLP systems.

All the images are downloaded by the remote attacker, and the chunks of data are extracted from each image.

The content is then reassembled to reveal the high-value data.

“We estimate that an attacker could easily exfiltrate a third of a million credit card records by concealing them in 50 images using steganography and remain totally undetected by conventional anti-malware and DLP systems,” said Aaron Mulgrew, Security Architect at Deep Secure.


Users of Deep Secure Content Threat Removal are protected at every stage of this cyber kill chain.

Content Threat Removal (CTR) uses content transformation rather than detection to render digital content threat-free. CTR transforms all content crossing the security boundary, extracting only the business information from documents and images and discarding everything else. Brand new documents and images are then created and delivered to the user. As a consequence, threats concealed in polyformatted files, fileless malware or ransomware, and exploits hidden in images using steganography are all neutralised.
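The following is an added illustration, written for this post and not Deep Secure's own CTR code, of why "transform, don't detect" defeats image steganography. It works on a constructed 16x8 RGB pixel array rather than a real image file, embeds a constructed payload with the textbook least-significant-bit scheme purely as a test fixture, and then rebuilds every pixel from its visible tone alone. The hidden bytes can be read back from the original image and cannot be read back from the rebuilt one, while no channel moves by more than three levels out of 256. A real transformation pipeline would do the same at the level of whole file formats; the pixel-only rounding here is a simplification chosen for this example.

```python
# Added example (not Deep Secure's code): a toy model of content transformation
# neutralising LSB steganography. Pixels, payload and transform are all constructed.
import random

WIDTH, HEIGHT = 16, 8  # constructed 16x8 RGB image, small enough to inspect


def make_image(seed=1):
    """Constructed cover image: deterministic pseudo-random RGB pixels."""
    rng = random.Random(seed)
    return [tuple(rng.randrange(256) for _ in range(3)) for _ in range(WIDTH * HEIGHT)]


def _flatten(pixels):
    return [c for px in pixels for c in px]


def _unflatten(flat):
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def lsb_embed(pixels, payload):
    """Test fixture only: write a 2-byte length plus the payload into the
    least-significant bit of successive colour channels."""
    framed = len(payload).to_bytes(2, "big") + payload
    flat = _flatten(pixels)
    bits = [(b >> i) & 1 for b in framed for i in range(7, -1, -1)]
    if len(bits) > len(flat):
        raise ValueError("payload does not fit in the cover image")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    return _unflatten(flat)


def lsb_extract(pixels):
    """Read back whatever the LSB channel carries; b'' means nothing survived."""
    flat = _flatten(pixels)

    def read_bytes(count, bit_offset):
        out = bytearray()
        for n in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (flat[bit_offset + n * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(2, 0), "big")
    if 16 + length * 8 > len(flat):
        return None  # length field is noise: no coherent frame present
    return read_bytes(length, 16)


def transform(pixels):
    """CTR-style step: rebuild each pixel from its visible tone only.
    Rounding every channel to the nearest multiple of 4 keeps the picture
    (at most 3 levels of error per channel) and discards the original LSBs."""
    return [tuple(min(252, 4 * round(c / 4)) for c in px) for px in pixels]


def max_channel_delta(a, b):
    """Largest per-channel change between two images (visual fidelity check)."""
    return max(abs(x - y) for x, y in zip(_flatten(a), _flatten(b)))


def demo():
    """Embed, transform, and report what can be recovered before and after."""
    cover = make_image()
    stego = lsb_embed(cover, b"constructed hidden text")
    rebuilt = transform(stego)
    return {
        "before": lsb_extract(stego),      # payload readable from the stego image
        "after": lsb_extract(rebuilt),     # b'': nothing left after transformation
        "max_delta": max_channel_delta(stego, rebuilt),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that `transform` never inspects the image for a payload; it simply does not copy the bits an LSB scheme depends on, so the outcome does not rely on recognising any particular steganography tool.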
