By John Stevenson | Blog

CrowdStrike security researchers have observed a new Cutwail spam campaign from the NARWHAL SPIDER group that uses image steganography – the practice of concealing a secret within a seemingly harmless image – to deliver malware to business users.

The exploit begins when a spam message is sent out with an Excel attachment. Opening the attachment and enabling macros begins the infection process.

The macro acts as the initial “bootstrap”, launching a command shell that downloads the “real” attack: code hidden inside an image using steganography. The campaign appears to target Japanese businesses. The ultimate payloads are unknown, but this is yet another in the growing list of exploits that take advantage of steganography.

Secrets concealed in images using steganography cannot be detected, which means the exploit will pass unhindered past detection-based cyber security defences.

Users of Deep Secure Content Threat Removal (CTR) are protected at every stage of this exploit.

CTR uses content transformation rather than detection to render digital content threat-free. CTR transforms all content crossing the security boundary, extracting only the business information from documents and images and discarding everything else. Brand new documents and images are then created and delivered to the user.

As a consequence, threats such as malicious Office macros and exploits concealed in images using steganography are all neutralized whether they are delivered via email, Web or File Transfer.
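As an added illustration (not code from Deep Secure, CrowdStrike or the campaign itself) of why re-creating an image defeats the simplest form of image steganography, the Python below hides a constructed marker in the least-significant bits of a constructed greyscale carrier, then re-quantises and rebuilds the pixels the way a transformation-based sanitiser might, and shows that the visible picture survives while the hidden bits do not. The carrier, the marker string and the quantisation step are all assumptions for the demo.

```python
"""Toy model of content transformation versus LSB steganography.

An 8-bit greyscale image is modelled as a flat list of ints 0-255. Hidden
data sits one bit per pixel in the least significant bit (the textbook
scheme). The 'transform' step stands in for a re-render that keeps only the
visible content and never copies the original bytes through.
"""
import random


def embed_lsb(pixels, payload: bytes):
    """Return a copy of pixels carrying payload in the LSBs (toy embedder,
    present only so the transform below has something to destroy)."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for carrier")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def extract_lsb(pixels, nbytes: int) -> bytes:
    """Read nbytes back out of the LSBs (what a second stage would do)."""
    bits = [p & 1 for p in pixels[: nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def transform_image(pixels, levels=64):
    """Re-create the image from scratch with `levels` grey levels. The
    visible content survives (every pixel moves by at most 256/levels/2),
    but every rebuilt value is even, so the LSB channel is wiped."""
    step = 256 // levels
    return [min(255, (p // step) * step + step // 2) for p in pixels]


def max_visual_error(a, b):
    """Largest per-pixel change the transform introduced."""
    return max(abs(x - y) for x, y in zip(a, b))


def demo():
    rng = random.Random(1)  # constructed carrier: 64x64 random grey pixels
    carrier = [rng.randrange(256) for _ in range(64 * 64)]
    secret = b"stage2"  # constructed placeholder, not any real payload
    stego = embed_lsb(carrier, secret)
    recovered = extract_lsb(stego, len(secret))   # intact before transform
    cleaned = transform_image(stego)
    after = extract_lsb(cleaned, len(secret))     # all-zero after transform
    return recovered, after, max_visual_error(stego, cleaned)


if __name__ == "__main__":
    r, a, err = demo()
    print("before:", r, "after:", a, "max pixel error:", err)
```

Real embedders may spread data more robustly than plain LSB, which is why a transformation approach rebuilds the image from the extracted picture content rather than nudging individual bits.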

Postscript: Deep Secure’s forthcoming version of CTR will be the world’s first cyber security solution to provide the capability to allow valid business macros to be preserved in transformed digital content and do so without compromising security.
