What’s Hidden in That Picture Online? Seeing Through “Stegware”

By on Oct 16, 2017

Steganography is the practice of hiding data within other text or data, and has been widely used for centuries, from ancient Greeks hiding messages within wax tablets, to agents concealing enemy information within doll orders during World War II, to prisoners-of-war blinking in Morse Code to get a message through. As they say, what’s old, is new again, and bad actors are now embracing stegware (a malicious operation involving steganography as a vehicle to conceal an attack).

The way steganography works is by concealing a payload inside the bits of a carrier file (e.g. an image). The interesting part is that this stealthy operation keeps the carrier untouched from a content perspective, so nobody will notice that the image has been modified.

 “Stegware refers to any malicious operation involving steganography as a vehicle to conceal an attack”

Recent cyberattacks have demonstrated the versatility of steganography in both brand new and well-known attacks. It is interesting to notice that steganography plays the role of a vehicle to conceal attacks, providing one big advantage to cybercriminals: it exponentially multiplies the success rate of the attack. For example: without steganography, security researchers may be able to tackle a malvertising campaign within the range of days or weeks. However, a campaign launched with the stealthy help of steganography could be running for months or years before it is detected.

Using steganography, cybercriminals can repump old attacks and rewrap them as stegware to bypass security solutions. They can then re-launch an attack and surpass several security checkpoints, as steganography provides the concealed channel to do so. Consequently, the ROI of a depreciated cyberattack tactic becomes interesting again.

“The usage of steganography exponentially multiplies the success rate of both brand new and well-known cyberattacks”


Steganography has been successfully used for data exfiltration, espionage, concealed communications, C2/botnets orchestration, malvertising and ransomware propagation, among others. Below is a list of examples how stegware operates in each case:

  • An employee decides to steal some sensitive files… With today’s security systems, this would be noticed using classic approaches. However, using steganography the sensitive files are encoded into images. By doing so, the images can be uploaded to social networks or cloud storage services without triggering red flags.
  • A group of cybercriminals is attempting to communicate and synchronize attacks from different countries… Since they can’t go through standard communication channels, they decide to conceal secret messages into profile pictures of social accounts. That way, they can emulate a ‘chat service’ by uploading and downloading unsuspicious profile photos using whitelisted services.
  • A massive botnet has been deployed and is awaiting instructions… Any attempt of communication from a central server to the bots is likely to be discovered, eventually. Instead of using a server, the bots are configured to periodically download the feed (text and images) of a public social account. By decoding steganographic data from the feed, instructions are extracted and executed.
  • A malicious campaign is planned to affect millions of users, but the perpetrators want to keep it as secret as possible… Since the goal is to exploit a browser vulnerability, they use steganography to conceal malicious code into advertisement images. To reach a large audience quickly, they submit the banner to networks that distribute the image over hundreds of websites. By doing so, the propagation is guaranteed and the campaign revenue is huge.
  • A new ransomware attack hides the communication between the victims and the perpetrator… Using steganography, information harvested from the target system is encoded into pictures uploaded to an image hosting website. Thanks to this tactic, the ransomware campaign deployment remains hidden for a longer period.

Unfortunately, all the examples stated above are based on real cases. Although many of these attacks were eventually spotted, the amount of time and effort required to detect and stop stegware was (and continues to be) huge. The result is a very good opportunity for cybercriminals.

Stay secure

Certainly, this is not a good picture to paint. However, if you can identify at least one scenario in which stegware might compromise your security, you will be one step ahead. By considering stegware as a possibility and following standard security practices, you will be able to start off on the right foot to mitigate this threat.

It’s with this in mind, we developed the McAfee Steganography Defense Initiative, to mitigate stegware and help you stay secure in multiple scenarios. If you want to learn more about this, visit the McAfee’s Steganography Defense Initiative page.

For more on “Stegware” and for updates from MPOWER17 follow us on Twitter at @McAfee.

About the Author

German Lancioni

German Lancioni, Innovation Software Architect is part of McAfee’s Office of the CTO working on solutions for upcoming cybersecurity threats. He actively engages in discovering future threats that may compromise different businesses and ideates solutions to proactively mitigate cyberattacks. In previous roles, German was leading McAfee’s Consumer Innovations to produce novel security products in the ...

Read more posts from German Lancioni

Subscribe to McAfee Securing Tomorrow Blogs