Steganography - Hidden Communication in Digital Media
Steganography is the art of hiding messages or data inside seemingly innocuous carrier files (images, audio, video, documents) so that an observer does not notice that a hidden message exists at all. Cryptography protects the content (the ciphertext is visible but unreadable); steganography hides the existence of the communication itself, and the two are normally combined: the payload is encrypted first, then embedded. In security work steganography shows up on the attacker side, hiding malware payloads, command-and-control (C2) traffic and exfiltrated data. Digital watermarking uses the same embedding techniques for a legitimate purpose (marking ownership or provenance).
Digital Steganography: Basic Principle
Least Significant Bit (LSB) – Most Common Method
Digital image: Each pixel = 3 bytes (R, G, B) with values 0–255
Original pixel: R=203 G=145 B=89 Binary: R=11001011 G=10010001 B=01011001
Insert hidden bits "1" "0" "1" into the last bit of each channel:
Modified pixel: R=11001011 G=10010000 B=01011001 Value: R=203 G=144 B=89
Visual difference: each channel changes by at most 1 out of 255 (under 0.4% of the range) - NOT visible to the eye, but measurable statistically (see detection below)!
Capacity:
- 1 bit per color channel per pixel
- 3 bits per pixel (RGB)
- Example: a 1,000,000-pixel RGB image (about 3 MB of raw pixel data) holds 3,000,000 bits = 375,000 bytes ≈ 366 KB of hidden data, i.e. one eighth of the raw pixel data
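The LSB scheme above, written out as an added example (not code from the original page). It works on a raw RGB byte buffer, so no image library is needed; the bytes a real PNG yields from Pillow's Image.tobytes() have the same layout. The cover pixels, the 32-bit length header and the message are constructed for illustration; the header is one common framing choice, not a standard.

```python
import random

def lsb_capacity_bytes(width: int, height: int, channels: int = 3) -> int:
    """Bytes that fit at one bit per colour channel: width * height * channels / 8."""
    return width * height * channels // 8

def embed_bits(pixels: bytes, bits) -> bytearray:
    """Overwrite the least significant bit of consecutive channel bytes with the given bits."""
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (bit & 1)   # clear LSB, then set it to the payload bit
    return out

def _to_bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(pixels: bytes, payload: bytes) -> bytearray:
    """Embed payload with a 4-byte big-endian length header (constructed framing)."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("payload exceeds the LSB capacity of this carrier")
    return embed_bits(pixels, _to_bits(framed))

def _read_bytes(pixels: bytes, start: int, count: int) -> bytes:
    out = bytearray()
    for k in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[start + k * 8 + j] & 1)
        out.append(value)
    return bytes(out)

def extract(pixels: bytes) -> bytes:
    """Read the length header from the first 32 LSBs, then that many payload bytes."""
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    return _read_bytes(pixels, 32, length)

def max_channel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-channel change caused by embedding (always 0 or 1 for LSB replacement)."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def make_cover(width: int, height: int, seed: int = 7) -> bytes:
    """Constructed cover image: random RGB bytes, stands in for a decoded photo."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height * 3))

if __name__ == "__main__":
    # The page's worked pixel: R=203 G=145 B=89 with bits 1,0,1 -> 203,144,89
    print(list(embed_bits(bytes([203, 145, 89]), [1, 0, 1])))
    cover = make_cover(64, 64)
    stego = embed(cover, b"exfiltrate /home/user/.ssh/")
    print(extract(stego), max_channel_delta(cover, stego), lsb_capacity_bytes(64, 64))
```

Running it reproduces the pixel example from the text, round-trips the C2 command from Scenario 1 through a 64x64 cover (1,536 bytes of capacity), and confirms that no channel moved by more than one step.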
Carrier media for steganography
| Medium | Formats |
|---|---|
| Images | JPEG, PNG, BMP, GIF (most common targets) |
| Audio | WAV, MP3 (LSB or echo hiding) |
| Video | MP4, AVI (frame-based hiding) |
| Documents | PDF, DOCX (metadata, invisible text, white text on white) |
| Network | IP/TCP header fields (IPv4 ID, TCP timestamp option, reserved bits), DNS labels, packet timing |
| File system | NTFS Alternate Data Streams (ADS) |
Malware and C2 Communication via Steganography
Scenario 1 - Malware Loads Payload from Image
- Attacker creates seemingly harmless image (Cat.jpg)
- C2 commands hidden in the image’s LSB bits
- Malware on compromised system:
- Downloads Cat.jpg from a public website (Imgur, Twitter, etc.)
- Reads LSB bits
- Receives commands: "exfiltrate /home/user/.ssh/"
- Firewall/proxy sees: an ordinary HTTPS download of an image from Imgur → no alert!
Real malware families using steganography:
- Duqu (2011): stolen data and C&C traffic wrapped in JPEG files
- Stegano exploit kit (2016): malvertising with exploit code hidden in the alpha channel of PNG banner ads
- Powload (2019 campaigns): PowerShell loader stages hidden in image files
- Turla (APT): C2 rendezvous data recovered from comments on a social media photo
Scenario 2 - Data exfiltration via images
- Attacker on compromised system
- Embed sensitive data in JPEG image
- Send image via legitimate channel (Teams message, email attachment)
- External recipient: Extract image, read data
- DLP sees: a harmless JPEG file → no alarm!
Network steganography
- IPv4 Identification field (16 bits): only meaningful for fragment reassembly; with DF set its value is arbitrary → 16 bits of data per packet
- TCP timestamp option: low-order bits of the timestamp modulated by the sender → covert channel
- DNS: data encoded into subdomain labels of queries to an attacker-controlled zone (the authoritative server is the receiver)
- ICMP payload: echo request/reply packets carrying hidden data in the data field
- HTTPS timing: bits encoded in the pauses between requests; the content stays encrypted and looks ordinary
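The DNS channel from the list above, both sides of it, as an added example (not code from the original page): the sender base32-encodes the data into labels under an attacker-controlled zone, the receiver reassembles it from the query log, and a simple defender heuristic flags zones that receive long or high-entropy subdomains. The secret, the zone c2-example.net and the benign query names are constructed; the length and entropy thresholds are illustrative starting points, not tuned values.

```python
import base64
import collections
import math

MAX_LABEL = 63  # RFC 1035 limit on one DNS label

def encode_queries(data: bytes, zone: str, labels_per_query: int = 3) -> list:
    """Sender: base32 data, cut into 63-char labels, hex sequence number in front
    so the receiving authoritative server can reorder queries (constructed framing)."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    names = []
    for seq, start in enumerate(range(0, len(labels), labels_per_query)):
        chunk = labels[start:start + labels_per_query]
        names.append(".".join([f"{seq:04x}", *chunk, zone]))
    return names

def decode_queries(names, zone: str) -> bytes:
    """Receiver: strip the zone, order by sequence number, restore base32 padding."""
    zone_len = len(zone.split("."))
    parts = {}
    for name in names:
        labels = name.split(".")
        parts[int(labels[0], 16)] = "".join(labels[1:-zone_len])
    text = "".join(parts[k] for k in sorted(parts))
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text, casefold=True)

def shannon_entropy(text: str) -> float:
    """Bits per character; base32 payload approaches 5, hostnames usually stay below 4."""
    if not text:
        return 0.0
    counts = collections.Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_zones(query_log, max_sub_len: int = 50, max_entropy: float = 4.0) -> dict:
    """Defender: per zone, count queries whose subdomain part is unusually long or
    high-entropy. The zone is approximated as the last two labels; a production
    detector uses the public suffix list and a per-client time window."""
    flagged = collections.Counter()
    for name in query_log:
        labels = name.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        sub = ".".join(labels[:-2])
        if len(sub) > max_sub_len or shannon_entropy(sub) > max_entropy:
            flagged[zone] += 1
    return dict(flagged)

# Constructed sample data
SECRET = b"user=alice;pass=hunter2;host=fileserver01.corp.example"
ZONE = "c2-example.net"
BENIGN = ["www.example.com", "mail.example.com", "api.github.com",
          "login.microsoftonline.com", "cdn.jsdelivr.net"]

if __name__ == "__main__":
    exfil = encode_queries(SECRET, ZONE)
    print(exfil)
    print(decode_queries(exfil, ZONE))
    print(suspicious_zones(BENIGN + exfil))
```

The 54-byte secret fits in a single query name of about 100 characters, which is why a length threshold alone catches it; encrypted or compressed payloads also push the entropy of the subdomain part close to 5 bits per character, so the entropy test catches senders that split data into many short queries.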
Detection methods (steganography analysis)
Statistical Methods
Chi-square test for LSB steganography (pairs of values):
- LSB replacement only swaps a pixel value between the two members of a pair (2k, 2k+1), so the sum of each pair is unchanged
- Natural images: the two values of a pair occur with noticeably different frequencies
- LSB steganography with a (typically encrypted, hence uniform) message evens the pair frequencies out → measurable deviation from the cover statistics
- Tools: StegExpose, StegSpy
RS analysis (Regular/Singular):
- Analyzes local image statistics in small groups of pixels (regular vs. singular groups under LSB flipping)
- Estimates the embedded message length, so it also detects partial (short) embeddings and randomly scattered embedding that the sequential chi-square test misses
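The pairs-of-values chi-square statistic from the bullets above, implemented as an added example (not code from the original page or from the tools named). The cover is constructed: uniform sensor values pushed through a square-root tone curve, which leaves the comb-like histogram that real processed images have; the 2.0 ratio threshold is illustrative, a real implementation converts the statistic to a p-value.

```python
import random

def chi_square_pov(samples) -> tuple:
    """Westfeld/Pfitzmann pairs-of-values statistic over 8-bit samples.
    Returns (statistic, degrees_of_freedom). For a cover the members of each pair
    (2k, 2k+1) differ in frequency; after LSB replacement with a uniform message
    they are evened out and the statistic collapses to about the degrees of freedom."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2       # embedding leaves the pair sum unchanged
        if expected == 0:
            continue                      # empty pair carries no information
        stat += (even - expected) ** 2 / expected
        pairs += 1
    return stat, max(pairs - 1, 1)

def looks_lsb_embedded(samples, ratio: float = 2.0) -> bool:
    """Illustrative decision: statistic close to its degrees of freedom means the
    pairs are evened out, i.e. the LSB plane looks overwritten."""
    stat, dof = chi_square_pov(samples)
    return stat / dof < ratio

def lsb_replace(pixels: bytes, bits) -> bytearray:
    """Sequential LSB replacement, as an attacker's tool would do it."""
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def make_cover(n: int, seed: int = 3) -> bytes:
    """Constructed stand-in for a natural image channel: uniform raw values through a
    square-root tone curve, which produces the uneven neighbouring-bin counts that
    real images show (some values hit twice as often as their pair partner, some never)."""
    rng = random.Random(seed)
    return bytes(int(255 * (rng.randrange(256) / 255) ** 0.5) for _ in range(n))

def demo(n: int = 20000, seed: int = 5) -> dict:
    cover = make_cover(n)
    rng = random.Random(seed)
    message = [rng.getrandbits(1) for _ in range(n)]   # uniform, like ciphertext
    stego = lsb_replace(cover, message)
    return {
        "cover": chi_square_pov(cover),
        "stego": chi_square_pov(stego),
        "cover_flagged": looks_lsb_embedded(cover),
        "stego_flagged": looks_lsb_embedded(stego),
    }

if __name__ == "__main__":
    print(demo())
```

On the constructed cover the statistic is an order of magnitude above the degrees of freedom; after full sequential embedding it drops to roughly the degrees of freedom. Note what this does and does not catch: a short message embedded in the first part of the image is found by running the test on a sliding window, but embedding at random positions, or ±1 embedding that does not pair values, defeats the plain chi-square test and calls for RS analysis.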
Visual Analysis
# With ImageMagick: display only the least significant bit of the red channel
# (white = 1, black = 0). Note: -threshold 0% would turn every non-zero pixel white and
# just show the image again; the LSB has to be computed per pixel, here with -fx.
convert original.png -channel R -separate +channel -fx "int(u*255+0.5)%2" lsb_red.png
# Natural image: the LSB plane looks like noise. Steganographic image: visible structure,
# e.g. a sharp boundary where the embedded data ends (sequential embedding) or repeating texture
Tool: zsteg (detection in PNG/BMP)
gem install zsteg
zsteg image.png
# Analyzes: LSB, various bit planes, color channels
# Output: suspicious payloads or text
Tool: stegdetect (JPEG)
stegdetect image.jpg
# Detects: JSteg, JPHide, Invisible Secrets, OutGuess
Tool: ExifTool (metadata)
exiftool image.jpg
# Comment fields and EXIF data may contain payloads
NTFS Alternate Data Streams (Windows)
:: Display hidden ADS:
dir /r file.txt
:: Read contents:
more < file.txt:hidden.exe
:: All ADS in the directory (Sysinternals Streams):
streams -s C:\Users
Protective Measures
For Businesses
- DLP with image analysis: some commercial DLP solutions include steganalysis for images; treat the result as one signal, since the statistical tests reliably catch only naive LSB embedding
- Network monitoring: Unusual image file transfers (size, frequency)
- Email gateway: Check attachments for steganography indicators
- Strip metadata: automatically pass all incoming images through a metadata stripper (ImageMagick: convert -strip)
For Incident Response
- Check for known steganography tools on compromised systems (steghide, OpenStego)
- Unusual downloads: numerous JPEG requests to external domains
- Strings in image files (catches only unencoded payloads, e.g. appended scripts or metadata comments):
strings image.png | grep -i "exec\|cmd\|powershell"
- PCAP analysis: timing patterns in DNS/ICMP (covert channels), long or high-entropy subdomain labels
For secure image processing
- Always transcode images (JPEG → re-encode at a different quality factor → DCT-domain and LSB payloads destroyed)
- PNG → lossy format (JPEG) → LSB data destroyed
- Strip metadata: remove EXIF, ICC profiles, comments, and any data appended after the end-of-image marker
- Caveat: transcoding only touches the pixel domain; payloads in metadata, in alternate data streams or in a separate covert channel need the other measures above
Steganography detection in SIEM
# Sigma rule example (process creation; the logsource block is required by Sigma
# and was missing in the fragment above):
title: Suspicious Steganography Tool Usage
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'steghide'
            - 'openstego'
            - 'silenteye'
            - 'stegosuite'
    condition: selection
falsepositives:
    - Security researchers and forensic analysts running these tools legitimately
level: medium