Hiding in Plain Sight -- Advances in Malware Covert Communication Channels: Stegoloader and PlugX


Steganography, the art of concealing information in different types of medias, is a very old practice. Yet, it only recently started being used by malware operators on a large scale. Malware programmers and operators are increasing their efforts in developing covert communication channels between infected computers and their command and control servers. In addition to steganography, recent examples include hiding communication in inconspicuous network traffic such as DNS queries or HTTP 404 error messages. When used properly, these covert communication channels can bypass many automated detection mechanisms and render malware communication difficult to detect and block. From an attacker’s perspective, covert communication channels are a valuable addition because they allow messages to blend in with legitimate traffic and thus significantly lower the chance of being detected even when inspected by a human analyst. This presentation studies recent advances in covert communication channels used by real-world malware. First, we will show how steganography has recently been used in three different malware families (Stegoloader, Vawtrak, and Lurk). We will dive into the implementation details on how steganography is implemented and discuss the strengths and weaknesses of each approach. Furthermore, we will detail and compare the usage of inconspicuous carrier protocols for covert communication channels in malware. Examples will span commodity cybercrime as well as targeted attack malware. The cases that are discussed in this presentation are based on real life incidents. While it is easy to speculate how covert communication channels might be used by malicious actors, documentation of real-world cases is sparse. Yet, covert communication channels have arrived in both, the commodity cybercrime and targeted attack world. It is thus vital to understand the status-quo and identify current trends in cybercriminal and targeted attack malware. As such, we believe that it is mandatory to highlight what is currently being used in the wild.

Blackhat Europe. Amsterdam, The Netherlands