The art of concealment: how hackers hide malware


Hackers use various techniques to conceal their malicious code to evade detection. Windows Defender stays pretty busy analyzing files, checking trusted certificates, and warning users about potentially malicious websites they may be trying to visit. Because of this, hackers are evolving their attack strategies to stay relevant in an ever-changing cybersecurity landscape.

Malware has always fascinated me. For this reason, I often find myself sitting in the shadows of the Internet among members of the hacker underworld, absorbing as much information as I can. It is intriguing to listen to how hackers problem-solve and propose new solutions that push their intrusive programs under the radar.

The thing is, hackers love a good challenge. Such is the art of hiding malware where you least expect it.

When my hacking journey first began in the late 90s, sending malicious files to an unsuspecting victim was child’s play. If you had money, you had aftermarket antivirus software. But most users didn’t have it, and those that did sometimes forgot to enable it, or disabled it so they could download pirated music, movies, and games off file-sharing networks. Nowadays, Windows Defender isn’t so easy to disable.

However, because of the impulsivity of human nature, people still crawl peer-to-peer (P2P) file-sharing sites looking for cracked software and pirated media and are more than willing to risk possible infection if it means that the files they’re searching for actually work.

In most cases, users must disable Windows Defender to run highly compressed installers. Hacking tools are immediately flagged as malicious and removed.

More importantly, Windows Defender on its own contributes greatly to hardening Windows, and any aftermarket security software adds a further layer on top of it. For this reason, creativity has become the foremost tool in the hacker’s toolkit.

Steganography

Kaspersky reports that up to 50% of steganography attacks target industrial organizations. This sophisticated method is a technique for concealing malicious software inside seemingly innocent image and audio files, although historically, steganography has been used for data smuggling by hiding sensitive information inside images.

Images like JPEG and PNG are passive files since they store visual information and are not executable. Nevertheless, they can be edited to store data within their structure, which means they can be manipulated to conceal a payload or trigger other executables for an attack.

For example, attackers can trick users into unknowingly executing a malicious file by abusing the legitimate Windows archive manager, WinRAR: the attacker configures WinRAR to archive malicious files so that they appear to be images. When the image is opened, it displays as usual while the malicious code runs in the background. This technique is an effective way to establish a reverse shell on the victim's machine, giving the attacker full control of the device.

Least Significant Bit steganography

Another concealment method is called Least Significant Bit (LSB) steganography, which involves hiding malicious code or data within the pixels of an image. The malicious code is first converted into a string of bits, and those bits are then written into the least significant bits of the pixel values.

To simplify how this works, each pixel in an image is typically stored as one byte for each of its three color channels (red, green and blue). If the red byte of a pixel is 11001011, an attacker can overwrite its last bit with one bit of the malware code, which changes the byte’s value by at most one. The process is repeated, pixel by pixel, until every bit of the malicious code has been placed.

The image will appear exactly as it should, without any visible alteration, giving the impression that it is a legitimate and safe file. To extract the malicious code, the process is reversed: the least significant bits are read back out of the image and reassembled into the original binary data. It’s certainly a lot to take in.
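To make the mechanism concrete, here is an added example (my own code, not from the article) that embeds a constructed text payload in a constructed 16x16 RGB pixel grid, extracts it again, and reports the two facts a defender cares about: the largest per-channel change (never more than 1) and the LSB-plane statistics that steganalysis tools examine. It assumes plain RGB tuples rather than a real image library.

```python
# Added example, not from the article: LSB embedding and extraction over a constructed
# RGB pixel grid, plus the two checks a defender cares about (visual change, LSB statistics).
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]  # one byte each for red, green, blue

def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def lsb_embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Write a 2-byte length prefix plus payload into bit 0 of successive channel bytes."""
    framed = len(payload).to_bytes(2, "big") + payload
    if len(framed) * 8 > len(pixels) * 3:
        raise ValueError("payload does not fit in the cover image")
    bit_iter = _bits(framed)
    out = []
    for px in pixels:
        chans = list(px)
        for i in range(3):
            bit = next(bit_iter, None)
            if bit is not None:
                chans[i] = (chans[i] & 0xFE) | bit  # only bit 0 changes, so the value moves by at most 1
        out.append((chans[0], chans[1], chans[2]))
    return out

def lsb_extract(pixels: List[Pixel]) -> bytes:
    """Reverse the process: read bit 0 of each channel and honour the length prefix."""
    bits = [v & 1 for px in pixels for v in px]
    def byte_at(n: int) -> int:
        return int("".join(str(b) for b in bits[n * 8:(n + 1) * 8]), 2)
    length = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + n) for n in range(length))

def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-channel difference between two images: why the eye notices nothing."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))

def lsb_ones_ratio(pixels: List[Pixel]) -> float:
    """Fraction of channel bytes with LSB set; a crude stand-in for the histogram
    (chi-square / pairs-of-values) tests that real stego detectors run."""
    lsbs = [v & 1 for px in pixels for v in px]
    return sum(lsbs) / len(lsbs)

# Constructed 16x16 cover whose channel values are all even, so its LSB plane starts all-zero.
COVER: List[Pixel] = [(2 * (i * 7 % 128), 2 * (i * 13 % 128), 2 * (i * 3 % 128)) for i in range(256)]
PAYLOAD = b"constructed test payload"  # stands in for the attacker's binary data
```

On this cover the LSB plane is all zeros before embedding and about one eighth ones afterwards, which is the kind of statistical shift a detector keys on; a real photograph already has a noisy LSB plane, which is why production tools use histogram-pair tests rather than a bare ones ratio.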

Keeping your antivirus up to date, your file detection enabled, and your firewall active can, in most cases, provide adequate protection against steganography attacks.

File splitting

Another concealment technique used for evading security auditing software like Windows Defender is called file fragmentation or file splitting. This method involves fracturing the file into multiple smaller portions that are often placed in different files or locations hidden on your operating system.

Think about it. If you were to take a text document and splice it into separate, independent parts, when you try to read any single segment of the text, the context may not be readily clear. This is how attackers are able to evade detection, slip past security audits, and reduce the possibility of causing suspicion.

The next phase is reassembly: a script or loader tool gathers the fragments and joins them back into a complete, executable file. Security software automatically filters and warns Windows users who attempt to download and install executable files as potentially malicious; by downloading only non-executable pieces, this method covertly bypasses that check.

Droppers

This is interesting because this malware type has been making the news recently. Droppers are multi-staged delivery systems that await instructions from the attacker for downloading and deploying malware onto the target system.

Think of this as a malicious web installer, but it’s designed to hide on a target’s computer, awaiting instructions from the attacker to begin downloading and executing their malicious code – whatever the attacker needs. This also allows attackers to introduce other malware, each designed with multiple layers of evasion and obfuscation to evade detection and subsequent removal.

Like most malware, droppers are often disguised as other legitimate programs but are commonly found bundled with other software. For example, whenever a person downloads pirated software, there’s a high probability that a dropper has been compressed in the installation archive.

These are also often found as email attachments in phishing campaigns. If you don’t know the sender, don’t download the file attachment. And if you’re brave enough to download pirated software, well, all I have to say is “good luck.”

Malicious CSS Rules

This attack vector involves encoding a malicious URL directly into the CSS (Cascading Style Sheets) file, in the same way that an attacker might embed a malicious link that directs the victim’s browser to download a malicious file:

Unencoded basic example: background-image: url('http://malicious-site.com/malware.exe');

In a nutshell, CSS is a style sheet language used to define the presentation and layout of HTML (Hypertext Markup Language) documents, including websites and web applications.

In an effort to evade “Simple String Matching,” that is, filter systems that look for exact string matches to identify malicious content, attackers circumvent the filters by obfuscating the URL with encodings such as Base64 and hexadecimal escapes. Altering the appearance of URLs in CSS files can allow attackers to bypass these detection systems and get their malicious content out there.

Base64 encoding example: background-image: url('data:text/plain;base64,aHR0cDovL21hbGljaW91cy1zaXRlLmNvbS9tYWx3YXJlLmV4ZQ==');

Hexadecimal encoding example: background-image: url('\68\74\74\70\3A\2F\2F\6D\61\6C\69\63\69\6F\75\73\2D\73\69\74\65\2E\63\6F\6D\2F\6D\61\6C\77\61\72\65\2E\65\78\65');
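The defender's answer to this is to normalize before matching. The following added example (my own code, not from the article) canonicalizes the argument of every CSS url() by unquoting it, decoding CSS hex escapes, and unwrapping base64 data: URLs, then matches the result against a blocklist; the three forms above are embedded as a constructed sample stylesheet, and a plain substring filter is shown for comparison.

```python
# Added example, not from the article: normalize CSS url() values before matching them
# against a blocklist, so hex-escaped and base64-wrapped forms collapse to the same URL.
import base64
import re

URL_RE = re.compile(r"url\(\s*([^)]*?)\s*\)", re.IGNORECASE)
CSS_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")  # backslash, 1-6 hex digits, optional space
DATA_B64_RE = re.compile(r"^data:[^,]*;base64,(.*)$", re.IGNORECASE | re.DOTALL)

def decode_css_escapes(text: str) -> str:
    """Turn CSS hex escapes such as \\68\\74\\74\\70 back into plain characters."""
    return CSS_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)

def normalize_css_url(raw: str) -> str:
    """Canonical form of one url() argument: unquote, unescape, unwrap base64 data: URLs."""
    value = decode_css_escapes(raw.strip().strip("'\""))
    m = DATA_B64_RE.match(value)
    if m:
        try:
            value = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            pass  # not valid base64: keep the data URL as it is
    return value

def find_suspicious_urls(css: str, blocklist):
    """Return (raw, normalized) pairs whose normalized URL mentions a blocklisted host."""
    hits = []
    for m in URL_RE.finditer(css):
        norm = normalize_css_url(m.group(1))
        if any(host in norm for host in blocklist):
            hits.append((m.group(1), norm))
    return hits

# Constructed sample stylesheet containing the three forms shown in the article.
SAMPLE_CSS = r"""
.a { background-image: url('http://malicious-site.com/malware.exe'); }
.b { background-image: url('data:text/plain;base64,aHR0cDovL21hbGljaW91cy1zaXRlLmNvbS9tYWx3YXJlLmV4ZQ=='); }
.c { background-image: url('\68\74\74\70\3A\2F\2F\6D\61\6C\69\63\69\6F\75\73\2D\73\69\74\65\2E\63\6F\6D\2F\6D\61\6C\77\61\72\65\2E\65\78\65'); }
"""

def naive_match_count(css: str, needle: str) -> int:
    """What a plain substring filter sees: only the unencoded form."""
    return css.count(needle)
```

The substring filter finds one of the three references; the normalizing scanner finds all three and reports the same canonical URL for each.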

Fun fact: A few years ago, while researching a topic for a news article and simultaneously exploring certain Google Dorks, I stumbled upon exposed sensitive server directories that were not intended to be publicly accessible.

Unknowingly, I had copied one of the URLs to an unprotected parent directory to my clipboard. Later, when I was embedding a hyperlink to cite a source in one of my articles, I pasted the URL without realizing my mistake.

Fortunately, my editor caught the error before the article was published. Otherwise, anyone who clicked the link would have been redirected to an unprotected parent directory, potentially exposing sensitive information and possibly getting me fired.

While everyday users do not have direct control over the security of CSS files, website owners need to enforce a strict Content Security Policy. Implementing CSP headers that instruct the browser to refuse stylesheets and other resources from untrusted sources is key.

While the majority of the examples herein primarily summarize remote attacks, my curiosity is burning because now I am wondering, what about local or physical attacks?

I’m talking about physical Rubber Ducky USB attacks, malicious USB drops, and all manner of insider threats that penetrate the physical layer of security with hidden malware.

Let’s explore that together sometime.