Stegomalware

Stegomalware is a type of malware that uses steganography to hinder detection. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, video or network traffic. This type of malware operates by building a steganographic system to hide malicious data within its resources and then extracts and executes them dynamically. It is considered one of the most sophisticated and stealthy ways of obfuscation.

The term of "stegomalware" was introduced by researchers in the context of mobile malware and presented at Inscrypt conference in 2014.^[1] However, the fact that (mobile) malware could potentially utilize steganography was already presented in earlier works: the use of steganography in malware was first applied to botnets communicating over probabilistically unobservable channels,^[2] mobile malware based on covert channels was proposed in the same year.^[3] Steganography was later applied to other components of malware engineering such as return-oriented programming^[4] and compile-time obfuscation,^[5] among others.^[6]

The Europol-supported CUING initiative monitors the use of steganography in malware.^[7]

The methods used by stegomalware have been used in a number of attacks: Duqu (to hide malicious payloads in JPEG images for stealthy data exfiltration), Zeus/Zbot (to mask command-and-control (C&C) traffic inside image files), Waterbug (to inject malicious code into WAV files).^[8]