Threat actors are using steganography, the art of hiding data within seemingly harmless files to embed malicious code inside JPG images. These images, when delivered via email attachments, social media, or compromised websites, contain PowerShell scripts hidden in the image’s EXIF metadata. Once triggered, the code silently downloads and executes additional malware, including ransomware, without being detected by traditional antivirus solutions.
This multi-stage technique allows attackers to deploy fully undetectable (FUD) ransomware using ordinary-looking images, making detection extremely difficult.
How the Attack Works
- Initial Delivery: The victim receives a JPG image file via phishing email or another vector. It looks normal on the surface.
- Stealth Execution: The image contains an obfuscated PowerShell script within its metadata. It may be paired with an Office document with macros to trigger the attack.
- Payload Download: The script fetches a second image file containing a Base64-encoded .NET ransomware payload.
- Execution: Once decoded and executed, the payload encrypts files and may also drop Remote Access Trojans (e.g., LimeRAT, AgentTesla, Remcos).
- Evade Detection: By avoiding known signatures and using encrypted loaders or “cryptors,” attackers remain under the radar of most endpoint detection systems.
What Can You Do
- Disable macros in Office documents
- Use advanced email security solutions
- Maintain offline and regular backups
- Implement behavioral detection tools
- Educate users about phishing and steganographic threats
Why This Matters
This emerging threat underscores the need for organizations to fortify their cybersecurity measures. Traditional signature-based detection methods may no longer suffice against such sophisticated attacks. Implementing advanced email filtering that can analyze embedded image components, disabling automatic macro execution in Office documents, maintaining regular offline backups, and deploying security solutions with behavioral analysis capabilities are critical steps. As attackers continue to refine their techniques, staying ahead requires proactive and adaptive security strategies.
