stegomalware

{{Short description|Type of malware}}

Stegomalware is a type of malware that uses steganography to hinder detection. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, video, or network traffic. This type of malware operates by building a steganographic system that hides malicious data within its resources and then extracts and executes that data dynamically. It is considered one of the most sophisticated and stealthy forms of obfuscation.

The term "stegomalware" was introduced by researchers in the context of mobile malware and presented at the Inscrypt conference in 2014.{{cite conference |title=Stegomalware: Playing Hide and Seek with Malicious Components in Smartphone Apps |first1=Guillermo |last1=Suarez-Tangil |first2=Juan E |last2=Tapiador |first3=Pedro |last3=Peris-Lopez |year=2014 |conference=10th International Conference, Inscrypt |conference-url=http://www.inscrypt.cn/ |editor=Dongdai Lin |editor2=Moti Yung |editor3=Jianying Zhou |volume=8957 |book-title=Information Security and Cryptology |publisher=Springer International Publishing |location=Beijing, China |pages=496–515 |isbn=978-3-319-16745-9|doi=10.1007/978-3-319-16745-9_27 }} However, the possibility that (mobile) malware could use steganography had already been presented in earlier work: steganography in malware was first applied to botnets communicating over probabilistically unobservable channels,{{cite conference |last1=Nagaraja |first1=Shishir |last2=Houmansadr |first2=Amir |last3=Piyawongwisal |first3=Pratch |last4=Singh |first4=Vijit |last5=Agarwal |first5=Pragya |last6=Borisov |first6=Nikita |date= May 2011 |title=Stegobot: A Covert Social Network Botnet |publisher=Springer Berlin Heidelberg |volume=6958 |pages=299–313 |conference=13th International Conference Information Hiding |book-title=Lecture Notes in Computer Science|doi=10.1007/978-3-642-24178-9_21 }} and mobile malware based on covert channels was proposed in the same year.{{Citation|last1=Wendzel|first1=Steffen|title=Low-Attention Forwarding for Mobile Network Covert Channels|date=2011|work=Communications and Multimedia Security|pages=122–133|publisher=Springer Berlin Heidelberg|language=en|doi=10.1007/978-3-642-24712-5_10|isbn=9783642247118|last2=Keller|first2=Jörg|doi-access=free}} Steganography was later applied to other components of malware engineering, such as return-oriented programming{{cite conference |author=Lu, Kangjie, Siyang Xiong, and Debin Gao |title=Ropsteg: Program steganography with return oriented programming |year=2014 |conference=4th ACM conference on Data and application security and privacy}} and compile-time obfuscation,{{cite journal |author=Schrittwieser, Sebastian |title=Covert Computation—Hiding code in code through compile-time obfuscation |year=2014 |journal=Computers & Security|volume=42 |pages=13–26 |display-authors=etal|doi=10.1016/j.cose.2013.12.006 }} among others.{{cite journal |author1=Andriesse, Dennis |author2=Herbert Bos |name-list-style=amp |title=Instruction-Level Steganography for Covert Trigger-Based Malware |year=2014 |journal=Detection of Intrusions and Malware, and Vulnerability Assessment}}

The Europol-supported [https://cuing.eu/ CUING initiative] monitors the use of steganography in malware.{{Cite journal|last1=Mazurczyk|first1=Wojciech|last2=Wendzel|first2=Steffen|date=2017-12-27|title=Information hiding: Challenges for forensic experts|journal=Communications of the ACM|volume=61|issue=1|pages=86–94|doi=10.1145/3158416|s2cid=21118544|issn=0001-0782}}

Stegomalware techniques have been used in a number of attacks, including Duqu (hiding malicious payloads in JPEG images for stealthy data exfiltration), Zeus/Zbot (masking command-and-control (C&C) traffic inside image files), and Waterbug (injecting malicious code into WAV files).{{Cite journal|lang=en|url=https://www.sciencedirect.com/science/article/pii/S0165168425000039|title=A comprehensive survey on stegomalware detection in digital media, research challenges and future directions|journal=Signal Processing|doi=10.1016/j.sigpro.2025.109888 |bibcode=2025SigPr.23109888B |access-date=2025-02-17|last1=Badar |first1=Laila Tul |last2=Carminati |first2=Barbara |last3=Ferrari |first3=Elena |date=2025 |volume=231 |doi-access=free }}
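As an added example (not from this article or any of the cited works), the following scanner shows one defensive check for the image carriers described above: it walks a JPEG's marker structure and reports bytes appended after the EOI marker, one place where a carrier can hold foreign data, as well as unusually large APPn/COM metadata segments. The sample JPEGs are constructed marker skeletons rather than real pictures, and the 16 KiB metadata threshold is an assumed tuning value.

```python
"""Flag foreign data inside a JPEG carrier: bytes after the EOI marker and oversized
APPn/COM segments.  Added example; the samples are constructed marker skeletons."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}      # TEM and RST0..7 carry no length field
NOT_A_MARKER = {0x00, *range(0xD0, 0xD8)}    # inside scan data: stuffed FF or restart

def segment(marker: int, payload: bytes) -> bytes:
    """Build one segment: FF marker, big-endian length (includes itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def scan_jpeg(data: bytes, max_metadata: int = 16 * 1024) -> dict:
    """Walk the marker structure; report trailing bytes and bloated metadata."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos, oversized, saw_eoi = 2, [], False
    while pos + 2 <= len(data) and not saw_eoi:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            pos, saw_eoi = pos + 2, True
        elif marker in STANDALONE:
            pos += 2
        else:
            length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if (0xE0 <= marker <= 0xEF or marker == 0xFE) and length > max_metadata:
                oversized.append((marker, length))   # assumed threshold, tune per corpus
            pos += 2 + length
            if marker == SOS:
                # skip entropy-coded data until the next real marker
                while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in NOT_A_MARKER
                ):
                    pos += 1
    return {"eoi_found": saw_eoi,
            "trailing_bytes": len(data) - pos if saw_eoi else 0,
            "oversized_segments": oversized}

# Constructed samples: JFIF header, SOS header, a few scan bytes (with a stuffed
# FF 00 and an RST0), then EOI.  PAYLOAD stands in for an appended encrypted blob.
CLEAN_JPEG = (bytes([0xFF, SOI])
              + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78" + bytes([0xFF, EOI]))
PAYLOAD = b"\x8a\x17\x3c\xe2" * 8
TRAILING_JPEG = CLEAN_JPEG + PAYLOAD
BLOATED_JPEG = bytes([0xFF, SOI]) + segment(0xFE, b"\x00" * 20_000) + CLEAN_JPEG[2:]
```

A non-zero `trailing_bytes` or a bloated segment is a triage signal, not proof of a payload: some legitimate tools also write data past EOI, so the flagged bytes still need manual inspection.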

References