Hello and welcome to the Monday, April 28th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, this weekend we had two interesting diaries that sort of played on each other.

First, Xavier talked about a piece of malware that encoded an executable as part of an image.

This technique usually called steganography does essentially adjust the value of individual pixels

in order to encode the particular binary that's supposed to be either exfiltrated or in this case

infiltrated, so it's more here about bypassing network defenses. The initial download

malware is actually encoded using Unicode characters, very common, as Xavier points out,

in order to make reverse analysis a little bit more

difficult. But then the real interesting part is the steganography part, where the attacker

sort of extracts the binary from individual pixel values. Often lately, I've seen steganography being used to refer to where an attacker just appends data to an image.

In my opinion, that isn't really sort of what steganography is all about because the data is still

clearly readable.

Steganography usually just means making these sort of subtle adjustments to existing files

in order to hide

that there is any additional data present.

And then the second diary this week was from DDA.

DDA, of course, famous for his Python scripts that analyze Malabar, and DDA is walking us

through how these tools can be used to analyze a piece of malware like this

that hides data in an image. The first tool that the DA is using is his PNG

dump tool. PNG is a compressed file format. So in order to get the raw pixel data that you

need here to extract the actual pixel data that you need here to extract the actual

...