According to a brief blog post from researchers at TrendLabs, criminals have been using steganography to manage ZBOT infections by embedding configuration files within images of sunsets; or in some cases, images of cats.
From the post:
"The ZBOT malware, detected as TSPY_ZBOT.TFZAH, downloads a JPEG file into the affected system without the user’s knowledge. The user does not even see this particular image, but if someone did happen to see it, it would look like an ordinary photo..."
In addition to primary form of attack, the ZBOT variant also downloads a secondary payload, a Trojan that removes the X-Frames-Options HTTP header from the websites a user visits. The header option is used to prevent clickjacking attacks, and its removal means that websites that otherwise would prevent such a thing, can now be displayed within a frame.
TrendLabs says that ZBOT hasn't been linked to clickjacking in the past, but that doesn't rule out the possibility. Previously, the malware has been used in ransomware campaigns.
"The use of steganography, along with the inclusion of clickjacking-related malware, shows that established malware threats are still expanding their techniques and routines."
Jokes aside, one of the most dangerous things about Zeus malware and its variants is that the ability to modify them is endless. Modules and add-on code for this family of malware can sell for hundreds, even thousands of dollars, and enable abilities such as code injection, frame injection and form overlay, granular data harvesting, and more.
Steganography isn't a new attack vector, but in this case it's interesting because the configuration file is likely to bypass many defenses. Unless something like DPI is enabled on the network, it's going to be seen as a simple image to many of the security products out there.