Revealing MageCart-like Threats in Favicons via Artificial Intelligence

Massimo Guarascio;Marco Zuppelli;Nunziato Cassavia;Luca Caviglione;Giuseppe Manco
2022

Abstract

Modern malware increasingly takes advantage of information hiding to avoid detection, spread infections, and obfuscate code. A major offensive strategy exploits steganography to conceal scripts or URLs, which can be used to steal credentials or retrieve additional payloads. A recent example is the attack campaign against the Magento e-commerce platform, where a web skimmer has been cloaked in favicons to steal payment information of users. In this paper, we propose an approach based on deep learning for detecting threats using least significant bit steganography to conceal malicious PHP scripts and URLs in favicons. Experimental results, conducted on a realistic dataset with both legitimate and compromised images, demonstrated the effectiveness of our solution. Specifically, our model detects ~100% of the compromised favicons when examples of various malicious payloads are provided in the learning phase. Instead, it achieves an overall accuracy of ~90% when in the presence of new or obfuscated payloads.
Istituto di Calcolo e Reti ad Alte Prestazioni - ICAR
Istituto di Matematica Applicata e Tecnologie Informatiche - IMATI
English
6th International Workshop on Criminal Use of Information Hiding, held jointly with the 17th International Conference on Availability, Reliability and Security (ARES 2022)
1
7
7
https://dl.acm.org/doi/abs/10.1145/3538969.3544437
Yes, but type not specified
23-26/08/2022
Vienna, Austria
information hiding
stegomalware
AI
malware
cyber security
machine learning
5
restricted
Guarascio, Massimo; Zuppelli, Marco; Cassavia, Nunziato; Caviglione, Luca; Manco, Giuseppe
273
info:eu-repo/semantics/conferenceObject
04 Conference contribution::04.01 Contribution in conference proceedings
   Secure Intelligent Methods for Advanced RecoGnition of malware and stegomalware
   SIMARGL
   H2020
   833042
Files in this item:
prod_468206-doc_190575.pdf (authorized users only)
Description: Revealing MageCart-like Threats in Favicons via Artificial Intelligence
Type: Publisher's version (PDF)
License: No license declared (not assignable to items after 2023)
Size: 1.95 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/448656