Inplainsight
We obtained an enforcement order on one of our high-priority targets' email account.
They have been sending mysterious e-mails to an associate with no subject and no message, although there is an obscure stock image from the internet attached to each e-mail we've seen.
We suspect they are using steganography to obfuscate (hide) meaningful information within the otherwise insignificant image attachments.
Surveilling the target's laptop use in Starbucks via shoulder surfing has revealed that they use Stegosaurus, a bespoke online steganography tool.
We've attached an image file from an e-mail that we believe has had something encoded into it by the target. The idea behind steganography is to implant something and not make it obvious to the naked eye (or ear).
Please tell us what the HIDDEN MESSAGE within the specimen image provided is.
Stegosaurus: https://mystegosaurus.co.uk/
Unfortunately, the Stegosaurus website is no longer available. None of the other steganography tools I tried were able to decode the image, so I switched to a real local tool: the Stego Toolkit.
- `sudo docker pull dominicbreuker/stego-toolkit`
- `sudo docker run -it -v $(pwd):/data dominicbreuker/stego-toolkit /bin/bash`
- `pngcheck specimen-image.png` confirms that the image is a PNG file.
- `zsteg specimen-image.png` to confirm that steganography is being used. This is the output:

```
imagedata           .. text: "ejn\"\"\"..."
b1,bgr,msb,xy       .. text: "txt\rsecretmessagee"
b2,r,msb,xy         .. text: "wu]W}_(\"*~}_*"
b2,g,lsb,xy         .. file: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 21.17
b2,g,msb,xy         .. text: ["U" repeated 18 times]
b2,b,lsb,xy         .. file: locale data table
b2,b,msb,xy         .. text: ["U" repeated 18 times]
b2,bgr,msb,xy       .. text: ".C8.i\"(\"(\n"
b4,r,lsb,xy         .. text: "vvfvgfvfgvwf"
b4,g,lsb,xy         .. text: "#2\"3\"#33\"323#333EEEUDDDDDTDDfffwfgvfgwgwwvvfUUEUEEDTUTDUUUDUTTEUTUUDTEEUvgfwgvwgggvwvwvfvgvwggvwwwwwwgwvwgvvDUDDftUDTR\"#2!"
b4,g,msb,xy         .. text: "\"\"\"\"\"*\"\"fff"
b4,b,lsb,xy         .. file: raw G3 (Group 3) FAX, byte-padded
b4,b,msb,xy         .. text: "]UUU]U]U"
```

The `txt\rsecretmessagee` looks super shady, so we definitely want to pursue that.

- `stegano-lsb reveal -i specimen-image.png -e UTF-8 -o output.txt`

In theory, this command should have worked, but the Docker image was using outdated dependencies, so the Stegano library errored out when running it:

```
Traceback (most recent call last):
  File "/opt/Stegano/stegano-lsb", line 94, in <module>
    data = tools.base642binary(secret)
  File "/opt/Stegano/stegano/tools.py", line 100, in base642binary
    b64_fname += '==='
TypeError: unsupported operand type(s) for +=: 'NoneType' and 'str'
```
So I had to go and drop a quick PR to fix the issue. In the meantime, I needed another way to extract the hidden message.
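As an added example (not the author's solution, nor code from zsteg or Stegano), here is what zsteg's `b1,bgr,msb,xy` label actually means in code, and the kind of minimal extractor you can fall back on when a tool breaks: one bit per channel, channels read in B,G,R order, bits assembled most-significant-first, pixels walked row by row. The cover image and the `order` parameter are constructed for the demo; the image is a plain list of rows of (r, g, b) tuples so it runs without Pillow.

```python
# Added example: LSB embed/extract for the layout zsteg labels "b1,bgr,msb,xy".
# `pixels` is a list of rows of (r, g, b) tuples; `order` indexes that tuple,
# so (2, 1, 0) visits the channels as b, g, r. This is not zsteg's own code.

def _bits_msb_first(data):
    for byte in data:                      # one byte at a time ...
        for shift in range(7, -1, -1):     # ... most significant bit first
            yield (byte >> shift) & 1

def embed_lsb(pixels, payload, order=(2, 1, 0)):
    # Capacity is one bit per channel visited; refuse payloads that do not fit.
    capacity = len(pixels) * len(pixels[0]) * len(order) // 8
    if len(payload) > capacity:
        raise ValueError(f"payload is {len(payload)} bytes, cover holds {capacity}")
    bits = _bits_msb_first(payload)
    stego = []
    for row in pixels:
        new_row = []
        for px in row:
            px = list(px)
            for ch in order:
                bit = next(bits, None)
                if bit is not None:        # leave pixels untouched once payload is written
                    px[ch] = (px[ch] & 0xFE) | bit
            new_row.append(tuple(px))
        stego.append(new_row)
    return stego

def extract_lsb(pixels, nbytes, order=(2, 1, 0)):
    # Collect LSBs in the same channel/pixel order, then regroup 8 bits MSB-first.
    bits = [px[ch] & 1 for row in pixels for px in row for ch in order]
    if len(bits) < nbytes * 8:
        raise ValueError("image holds fewer than nbytes bytes")
    out = bytearray()
    for i in range(0, nbytes * 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)

def demo():
    # Constructed 16x16 gradient cover (nothing hidden yet); the payload is the
    # string zsteg reported in the writeup, embedded here purely for illustration.
    cover = [[(x * 16, y * 16, (x + y) * 8) for x in range(16)] for y in range(16)]
    secret = b"txt\rsecretmessagee"
    stego = embed_lsb(cover, secret)                        # b,g,r layout
    bgr = extract_lsb(stego, len(secret))                   # same layout: recovers it
    rgb = extract_lsb(stego, len(secret), order=(0, 1, 2))  # wrong layout: garbage
    return bgr, rgb
```

Reading the same stego image with the wrong channel order returns bytes that are not the message, which is why zsteg enumerates every bit/channel/order combination rather than trying just one.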