Data-stealing component of 'Stegoloader' hides in PNG images

Stegoloader has been active since 2012, but Dell SecureWorks recently found that the threat uses a clever tactic to hide its malicious code.

A malware family that has been active since 2012 has recently been found to be using Portable Network Graphics (PNG) files to hide its core component, a data stealer, from security researchers and system administrators who might come across the threat.

According to a Monday blog post by Dell SecureWorks Counter Threat Unit (CTU), "Stegoloader" malware, also detected as Win32/Gatak.DR and TSPY GATAK.GTK, "represents an emerging trend in malware: the use of digital steganography to hide malicious code."

In April 2014, the CTU discovered a downloader, dubbed “Lurk,” using this evasion technique, and at the end of last year a Neverquest malware variant leveraged PNG files as well to stay under the radar, Dell SecureWorks CTU explained. In a slight variation to this tactic, Malwarebytes and French security researcher Xylitol collaborated in February 2014 to release findings on a new variant of Zeus that used steganography by concealing malware code in JPG images.

Dell SecureWorks researchers revealed that, this time around, attackers using Stegoloader appeared to be targeting organizations in the health care, education and manufacturing sectors in the U.S. and abroad.

In a Wednesday interview with SCMagazine.com, Pierre-Marc Bureau, CTU senior security researcher, explained that, since traditional intrusion detection systems (IDS) and intrusion prevention systems (IPS) “are not structured to look for malicious code in image files,” the recent discovery regarding Stegoloader had evaded even researchers aware of the malware family – until four months ago, that is. In addition, the core component of the malware, its information-stealing module, is hidden in a PNG file which is hosted on a legitimate website.

While CTU researchers don't have access to the malware's command-and-control server, they've observed at least seven organizations that have been impacted by the malware. Over the years, 28 variants of Stegoloader have cropped up, Bureau added.

“There were hundreds of malware samples that were uploaded to VirusTotal over the last few years. Sadly, it's very hard to extrapolate the number of victims from that. This thing has gone through changes around 28 times,” Bureau said.  

Instead of spreading via common avenues, like phishing or exploit kit attacks, Stegoloader was observed being distributed through a software piracy website, where it was bundled with key generation tools, the CTU blog post said. The research team analyzed the malware's several malicious modules, and found ones dedicated to gathering geographic location data, as well as victims' browsing history, passwords, and lists of recently opened documents. Stegoloader also has an IDA-stealing module, meaning it "steals installed instances of the IDA software," which is commonly used by malware researchers to analyze threats, the blog post explained.

In his interview with SCMagazine.com, Bureau added that threat actors leveraging the malware were selective as to when they engaged its data-stealing capabilities.

“They will decide what to do with the system once it's infected,” Bureau said. Stegoloader is designed to wipe any traces of itself from compromised systems which are not deemed of interest to attackers.

“It is my intuition that they might be selling compromised hosts to others. But they do not appear to be trying to build a big botnet. They are not trying to accumulate thousands upon thousands of infected hosts. I really think they are trying to find interesting networks [or] hosts,” he explained.

Bureau advised organizations to keep their AV up-to-date and to monitor traffic going to known malicious URLs. Patterns in Stegoloader's traffic were also observed by researchers (see Figure 1 in blog post) who analyzed reports sent from a compromised system to the C2 server. In the analysis, Dell SecureWorks also listed SHA1 hashes associated with the malware's malicious modules (see Table 3). 
