A couple of weeks ago, security researchers at Dell SecureWorks discovered a new strain of malware, dubbed Stegoloader, that uses steganography as an evasion technique. Once it has infected the victim’s machine, a dedicated loader module downloads, from a legitimate website, a PNG image in which the malicious code is hidden.
Stegoloader, which has been active since 2012, has been used to compromise the systems of companies operating in various industries, including healthcare, education, and manufacturing.
“Looking at recent victims of the Stegoloader malware, we observed that the majority of the infected machines counted for the last three months came from the United States (66.82%), followed by Chile (9.10%), Malaysia (3.32%), Norway (2.09%), and France (1.71%),” states a report from Trend Micro.
The experts speculate that Stegoloader could be a powerful weapon in the arsenal of hackers targeting healthcare organizations with the intent of compromising medical records.
“The reemergence of TROJ_GATAK and its apparent focus on certain regions and industries show that cybercriminals continually experiment with the creative uses of steganography for spreading threats.” continues the post.
The experts have discovered several strains of Stegoloader over time; the malware has evolved over the months, but the routines seen in variants from past years remain the same.
The experts highlighted that victims were mainly infected by downloading key generators (keygens) from third-party sites, rather than through phishing attacks or malicious exploit kits.
Once downloaded, it poses as a legitimate file related to Skype or Google Talk and fetches the image containing its routines.
The Stegoloader malware implements various evasion techniques to hinder investigation by law enforcement and security firms; for example, it checks that its code isn’t running in an analysis environment.
Below are the SHA1 hashes related to the Stegoloader malware:
(Security Affairs – Stegoloader, healthcare)