Stegoloader malware hides in images to steal data

News by Rene Millman

Hard to detect Trojan steals data, described as "wolf in sheep's clothing"

Security researchers have uncovered a new type of modular malware that hides code in image files in order to steal sensitive data.

According to Dell SecureWorks' Counter Threat Unit (CTU), the Stegoloader malware uses a technique called digital steganography to hide its payload within an otherwise innocuous image.

Senior security researcher Pierre-Marc Bureau, discovered that the hackers behind the virus hid a core component of the malware within a portable network graphic (PNG) hosted on a legitimate site.

As Stegoloader executes, it downloads the core component and then uses digital steganography to extract the code from the image. The core component is never saved to the victim's computer, meaning that it is incredibly difficult to detect the malware through regular tools.

Writing in a blog post, the researchers said that the malware family, first identified in 2013, has only been observed being distributed through software piracy sites, bundled with licence key generators.

The malware collects data from a victim's machine to send back to the malware's command and control server. The malware has a modular form capable of evading most forms of detection.

"Malware authors are evolving their techniques to evade network and host-based detection mechanisms. Stegoloader could represent an emerging trend in malware: the use of digital steganography to hide malicious code," reads the advisory.

"Stegoloader's modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis," the researchers added.

According to the researchers Stegoloader is stealthy in many aspects; it evades analysis tools and deploys only necessary modules, without writing them to disk.

“There are likely more Stegoloader modules than CTU researchers have observed, possibly used by threat actors to ensure persistence or to gain access to additional resources. Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities.”

Tom Williams, lead investigative consultant at Context Information Security told that this is yet another example of cyber-criminals adopting techniques that were previously the preserve of state sponsored groups.

“However, sadly, this is not a new phenomenon. Recent examples of this technique being used in criminal guises include a Zeus variant and the Vawtrak malware, amongst others,” he added.

Williams said Stegoloader is interesting as it appears that this malware is more modular and cautious in nature, profiling a user first to gauge the potential risk of detection and also possible worth in terms of criminal gains.

“This means that a campaign could be more agile in nature, moving from something untargeted and speculative toward something more focussed and deliberate, depending on the results of the initial reconnaissance. This is definitely something that we could continue to see more regularly in the future, as malware continues to evolve and seek new ways to evade detection.”

Williams added that this is an extremely difficult threat to protect against. “There is no golden bullet to stop this type of attack. However, ensuring that systems are patched, that they have good endpoint protection and data encryption will assist in protecting against this type of threat.”

Dr Guy Bunker, senior vice president of Products at Clearswift told that it is not uncommon for malware today to install a loader then download the real payload from the internet in one form or another – “this is just another way that the payload is delivered”.

“The mechanism for hiding it in an image makes detection harder as the image can easily be changed. However, this is not too different from detection of polymorphic viruses - viruses that re-create variations of themselves,” said Bunker.

Gavin Reid, vice president of threat intelligence at Lancope told that stenography has never gone away – “it is used less for malware propagation and more to obscure the command and control instructions sent from an infected hosts to the controller”.

“A typical use -case would be a check-in by infected host for new instructions over a web request. If this check-in was observed by the security team then it would only see a web browser pulling down a graphic which is typical user activity happening all the time and would most likely avoid detection,” said Reid.

David Kennerley, senior manager for Threat Research at Webroot told SC that although the malware is seen to use many advanced techniques, the malware is still reliant on an initial executable downloader, arriving from the internet and communicating to its C2 server. 

“It's not been observed as targeting companies or individuals through advanced exploits or spear-phishing campaigns, it's relying on the good old internet user to do the dirty work on its behalf. Although defensive technology will always play an important role in stopping attacks, user education and solid corporate security practices will always be the best first line of defence,” he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews