Stegoloader malware hides exploit code in images

Deployment module uses PNG file containing malware code from legitimate hosting site

Dell SecureWorks has released more information about Stegoloader, a form of malware that makes use of steganography, the art of hiding information within another message or image.

Believed to have been developed in 2012 and uncovered at the end of 2013, the malware extracts a deployment module from a PNG image file hosted on an otherwise legitimate website in order to complete its compromise of an infected machine.

"Stegoloader's modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis. This limited exposure makes it difficult to fully assess the threat actors' intent," claim the Dell researchers in a briefing paper.

The researchers at Dell said that they have not yet seen the technique used in a targeted attack. Instead, the malware appears to be propagated largely via illegal downloads, bundled with key generator apps used to crack commercial software, although it could easily be adapted for more targeted attacks. Hiding the deployment module inside an image lets it evade heuristic detection by anti-virus and other security software.

The operators of the malware, they add, appear to be using the bridgehead in pirated software to target particular sectors, particularly healthcare, education and manufacturing.

"This malware family has affected multiple verticals, including healthcare, education and manufacturing. The malware has the characteristics of a stealthy and opportunistic information stealer. It has not been observed being used with exploits or spearphishing, making it more similar to 'mass market' commodity malware than to a tool used in targeted attacks," claims Dell.

Some variants of Stegoloader appear to have been used to display ads and install additional malware, particularly by downloading the Vundo malware to the affected PCs. "Stegoloader operators may install Vundo on a compromised system for additional monetary profit after they have extracted all the information they deem interesting," warns the company.

According to Dell, Stegoloader is not the first malware to make use of steganography. The Lurk downloader used a similar technique, as did the Neverquest version of the Gozi Trojan, which used it to hide the location of its backup command-and-control server.

Stegoloader works as follows, according to Dell's analysis: "The image's URL is hard-coded in the binary. After downloading the image, Stegoloader uses the gdiplus library to decompress the image, access each pixel, and extract the least significant bit from the colour of each pixel.

"The extracted data stream is decrypted using the RC4 algorithm and a hard-coded key. Neither the PNG image nor the decrypted code is saved to disk, making the malware difficult to find via traditional disk-based signature analysis. The image's URL and the RC4 key vary in the samples analyzed by CTU [Counter-Threat Unit] researchers."
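The two extraction steps CTU describes, least-significant-bit carving followed by RC4, reduced to an analyst's triage helper. This is an added example, not code from Dell's report or from the malware; the carrier pixels, the key and the payload are all constructed, and the payload length is assumed to be known in advance.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA + PRGA); symmetric, so the same call decrypts.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def extract_lsb(channels, nbytes):
    # Collect the least significant bit of each 8-bit channel sample,
    # eight samples per payload byte, most significant bit first.
    if nbytes * 8 > len(channels):
        raise ValueError("carrier too small for requested length")
    out = bytearray()
    for b in range(nbytes):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (channels[b * 8 + k] & 1)
        out.append(byte)
    return bytes(out)

def embed_lsb(channels, payload):
    # Only used to build the constructed carrier for the demo below.
    chans = list(channels)
    for b, byte in enumerate(payload):
        for k in range(8):
            chans[b * 8 + k] = (chans[b * 8 + k] & 0xFE) | ((byte >> (7 - k)) & 1)
    return chans

def carve_payload(channels, key, nbytes):
    # The two steps Dell describes: LSB stream, then RC4 with the hard-coded key.
    return rc4(key, extract_lsb(channels, nbytes))

# Constructed demo data (not from any real sample): 64 RGB pixels flattened
# to 192 channel samples, a placeholder key and a placeholder payload. The
# payload length is assumed known; recovering it from a real sample is not shown.
COVER = [(i * 37 + c * 11) & 0xFF for i in range(64) for c in range(3)]
KEY = b"placeholder-rc4-key"
PAYLOAD = b"CONSTRUCTED-MODULE-BYTES"
CARRIER = embed_lsb(COVER, rc4(KEY, PAYLOAD))

if __name__ == "__main__":
    print(carve_payload(CARRIER, KEY, len(PAYLOAD)))
```

Because neither the image nor the decrypted module touches disk in the real malware, the channel samples would come from a memory or network capture rather than a file on the infected host.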
