As PC users become increasingly vigilant when it comes to protecting themselves from a constant onslaught of malware threats, hackers keep coming up with clever new ways to sneak past antivirus solutions and install malware on PCs around the world. In addition to creating new ways of distributing malware, hackers have also become increasingly adept at preventing security researchers from reverse engineering many new strains of malware by using a series of basic checks on an infected system to ensure it isn’t a sandbox analysis environment. A new form of malware, known as Stegoloader, combines a new way to deliver its malicious payload with anti-detection tools that have made it difficult for security researchers to figure out exactly how it works.
Although Stegoloader is only now becoming a serious threat to PC users, the malware was actually first discovered in 2013. That gap is in part due to how good the malware is at covering its own tracks and avoiding detection. Also known as Win32/Gatak.DR and TSPY_GATAK.GTK, Stegoloader gets its name from the computer science term steganography: the practice of concealing information within other data so that it hides in plain sight. In this case, the ‘other data’ is a PNG image file. Researchers from Dell SecureWorks were recently able to observe Stegoloader in action and have provided much-needed insight into this dangerous malware variant. Stegoloader has a relatively simple modular design. The first component, the deployment module, performs two tasks.
First, the malware checks the infected machine to ensure it is a viable target and not a sandbox. It does this by monitoring mouse cursor movement and querying the active services and processes for a predefined list of security analysis tools. If Stegoloader detects any program or process that it deems suspicious, it immediately terminates itself so that security researchers cannot analyze and reverse engineer the malware.
If the infected machine is deemed suitable for installation, the main module is downloaded. As previously mentioned, Stegoloader conceals the main module in an ordinary-looking PNG image file that is typically hosted on a legitimate website. This is accomplished by hiding the source code for the Stegoloader module within the pixels of the image file. Using a hard-coded decryption key and the RC4 algorithm, the data extracted from the pixels is decrypted and reassembled into a functional piece of malware. To avoid detection by common antivirus tools, the malware never writes anything to the PC’s hard drive.
Instead, Stegoloader keeps everything in RAM, sidestepping file-based signature detection in the process. With Stegoloader fully loaded into system memory, the deployment module is terminated and the main module takes over, communicating with a C&C server and performing predefined tasks. The main module can load additional modules depending on the kinds of information found on the infected PC, and it can even sleep for long periods until reactivated by hard-coded internal triggers or by the C&C server. So far, Stegoloader has been used by cybercriminals to steal passwords from a variety of applications, install other malware variants, execute shellcode, download web browser histories, list recently opened files, and even determine the infected PC’s geographical location.
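The hiding step described above suggests one check a defender can run on image files fetched by an unexpected process: because the embedded module is RC4-encrypted, the hidden bitstream is indistinguishable from noise, so the carrier's least-significant-bit plane ends up with unusually high entropy. The script below is an added example written for this page, not code from the Stegoloader samples or from Dell SecureWorks' analysis. It assumes LSB embedding in an 8-bit RGB PNG (the article does not say which pixel bits Stegoloader uses), builds two constructed carriers in memory (a synthetic gradient, and the same gradient with every LSB replaced by a seeded pseudo-random bit standing in for ciphertext), parses them with a minimal PNG chunk walker, and flags the one whose LSB plane looks like noise.

```python
import math
import random
import struct
import zlib

WIDTH, HEIGHT = 128, 128          # constructed image size; 128*128*3 = 49152 samples
SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_png(width, height, samples):
    """Assemble a minimal 8-bit RGB PNG (one IDAT, filter type 0 on every row)."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    stride = width * 3
    raw = b"".join(b"\x00" + bytes(samples[r * stride:(r + 1) * stride]) for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def png_samples(png):
    """Walk the chunk list and return the raw RGB sample bytes of an 8-bit RGB PNG.
    Only filter type 0 is handled, which is all the constructed carriers use."""
    if png[:8] != SIGNATURE:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, None, None, b""
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        pos += 12 + length                       # length + tag + data + crc
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("example parser handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
    raw = zlib.decompress(idat)
    stride = width * 3 + 1                       # one filter byte precedes each row
    out = bytearray()
    for r in range(height):
        row = raw[r * stride:(r + 1) * stride]
        if row[0] != 0:
            raise ValueError("example parser handles filter type 0 only")
        out += row[1:]
    return bytes(out)


def lsb_bytes(samples):
    """Pack the least-significant bit of every sample into bytes, 8 samples per byte."""
    bits = [s & 1 for s in samples]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def lsb_entropy(png):
    return entropy(lsb_bytes(png_samples(png)))


def clean_carrier():
    """Constructed synthetic gradient: its LSB plane is highly structured (few distinct bytes)."""
    samples = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            samples += bytes(((x + y) & 0xFF, (2 * x) & 0xFF, (3 * y) & 0xFF))
    return build_png(WIDTH, HEIGHT, samples)


def carrier_with_noise_lsbs():
    """Same gradient, every LSB replaced by a seeded pseudo-random bit. The random
    stream stands in for an encrypted blob: RC4 output looks like noise. Constructed."""
    rng = random.Random(1234)
    samples = bytearray(png_samples(clean_carrier()))
    for i in range(len(samples)):
        samples[i] = (samples[i] & 0xFE) | rng.getrandbits(1)
    return build_png(WIDTH, HEIGHT, samples)


def looks_suspicious(png, threshold=7.0):
    """Heuristic verdict: an LSB plane near 8 bits/byte is indistinguishable from noise."""
    return lsb_entropy(png) >= threshold


if __name__ == "__main__":
    for name, png in (("gradient", clean_carrier()), ("gradient+noise LSBs", carrier_with_noise_lsbs())):
        print(f"{name:22s} LSB entropy = {lsb_entropy(png):.2f} bits/byte  suspicious={looks_suspicious(png)}")
```

The gradient carrier scores well under 3 bits/byte while the noise-carrying one scores close to 8, so the threshold separates them cleanly. On real photographs the LSB plane is already noisy, so this statistic alone produces false positives; it is a triage signal to combine with context (which process fetched the image, and whether that process then ran code without touching disk), not a verdict on its own.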
Although Stegoloader could be distributed using a variety of mediums, the only verified initial infection vector has been websites hosting software piracy tools.
When a user attempts to download these pirated software applications, they unknowingly download and install Stegoloader at the same time. What makes Stegoloader so dangerous is that modern intrusion detection and prevention systems are not designed to look for malicious code inside image files. This means that there is currently no reliable way to stop a Stegoloader infection once the malware has been installed on a machine via a malicious download. In fact, some security researchers are convinced that Stegoloader has been used to commit clandestine acts of cybercrime since its initial discovery in 2013 while evading PC users and security analysts alike. The techniques used by Stegoloader aren’t exactly new, but this is the first time an active malware variant leveraging them has been found in the wild. Last year, security researchers discovered a variant of Zeus that concealed code in JPG image files.
Two other malware strains, known as Lurk and Neverquest, were also discovered, and both used PNG image files to conceal malicious code, much like Stegoloader. Interestingly, the hackers behind the Stegoloader campaign appear to be very selective about the victims they choose to exploit with the malware. Although researchers haven’t been able to gain access to the C&C server used to control Stegoloader, it appears the hackers are targeting organizations in the education, healthcare and manufacturing industries, both in the U.S. and around the world.
What is known is that once a system becomes infected, the hackers decide whether or not it is worth exploiting. If not, Stegoloader is quietly removed from the system without leaving a trace. There is also some speculation that once an interesting target has been identified, the cybercriminals behind this campaign may sell control of the host to other, unknown hackers to use as they please.
In some cases, these compromised systems could be used as part of botnets that distribute other malware strains or support DDoS attacks (among other nefarious activities). To protect yourself from this threat, avoid downloading any pirated software, as it may contain Stegoloader. Remember that most modern antivirus solutions will be unable to detect a Stegoloader installation, meaning that your PC could be at risk. That said, make sure to keep the OS and all third-party applications updated in case the hackers behind Stegoloader decide to distribute the malware through other common infection vectors such as drive-by downloads and spam email attachments.