
Stegoloader, a stealthy Information Stealer that exploits steganography

The authors of the Stegoloader malware use digital steganography to keep their information stealer under the radar and avoid detection.

Malware authors are prolific professionals, always searching for techniques that allow them to hide their malicious code from detection. This week security researchers at Dell SecureWorks discovered a new strain of malware dubbed Stegoloader that uses steganography as an evasion technique. Once the victim's machine is infected, a specific loader module downloads from a legitimate website a PNG file that contains the malicious code.

“Malware authors are evolving their techniques to evade network and host-based detection mechanisms. Stegoloader could represent an emerging trend in malware: the use of digital steganography to hide malicious code. The Stegoloader malware family (also known as Win32/Gatak.DR and TSPY_GATAK.GTK despite not sharing any similarities with the Gataka banking trojan) was first identified at the end of 2013 and has attracted little public attention” states the post published by the Dell SecureWorks Counter Threat Unit.

The experts at Dell confirmed that the malware was used as a data stealer to compromise systems of companies operating in various industries, including healthcare, education, and manufacturing.

The Stegoloader malware is used by threat actors to steal system information and to load additional components that gather information about the targeted machine, including recently opened documents, browser history, the list of installed programs, and installation files for the IDA development and analysis platform.

The experts also noticed that the malware drops the Pony password-stealing malware, which is used to steal passwords for the most popular applications used with protocols such as POP, IMAP, FTP, and SSH.

“Stegoloader’s Pony password stealer module is a copy of the Pony Loader information stealing malware. Since the leak of Pony Loader’s source code on underground forums at the end of 2013, it has been used in various operations. This module can steal passwords for most popular applications used for protocols such as POP, IMAP, FTP, and SSH. The information stolen by the Pony password stealer module is packaged and sent to the main module’s C2 server using the same protocol as the main module,” continues the post.

The threat actor behind the Stegoloader malware uses steganography to hide executable code inside an image file. The technique is not new, and other bad actors in the wild have exploited it: Miniduke, the Lurk downloader, VawTrak and Zeus are just a few samples of malware that, in different ways, have used the technique.
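Because Stegoloader's payload arrives as a PNG fetched from a legitimate site, a useful first check on the defender's side is whether an image carries more than a decoder actually uses. The following added example (not code from the original post or from Dell SecureWorks) parses the PNG chunk list and flags trailing data after IEND, oversized ancillary chunks and CRC mismatches, and builds its own constructed sample image to scan; it is a structural check only and does not detect payloads encoded in pixel values, which need statistical analysis.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def parse_png_chunks(data):
    """Walk the PNG chunk list. Returns (chunks, offset just past IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        # A CRC mismatch means the chunk was edited without recomputing its checksum
        crc_ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == zlib.crc32(ctype + body)
        chunks.append((ctype.decode("latin-1"), length, crc_ok, pos))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos

def scan_png(data, max_ancillary=4096):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    chunks, end = parse_png_chunks(data)
    findings = []
    if end < len(data):  # decoders stop at IEND, so anything after it is hidden space
        findings.append(f"{len(data) - end} bytes of trailing data after IEND")
    for ctype, length, crc_ok, off in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on {ctype} chunk at offset {off}")
        # Lower-case first letter = ancillary chunk (tEXt, zTXt, ...), ignored by decoders
        if ctype[0].islower() and length > max_ancillary:
            findings.append(f"oversized ancillary chunk {ctype} ({length} bytes)")
    return findings

def build_png(extra_chunks=(), trailer=b""):
    """Constructed sample: a minimal 1x1 RGB PNG, optionally with extra chunks/trailer."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body)))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")           # filter byte + one RGB pixel
    data = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        data += chunk(ctype, body)
    return data + chunk(b"IEND", b"") + trailer
```

On a real file, pass the bytes read from disk to `scan_png`; any finding is a reason to pull the image for closer analysis rather than proof of a payload.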

The experts highlighted that victims were mainly infected by downloading pirated software from third-party sites, rather than through phishing attacks or malicious exploit kits.

“The only infection vector I can confirm is through software piracy tools. I suspect once the attacker gains a foothold on an interesting network, they can deploy additional modules to spread further but I have not been able to find such module,” said senior security researcher Pierre-Marc Bureau.

The Stegoloader malware also implements evasion techniques to hinder investigation by law enforcement and security firms; for example, it checks that its code isn't running in an analysis environment.

It also checks for the presence of common tools used by analysts to examine malware on a system, including Wireshark and Fiddler.

“Before deploying other modules, the malware checks that it is not running in an analysis environment. For example, the deployment module monitors mouse cursor movements by making multiple calls to the GetCursorPos function. If the mouse always changes position, or if it does not change position, the malware terminates without exhibiting any malicious activity,” Dell said.

“In another effort to slow down static analysis, most of the strings found in the binary are constructed on the program stack before being used,” the report said. “This standard malware technique ensures that strings are not stored in clear text inside the malware body but rather are constructed dynamically, complicating detection and analysis.”

The Stegoloader main module is resident in the memory of the infected machine, as explained in the report.

“After the main Stegoloader module is downloaded and decrypted, the deployment module transfers execution to the main module, which resides in a memory area that has been allocated for this purpose. The deployment module is dormant until the main module finishes executing. When the main module terminates, the deployment module sends a last report to its C2 server indicating the main module has finished, and then it also terminates.”

Take a look at the report published by Dell.

Pierluigi Paganini

(Security Affairs – Stegoloader, Dell)
