A couple of weeks ago, the security researchers at Dell SecureWorks discovered a new strain of malware dubbed Stegoloader, that exploits steganography as an evasion technique. Once infected the victim’s machine, a specific loader module loads a PNG file that contains the malicious code from a legitimate website.
Stegoloader, which is active since 2012, was used to compromise systems of companies operating in various industries, including healthcare, education, and manufacturing.
“Looking at recent victims of the Stegoloader malware, we observed that majority of the infected machines counted for the last three months came from the United States (66.82%), followed by Chile (9.10%), Malaysia (3.32%), Norway (2.09%), and France (1.71%).” states a report from Trend Micro.
The experts speculate that Stegoloader could be a powerful weapon in the arsenal of hackers that are targeting healthcare organizations with the intent to compromise medical records.
“The reemergence of TROJ_GATAK and its apparent focus on certain regions and industries show that cybercriminals continually experiment with the creative uses of steganography for spreading threats.” continues the post.
The experts discovered several strains of the Stogoloader over the time, the malware is evolved across the months, but the routines from variants of past years remain the same.
The experts highlighted that victims were mainly infected by downloading key generators or keygens from third-party sites instead phishing attacks or by using malicious exploit kits.
Once downloaded, it poses as a legitimate file related to Skype or Google Talk and downloads the photo containing its routines.
The Stegoloader malware implements various evasion techniques to avoid investigation from law enforcement and security firms, it checks for example that its code isn’t running in an analysis environment.
Below the SHA1 hashes related to the Stegoloader malware:
TROJ_GATAK.SMJV
bce6a9368f7b90caae295f1a3f4d3b55198be2e2
b8db99cf9c646bad027b34a66bb74b8b0bee295a
d5d0a9ecf1601e9e50eef6b2ad25c57b56419cd1
TROJ_GATAK.SMN
2d979739fbf4253c601aed4c92f6872885f73f77
11f25bee63a5493f5364e9578fa8db9ed4c4b9c9
(Security Affairs – Stegoloader, healthcare)