Click Fraud Malware Found Lurking Inside Image Files

Researchers have discovered click fraud malware designed to “hide in plain sight” and evade traditional security tools by embedding data into an image file.

Lurk is a downloader which uses digital steganography – the art of hiding information in images, audio or video files, according to a Dell SecureWorks Counter Threat Unit (CTU) Threat Intelligence paper by Brett Stone-Gross.

“Lurk specifically uses an algorithm that can embed encrypted URLs into an image file by inconspicuously manipulating individual pixels. The resulting image contains additional data that is virtually invisible to an observer,” he wrote.

“It is unlikely that existing IPS/IDS devices could detect data that is concealed with digital steganography. As a result, Lurk may be able to evade network defenses and hide in plain sight.”
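The pixel-level embedding Stone-Gross describes is, in its simplest form, least-significant-bit (LSB) steganography: each 8-bit colour channel donates its lowest bit, so the cover changes by at most one level per channel. The following is an added example written for this article, not Lurk's code and not from the CTU paper; it hides a constructed payload (a plain-text stand-in for the encrypted URL Lurk would carry) in a constructed 64x64 RGB pixel list, then recovers it. The image size, the length-prefixed frame format and the payload bytes are all assumptions for illustration; a real sample would be read from an image file with a library such as Pillow.

```python
import random

# Constructed cover image: 64x64 RGB pixels from a seeded PRNG (assumption:
# a real image would be loaded with a library such as Pillow instead).
WIDTH, HEIGHT = 64, 64
_rng = random.Random(7)
COVER = [tuple(_rng.randrange(256) for _ in range(3)) for _ in range(WIDTH * HEIGHT)]

# Constructed payload standing in for the encrypted URL Lurk would carry.
PAYLOAD = b"hxxp://example.invalid/payload.dll"


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Return a copy of pixels with payload hidden in the channel LSBs.

    The frame is a 4-byte big-endian length followed by the payload, so the
    extractor knows how many bits to read (frame format is an assumption).
    """
    frame = len(payload).to_bytes(4, "big") + payload
    channels = [c for px in pixels for c in px]
    bits = list(_bits(frame))
    if len(bits) > len(channels):
        raise ValueError("cover image too small for payload")
    for i, bit in enumerate(bits):
        channels[i] = (channels[i] & 0xFE) | bit   # overwrite only the LSB
    return [tuple(channels[i:i + 3]) for i in range(0, len(channels), 3)]


def extract(pixels):
    """Recover the hidden payload by reading channel LSBs in the same order."""
    channels = [c for px in pixels for c in px]

    def read_bytes(count, bit_offset):
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (channels[bit_offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(4, 0), "big")
    if 32 + length * 8 > len(channels):
        raise ValueError("length header exceeds image capacity")
    return read_bytes(length, 32)


def max_channel_delta(a, b):
    """Largest per-channel change between two images; LSB embedding gives 1."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    print(extract(stego))
    print("max channel delta:", max_channel_delta(COVER, stego))
```

A per-channel change of 1 in 256 levels is why the result is visually indistinguishable from the cover and why signature-based IDS/IPS sees only a valid image. The caveat for defenders is that LSB embedding alters the statistical distribution of the low bits, so steganalysis tools that compare LSB statistics against what natural images exhibit can still flag suspicious files, even though network signatures cannot.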

Lurk consists of two parts – a dropper DLL and a payload DLL – with the former’s main job being to extract and load the latter, he added.

Once the main payload DLL executes, it checks the victim computer for 52 different security products and apparently won’t install if it discovers one of 21 specific products.

“Steganography can make it exceedingly difficult to detect the presence of hidden information such as a configuration file, binary update, or bot command, especially in digital files,” concluded Stone-Gross.

“As a result, the use of steganography in malware may become more prevalent in the future.”

In related news, Dell SecureWorks researchers Pat Litke and Joe Stewart also released a paper last week to coincide with Black Hat in Las Vegas.

It details how hackers managed to hijack networks run by Amazon, Digital Ocean, OVH and others between February and May this year in order to commit cryptocurrency fraud.

In total, the CTU team discovered 51 compromised networks from 19 different ISPs.

“The hijacker redirected cryptocurrency miners' connections to a hijacker-controlled mining pool and collected the miners' profit, earning an estimated $83,000 in slightly more than four months,” they said.

The attackers used bogus BGP route announcements to redirect traffic to their servers. However, the “overall threat is minimal”, according to CTU.

“ISPs should opt-in to the Resource Public Key Infrastructure (RPKI) service, which leverages the power of encryption to ensure that IP prefixes belonging to an ISP can only originate from specified ASNs,” they advised.
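What RPKI gives a router is route origin validation (RFC 6811): each announced prefix is checked against signed Route Origin Authorisations (ROAs) that say which AS may originate it and down to what prefix length. The following is an added example, not CTU's code and not a real validator; it shows only the comparison step a router performs against an already-validated ROA cache (the signature checking that produces that cache is not reproduced). The ROAs and AS numbers are constructed from documentation ranges and are assumptions for illustration.

```python
import ipaddress


class ROA:
    """One Route Origin Authorisation: asn may originate prefix, and any
    more-specific of it down to max_length (constructed, not a real ROA)."""

    def __init__(self, prefix, max_length, asn):
        self.prefix = ipaddress.ip_network(prefix)
        self.max_length = max_length
        self.asn = asn


# Constructed ROA cache standing in for what an RPKI validator feeds the
# router (assumption: documentation prefixes and private AS numbers).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation.

    Returns "valid", "invalid" or "not-found" for an announcement of prefix
    with the given origin AS, evaluated against the ROA set.
    """
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == announced.version
                and announced.subnet_of(r.prefix)]
    if not covering:
        return "not-found"          # no ROA covers this space at all
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


if __name__ == "__main__":
    # Legitimate announcement.
    print(validate_origin("203.0.113.0/24", 64500))      # valid
    # Hijack: same prefix announced from a different origin AS.
    print(validate_origin("203.0.113.0/24", 64666))      # invalid
    # Hijack: more-specific announced even by the right AS past max_length.
    print(validate_origin("203.0.113.0/25", 64500))      # invalid
    # Unsigned space: ROV cannot help here.
    print(validate_origin("198.51.100.0/24", 64666))     # not-found
```

The last case is the practical limit of the advice: origin validation only protects prefixes whose holders have published ROAs, and only on networks whose routers are configured to drop "invalid" routes. It also says nothing about the AS path, so an attacker who forges the legitimate origin AS at the end of the path is not caught by ROV alone.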

“From a cryptocurrency perspective, the easiest option for pool servers is to require miners to use the Secure Socket Layer (SSL) protocol. Miners should also implement server certificate validation.”
