Stealthy Stegoloader Trojan in US Healthcare Blitz

Recently discovered malware which uses digital steganography to hide itself in .PNG files has been overwhelmingly targeted at US healthcare providers, according to Trend Micro.

The internet security giant studied the location of infected machines and the organizational type of victims of the Stegoloader trojan over the past three months.

Some 67% came from the US, followed by Chile (9%), Malaysia (3%), Norway (2%) and France (2%), it revealed in a blog post.

Healthcare organizations accounted for 43%, significantly more than the next most popular target of financial institutions (13%), manufacturing (9%) and oil and gas (3%).

Tellingly, all of the healthcare firms targeted came from the US, although the malware has yet to be observed in such an attack, Trend Micro threat response engineer, Homer Pacag, claimed.

The payload for three variants of the malware discovered thus far - TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP – is currently under analysis by the firm.

However, all three versions are downloaded by victims from piracy sites who think it’s a key generator.

“Once downloaded, it poses as a legitimate file related to Skype or Google Talk,” Pacag explained. “It eventually downloads the stock photo where a huge part of its routines is embedded.”

Stegoloader has been architected with several features designed to make it difficult to detect.

It has anti-VM and anti-emulation capabilities which help it avoid analysis by white hat tools, and it only deploys the modules it needs one by one, limiting exposure to investigators.

Healthcare organizations in the US have become a popular target for hackers of late.

A targeted attack against the nation’s second largest provider, Anthem, was discovered back in February – potentially exposing as many as 80 million records.

A month later, Premera Blue Cross was revealed to have suffered the same fate, possibly affecting around 11 million patients.

Some have claimed that the two attacks were carried out by the same state-sponsored operatives which targeted the OPM recently.

In a bid to encourage more effective third party risk management in the industry, the Heath Information Trust Alliance (HITRUST) announced last Friday an expansion of the use of the CSF Assurance program.

The program was designed to help healthcare organizations better evaluate and communicate their information privacy and security posture.

What’s Hot on Infosecurity Magazine?