Stegoloader Malware Hides in Images on Legit Sites

Security researchers have warned that a little-known malware family could spell a new trend emerging in the ongoing cybersecurity arms race: the use of digital steganography to hide malicious code.

Dell SecureWorks revealed its findings in a new report, Stegoloader: A Stealthy Information Stealer.

It details a malware family first identified in 2013, although little discussed in the white hat community.

The malware has been architected with several key features designed to make analysis and detection incredibly difficult – key among these being that it only deploys the modules it needs one by one, limiting exposure to investigators.

So far it has only been observed being distributed through software piracy sites, bundled with license key generators.

Once on a victim’s machine, it will then download its core component, a PNG image containing malicious encrypted code, hosted on a legitimate website.

The malware will download this image each time it runs, using steganography to extract the code from the image, so that it’s never saved to the hard disk. This further complicates detection efforts, according to Dell.
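The report summarised here does not say how Stegoloader embeds its payload in the PNG, so the scanner below (an added example written for this page, not Dell SecureWorks' tooling or the malware's own code) checks a PNG for the simplest hiding spots a defender can triage offline: data appended after the IEND chunk, non-standard chunk types, and the entropy of the pixel least-significant-bit plane, where encrypted data shows up as a near-random bit plane. `make_png` builds a constructed 8-bit RGB test image; the scanner assumes a non-interlaced 8-bit RGB or RGBA image.

```python
import struct, zlib
from math import log2

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN = set(b"IHDR PLTE IDAT IEND tRNS cHRM gAMA iCCP sBIT sRGB tEXt zTXt iTXt bKGD hIST pHYs sPLT tIME".split())

def unfilter(raw, width, height, bpp):
    """Reverse PNG scanline filters 0-4 for 8-bit, non-interlaced images; returns raw pixel bytes."""
    stride, prev, out = width * bpp, bytearray(width * bpp), bytearray()
    for r in range(height):
        ftype, line = raw[r * (stride + 1)], bytearray(raw[r * (stride + 1) + 1:(r + 1) * (stride + 1)])
        for i in range(stride):
            a, b, c = (line[i - bpp] if i >= bpp else 0), prev[i], (prev[i - bpp] if i >= bpp else 0)
            p = a + b - c
            paeth = a if abs(p - a) <= min(abs(p - b), abs(p - c)) else (b if abs(p - b) <= abs(p - c) else c)
            line[i] = (line[i] + (0, a, b, (a + b) // 2, paeth)[ftype]) & 0xFF
        out += line
        prev = line
    return bytes(out)

def make_png(width, height, pixels, trailer=b""):
    """Write an 8-bit RGB PNG with filter type 0 on every row (constructed test data, not a real sample)."""
    chunk = lambda t, b: struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))
    raw = b"".join(b"\x00" + pixels[r * width * 3:(r + 1) * width * 3] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"") + trailer

def scan_png(data):
    """Return (container findings, LSB-plane entropy in bits); entropy is None for unsupported formats."""
    findings, idat, hdr, pos, ctype = [], b"", None, len(PNG_SIG), None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype not in KNOWN:
            findings.append(f"non-standard chunk {ctype.decode('latin-1')} ({length} bytes)")
        if ctype == b"IHDR":
            hdr = struct.unpack(">IIBB", body[:10])  # width, height, bit depth, colour type
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length
        if ctype == b"IEND": break
    if ctype == b"IEND" and pos < len(data):
        findings.append(f"{len(data) - pos} bytes appended after IEND")
    bpp = {2: 3, 6: 4}.get(hdr[3], 0) if hdr and hdr[2] == 8 else 0  # 8-bit RGB / RGBA only
    if not bpp: return findings, None
    pixels = unfilter(zlib.decompress(idat), hdr[0], hdr[1], bpp)
    ones = sum(v & 1 for v in pixels) / len(pixels)  # share of 1-bits in the LSB plane
    h = 0.0 if ones in (0.0, 1.0) else -(ones * log2(ones) + (1 - ones) * log2(1 - ones))
    return findings, round(h, 3)  # close to 1.0 means the LSB plane looks random
```

Natural photographs often have a near-random LSB plane of their own, so treat the entropy value as one signal alongside the container findings and the behavioural tell the report describes: an image fetched from the same URL every time the malware runs.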

Stegoloader will then collect information about the victim’s machine and send it back to the C&C server. If the target looks promising, the hacker will then work out an attack plan and steal sensitive information from the machine.

The malware’s modules include one that obtains the machine’s IP address to check its geographic location; one that sends a list of recently opened documents to the attacker; and one that collects passwords for popular apps.

Perhaps the most interesting is a module designed to steal registration data and installation keys related to the IDA reverse engineering tool.

There could be yet more modules offering additional functionality, which researchers have yet to discover, Dell SecureWorks claimed.

“Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities,” it added.

“Stegoloader is the third malware family that CTU researchers have observed using digital steganography. This technique might be a new trend because malware authors need to adapt to improved detection mechanisms.”