Stegoloader, a stealthy Information Stealer that exploits steganography

The authors of the Stegoloader malware are exploiting digital steganography to keep its information-stealing activity under the radar and avoid detection.

Malware authors are prolific professionals, always searching for techniques that allow them to hide their malicious code from detection. This week security researchers at Dell SecureWorks described a new strain of malware, dubbed Stegoloader, that exploits steganography as an evasion technique. Once the victim's machine is infected, a dedicated deployment module downloads from a legitimate website a PNG file that has the malicious code hidden inside it, extracts that code and runs it.

“Malware authors are evolving their techniques to evade network and host-based detection mechanisms. Stegoloader could represent an emerging trend in malware: the use of digital steganography to hide malicious code. The Stegoloader malware family (also known as Win32/Gatak.DR and TSPY_GATAK.GTK despite not sharing any similarities with the Gataka banking trojan) was first identified at the end of 2013 and has attracted little public attention” states the post published by the Dell SecureWorks Counter Threat Unit.

The experts at Dell confirmed that the malware was used as a data stealer to compromise systems of companies operating in various industries, including healthcare, education, and manufacturing.

The Stegoloader malware is used by threat actors to steal system information and to load additional components that gather information on the targeted machine, including recently opened documents, browser history, the list of installed programs, and installation files for the IDA development and analysis platform.

Stegoloader commands

The experts also noticed that the malware drops the Pony password-stealing malware, which is used to steal passwords for the most popular applications using protocols such as POP, IMAP, FTP, and SSH.

“Stegoloader’s Pony password stealer module is a copy of the Pony Loader information stealing malware. Since the leak of Pony Loader’s source code on underground forums at the end of 2013, it has been used in various operations. This module can steal passwords for most popular applications used for protocols such as POP, IMAP, FTP, and SSH. The information stolen by the Pony password stealer module is packaged and sent to the main module’s C2 server using the same protocol as the main module.” continue the post.

The threat actor behind Stegoloader uses steganography to hide executable code inside an image file. The technique is not new; other bad actors in the wild have exploited it. Miniduke, the Lurk downloader, Vawtrak and Zeus are just a few examples of malware families that used it in different ways.
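The "download a PNG from a legitimate site and pull the code out of it" step described above, as an added example that is not Dell SecureWorks' or the malware's code: a minimal PNG writer and reader, an LSB embedder and extractor, a keystream standing in for the loader's decryption step, and a crude detector that scores the image's LSB plane. The one-bit-per-colour-byte layout, the 4-byte length prefix, the SHA-256 counter-mode keystream, the block-colour carrier and the "module" bytes are all constructed assumptions; the article does not describe Stegoloader's actual encoding.

```python
"""Stegoloader-style PNG carrier: hide a blob, extract it, and score the LSB plane.
Added example, not Dell SecureWorks' or the malware's code; the LSB layout, length
prefix and SHA-256 keystream are illustrative assumptions (the article gives no format)."""
import hashlib, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_encode(width, height, rgb):
    """Minimal 8-bit RGB PNG writer: filter type 0 on every row, one IDAT chunk."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def png_decode(data):
    """Walk the chunks back to raw RGB bytes; rejects anything png_encode would not emit."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB supported")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length  # length field + tag + data + CRC
    raw, stride = zlib.decompress(idat), width * 3 + 1
    rows = [raw[y * stride:(y + 1) * stride] for y in range(height)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("only filter type 0 supported")
    return width, height, b"".join(r[1:] for r in rows)

def keystream(key, n):  # SHA-256 in counter mode: stand-in for the loader's real cipher
    return b"".join(hashlib.sha256(key + struct.pack(">I", c)).digest() for c in range(n // 32 + 1))[:n]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def lsb_embed(rgb, payload):
    """Write len(payload) || payload, MSB first, one bit into the LSB of each colour byte."""
    msg = struct.pack(">I", len(payload)) + payload
    if len(msg) * 8 > len(rgb):
        raise ValueError("carrier too small")
    out = bytearray(rgb)
    for i, bit in enumerate("".join(f"{byte:08b}" for byte in msg)):
        out[i] = (out[i] & 0xFE) | int(bit)
    return bytes(out)

def lsb_extract(rgb):
    """Inverse of lsb_embed; refuses a length prefix the carrier cannot hold."""
    bits = "".join(str(v & 1) for v in rgb)
    read = lambda start, n: bytes(int(bits[i * 8:(i + 1) * 8], 2) for i in range(start, start + n))
    n = struct.unpack(">I", read(0, 4))[0]
    if n > len(rgb) // 8 - 4:
        raise ValueError("length prefix exceeds carrier; not a valid payload")
    return read(4, n)

def lsb_transition_rate(rgb, window=1024):
    """Crude detector: share of colour bytes whose LSB differs from the same channel in
    the next pixel, maximised over fixed windows. Flat artwork ~0, ciphertext ~0.5."""
    best = 0.0
    for start in range(0, len(rgb) - window, window):
        hits = sum((rgb[i] ^ rgb[i + 3]) & 1 for i in range(start, start + window - 3))
        best = max(best, hits / (window - 3))
    return best

def make_carrier(width=64, height=64, block=8):
    """Constructed carrier of flat 8x8 colour blocks (a logo-like image); not a real file."""
    px = bytearray()
    for y in range(height):
        for x in range(width):
            bx, by = x // block, y // block
            px += bytes(((bx * 53) & 0xFF, (by * 97) & 0xFF, ((bx + by) * 31) & 0xFF))
    return bytes(px)

def recover_module(png_bytes, key):
    """Loader side: decode the PNG fetched from the legitimate site, pull LSBs, decrypt."""
    _, _, rgb = png_decode(png_bytes)
    blob = lsb_extract(rgb)
    return xor_bytes(blob, keystream(key, len(blob)))

def demo(key=b"demo-key"):
    """Attacker side then loader side; returns (round_trip_ok, clean_score, stego_score)."""
    carrier = make_carrier()
    module = b"constructed stand-in for the main module blob " * 7  # not real code
    stego = lsb_embed(carrier, xor_bytes(module, keystream(key, len(module))))
    png = png_encode(64, 64, stego)
    return recover_module(png, key) == module, lsb_transition_rate(carrier), lsb_transition_rate(stego)
```

Calling demo() returns a successful round trip, a score of roughly 0.08 for the clean carrier and roughly 0.5 for the carrier holding ciphertext: on flat artwork the LSB plane is almost free of noise, so a random-looking LSB stream stands out, which is why attackers prefer busy photographic carriers whose LSB plane is already noisy. Two design points carry over to real tooling: png_decode refuses colour types and filters it does not handle instead of guessing, since image parsers that "just try" on attacker-supplied input are a classic bug source, and lsb_extract validates the length prefix against the carrier size before it trusts it.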

The experts highlighted that victims were mainly infected by downloading pirated software from third-party sites, rather than through phishing attacks or malicious exploit kits.

“The only infection vector I can confirm is through software piracy tools. I suspect once the attacker gains a foothold on an interesting network, they can deploy additional modules to spread further but I have not been able to find such module,” said senior security researcher Pierre-Marc Bureau.

The Stegoloader malware also implements evasion techniques to hinder investigation by law enforcement and security firms; for example, it checks that its code is not running in an analysis environment.

It also checks for the presence of common tools used by malware analysts, including Wireshark and Fiddler.

“Before deploying other modules, the malware checks that it is not running in an analysis environment. For example, the deployment module monitors mouse cursor movements by making multiple calls to the GetCursorPos function. If the mouse always changes position, or if it does not change position, the malware terminates without exhibiting any malicious activity,” Dell said.
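The cursor-movement gate in the quote above, re-implemented as an added example (not Stegoloader's code) over a list of (x, y) samples instead of live GetCursorPos polling, so the decision logic can be exercised anywhere. The process-name check and the sandbox-side sample generator are the editor's illustrative additions; the tool list holds only the two names the article mentions, and the ".exe" process names, sample counts and pause probability are assumptions.

```python
"""Cursor-movement gate from the quoted passage, re-implemented over a list of (x, y)
samples instead of live GetCursorPos polling so it runs anywhere. Added example, not
Stegoloader's code; the process-name check and the sandbox-side generator are the
editor's illustrative additions, and the tool list is just the two names the article gives."""
import random

ANALYSIS_TOOLS = {"wireshark.exe", "fiddler.exe"}  # assumed process names for the tools named above

def cursor_verdict(samples):
    """Apply the quoted rule to consecutive cursor samples.
    'frozen'   - cursor never moved (idle sandbox VM): the malware would terminate
    'jittered' - cursor moved on every poll (naive mouse simulator): also terminate
    'human'    - a mix of moves and pauses: deployment proceeds"""
    moves = sum(1 for a, b in zip(samples, samples[1:]) if a != b)
    if moves == 0:
        return "frozen"
    if moves == len(samples) - 1:
        return "jittered"
    return "human"

def analysis_tools_present(process_names):
    """Names from a process listing that match the analysis tools the malware looks for."""
    return sorted({p.lower() for p in process_names} & ANALYSIS_TOOLS)

def should_deploy(samples, process_names):
    """The deployment module's combined decision: only unpack the main module if both pass."""
    return cursor_verdict(samples) == "human" and not analysis_tools_present(process_names)

def human_like_cursor(n, seed=0, pause_prob=0.4):
    """Sandbox countermeasure: cursor samples with pauses mixed into the movement, so
    neither branch of the rule fires. Seeded so that a run is reproducible."""
    rng = random.Random(seed)
    x, y, out = 400, 300, []
    for _ in range(n):
        if rng.random() > pause_prob:          # otherwise hold position this poll
            x += rng.randint(-25, 25)
            y += rng.randint(-25, 25)
        out.append((x, y))
    return out
```

The point for sandbox operators is the second branch: a mouse jiggler that moves the cursor on every poll is as much of a tell as a cursor that never moves, so simulated input has to include idle gaps. The process check is a plain name match, which is why renaming the analysis tool's binary is often enough to get past this class of check.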

“In another effort to slow down static analysis, most of the strings found in the binary are constructed on the program stack before being used,” the report said. “This standard malware technique ensures that strings are not stored in clear text inside the malware body but rather are constructed dynamically, complicating detection and analysis.”

The Stegoloader main module executes entirely from memory on the infected machine, as explained in the report.

“After the main Stegoloader module is downloaded and decrypted, the deployment module transfers execution to the main module, which resides in a memory area that has been allocated for this purpose. The deployment module is dormant until the main module finishes executing. When the main module terminates, the deployment module sends a last report to its C2 server indicating the main module has finished, and then it also terminates.”

Take a look at the report published by Dell SecureWorks.

Pierluigi Paganini

(Security Affairs – Stegoloader, Dell)