Trojan uses steganography to hide itself in image files

“The Dell SecureWorks CTU research team has recently analyzed a piece of malware that uses digital steganography to hide part of its malicious code.

Stegoloader, as they dubbed it, is not technically new. Previous versions of the malware have been spotted in 2013 and 2014, bundled with tools used to crack or generate software keys.

The researchers didn’t share how the initial deployment module of the malware arrives on victims’ computers this time around, but noted that it has not been observed being used with exploits or spearphishing, or in other targeted attacks. Also, that it has affected multiple verticals, including healthcare, education, and manufacturing.

Stegoloader’s main reason of being is to steal information from users, but it has a modular design, and the researchers themselves say that they might not have yet seen and analyzed all of its modules.

“Stegoloader’s modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis. This limited exposure makes it difficult to fully assess the threat actors’ intent,” they explained.

The malware’s deployment module downloads and launches the main module, but not before attempting to make sure it does not find itself in an environment that’s used by malware analysts. In order to do that, it lists the running processes on the system and looks for a number of popular security products or reverse-engineering tools:

Only if it doesn’t find any of them it downloads the main module, which is hidden in a generic PNG image located on a legitimate hosting website.

“After downloading the image, Stegoloader uses the gdiplus library to decompress the image, access each pixel, and extract the least significant bit from the color of each pixel. The extracted data stream is decrypted using the RC4 algorithm and a hard-coded key,” the researchers explained. “Neither the PNG image nor the decrypted code is saved to disk, making the malware difficult to find via traditional disk-based signature analysis.”

The main module’s communication with its C&C server is encrypted. The malicious operator cand instruct the module to do a number of things such as collect information about the system, software, browser history and send it all to the C&C server, but also to “kill” itself and executed shellcode.

The additional modules that have been analyzed allow the malware to steal installed instances of the IDA (disassembler) software, list recently opened documents, discover the geographic location of the computer (i.e. its IP address), and steal passwords for popular applications used for protocols such as POP, IMAP, FTP, and SSH.

Stegoloader is not the first malware to use steganography to hide malicious code or information such as the address of the malware’s backup C&C, but the researchers note that it could represent an emerging trend in malware.

And they just might be right. In fact, as researcher Saumil Shah recently demonstrated at the Hack in the Box conference, it’s possible to insert both malicious code and exploit code that will trigger it into an image, and this type of delivery mechanism is still undetectable by current defensive solutions.”