Stegoloader Malware Hides in Image Files To Steal Data

Dell SecureWorks has discovered what researchers say could represent an emerging trend in malware: the use of digital steganography -- the "art of inconspicuously hiding data within data" -- to hide malicious code.

The Stegoloader malware family first surfaced in 2013 but it didn't make much noise back then. Fast forward two years and there are multiple variants of the malware that Dell said "stealthily steals" information from victim machines.

"Stegoloader's modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis," Dell said in an alert. "This limited exposure makes it difficult to fully assess the threat actors' intent. The modules analyzed by CTU [Counter Threat Unit] researchers list recently accessed documents, enumerate installed programs, list recently visited Web sites, steal passwords, and steal installation files for the IDA tool."

You Get What You Don't Pay For

We asked Kowsik Guruswamy, CTO for cyberthreat protection firm Menlo Security, for his thoughts on the malware. He told us that the recent discovery of Stegoloader exposes several weaknesses in conventional detection-based malware prevention.

"First, note that the initial phase of the attack starts with the Stegoloader deployment module being installed on the user's machine," he noted. "So far, the only reported initial infection vector is when users unwittingly download Stegoloader from sites hosting 'software piracy tools.' Well, we hate to say 'it serves you right' but hey, you get what you don't pay for."

After it's installed on the target machine, the Stegoloader deployment module fetches the PNG image that contains the next phase of the attack. The PNG is hosted on a legitimate site that wouldn't be blocked by a Web security gateway, Guruswamy said.
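To make the steganography step concrete, here is an added example of hiding a second-stage payload in the least significant bits of an image's pixel data and recovering it again. This is illustrative code written for this page, not Stegoloader's own decoder: the article does not document the sample's actual encoding, so the scheme below (one payload bit per colour channel, MSB first, preceded by a 32-bit big-endian length header) is an assumption, and the gradient "carrier" image is constructed inline rather than decoded from a real PNG.

```python
"""Illustrative LSB steganography over a raw RGB pixel buffer.

Added example, not Stegoloader's code. The bit layout (one bit per
channel byte, MSB first, 4-byte big-endian length header) is an assumed
scheme chosen for clarity, and the carrier is a constructed gradient
rather than a decoded PNG.
"""
import struct

HEADER_BYTES = 4


def make_carrier(width: int, height: int) -> bytes:
    """Constructed RGB gradient whose channel LSBs are all zero.

    It stands in for the clean image before any payload is hidden; a
    real carrier would be the pixel buffer of a decoded PNG.
    """
    out = bytearray()
    for y in range(height):
        for x in range(width):
            out.append((x * 4) & 0xFF)          # R: multiple of 4, LSB 0
            out.append((y * 4) & 0xFF)          # G: multiple of 4, LSB 0
            out.append(((x + y) * 2) & 0xFF)    # B: even, LSB 0
    return bytes(out)


def capacity_bytes(pixels: bytes) -> int:
    """Payload bytes the buffer can hold once the length header is paid for."""
    return len(pixels) // 8 - HEADER_BYTES


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Write the framed payload into the LSB of successive channel bytes."""
    framed = struct.pack(">I", len(payload)) + payload
    bits_needed = len(framed) * 8
    if bits_needed > len(pixels):
        raise ValueError(
            f"carrier holds {capacity_bytes(pixels)} bytes, need {len(payload)}"
        )
    out = bytearray(pixels)
    for i in range(bits_needed):
        bit = (framed[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit      # each channel changes by at most 1
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Reverse of embed(): read the length header, then that many bytes."""
    def read_bytes(offset_bits: int, count: int) -> bytes:
        val = bytearray(count)
        for i in range(count * 8):
            val[i >> 3] |= (pixels[offset_bits + i] & 1) << (7 - (i & 7))
        return bytes(val)

    if len(pixels) < HEADER_BYTES * 8:
        raise ValueError("buffer too small to contain a header")
    (length,) = struct.unpack(">I", read_bytes(0, HEADER_BYTES))
    if HEADER_BYTES * 8 + length * 8 > len(pixels):
        raise ValueError("header claims more data than the carrier holds")
    return read_bytes(HEADER_BYTES * 8, length)


def max_channel_delta(clean: bytes, stego: bytes) -> int:
    """Largest per-channel change between the clean and stego buffers.

    Only useful if you hold the original image; a gateway that sees just
    the downloaded PNG has nothing to compare against.
    """
    return max(abs(a - b) for a, b in zip(clean, stego))


if __name__ == "__main__":
    carrier = make_carrier(64, 64)
    payload = b"constructed stage-2 stub"      # stands in for the next stage
    stego = embed(carrier, payload)
    print("capacity:", capacity_bytes(carrier), "bytes")
    print("recovered:", extract(stego))
    print("max channel change:", max_channel_delta(carrier, stego))
```

The point the example makes is the one Guruswamy raises: a stego image is byte-for-byte a valid image whose channel values differ from a clean one by at most 1, so a gateway that only inspects the file format, or a hash of the image, sees a legitimate PNG on a legitimate host. The only reliable check in this scheme is a comparison against the original carrier, which the defender normally does not have; detection therefore has to happen on the endpoint, where the deployment module decodes the pixels and runs the result.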

Menlo's State of the Web 2015: Vulnerability Report revealed 20 percent...
