Stegoloader Malware Uses Malicious Code From Images To Steal Data

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Follow on: Google +

Dell SecureWorks describes hard to detect Stegoloader as ‘wolf in sheeps clothing’

Researchers have detailed a relatively unknown family of ‘modular’ malware which hides malicious code in image files to steal sensitive information such as passwords, location and document history.

This practice is known as ‘digital steganography’, and allows the Stegoloader family of malware to avoid detection using regular security tools.

Dell’s SecureWorks Counter Threat Unit (CTU) says the malware has been active since at least 2013 and has been distributed through pirated software and software licence key generators. Once active, the software downloads a PNG image from a legitimate website and extracts the hidden code to perform its main module.

Stegoloader malware

mona lisaSo far modules obtaining public IP addresses, recently accessed documents, public IP addresses, website history, passwords and installation files have been discovered. This modular design limits exposure if the malware is detected and makes it difficult to determine the attacker’s true motives.

Operators have so far mainly targeted systems in the healthcare, education and manufacturing industries, and it has been suggested some attacks might harvest personal data which could be to steal more information in the future.

Stegoloader is capable of avoiding host-based and network-based detection, a situation compounded by the fact that at no point is the malware ever saved to the hard disk, with all executions taking place in memory. Such behaviour has previously been observed in the Lurk and Neverquest malware families.

“Stegoloader is stealthy in many aspects; it evades analysis tools and deploys only necessary modules, without writing them to disk,” said the researchers. “There are likely more Stegoloader modules than CTU researchers have observed, possibly used by threat actors to ensure persistence or to gain access to additional resources. Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities.”

How well do you know Internet security? Try our quiz and find out!