Stopping the Evasive Stegoloader Malware

Updated July 8, 2015

The Stegoloader malware family was first identified at the end of 2013 but appears to have been active since 2012. This stealthy and opportunistic information-stealing malware uses digital steganography[1]: a core component of the malware is hidden inside a Portable Network Graphics (PNG) image hosted on a legitimate website, so the download itself looks like an ordinary image. When Stegoloader executes, it fetches that image and extracts the hidden code from the pixel data.

What Is Stegoloader?

Stegoloader uses several techniques to evade detection, defeat analysis tools and stay hidden. It has a modular design: the attacker deploys only the modules a given infection needs, so a researcher analyzing one sample sees only the modules that were delivered to it. This makes it hard to enumerate the malware's full capabilities, slows reverse engineering and, as a result, makes it difficult to assess the attacker's intent.

The first module to run is the deployment module, which downloads the main module and then launches it. The main module's code is hidden inside a PNG image fetched from a legitimate website; the deployment module pulls the image into memory, extracts and decrypts the code, and executes it there. The main module has no persistence mechanism, and neither the PNG image nor the decrypted code is ever written to disk, so traditional file-based, signature-driven antivirus has nothing to scan.
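To make concrete what "hiding code in a PNG and extracting it" involves, here is an added example in Python. It is not Stegoloader's code and not from the original article: it writes a minimal PNG, hides a payload in the least significant bit (LSB) of each pixel byte behind a 32-bit length prefix, parses the PNG back and recovers the payload. The LSB scheme, the length prefix, the gradient cover image and the `PAYLOAD` bytes are all assumptions constructed for illustration; the article does not describe Stegoloader's actual encoding or the cipher that protects the module.

```python
import struct
import zlib

# Added example, not Stegoloader's code. The encoding scheme (one payload bit
# per pixel-byte LSB, 32-bit big-endian length prefix) is an assumption chosen
# for illustration; the article does not describe the real scheme.

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, tag, data, CRC32 over tag + data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Serialize row-major 8-bit RGB bytes as a PNG (filter type 0 on every row)."""
    assert len(rgb) == width * height * 3
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit depth, RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(png: bytes):
    """Parse an 8-bit RGB, filter-0 PNG; return (width, height, rgb bytes)."""
    assert png[:8] == PNG_SIG, "not a PNG"
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            assert (depth, ctype) == (8, 2), "only 8-bit RGB supported"
        elif tag == b"IDAT":
            idat += data  # all IDAT chunks concatenate into one zlib stream
        pos += 12 + length  # length + tag + data + crc
    raw, stride, rgb = zlib.decompress(idat), width * 3, bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        assert row[0] == 0, "only filter type 0 supported"
        rgb += row[1:]
    return width, height, bytes(rgb)


def lsb_embed(rgb: bytes, payload: bytes) -> bytes:
    """Hide a 32-bit length prefix + payload in the LSB of successive pixel bytes."""
    bits = struct.pack(">I", len(payload)) + payload
    if len(bits) * 8 > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i, byte in enumerate(bits):
        for b in range(8):
            out[i * 8 + b] = (out[i * 8 + b] & 0xFE) | ((byte >> (7 - b)) & 1)
    return bytes(out)


def lsb_extract(rgb: bytes) -> bytes:
    """Inverse of lsb_embed: recover the length prefix, then that many bytes."""
    def read(start: int, n: int) -> bytes:
        vals = bytearray()
        for i in range(n):
            v = 0
            for b in range(8):
                v = (v << 1) | (rgb[(start + i) * 8 + b] & 1)
            vals.append(v)
        return bytes(vals)
    (n,) = struct.unpack(">I", read(0, 4))
    if (4 + n) * 8 > len(rgb):
        raise ValueError("length prefix exceeds image capacity")
    return read(4, n)


def make_cover(width: int, height: int) -> bytes:
    """Constructed cover image: a colour gradient standing in for a real photo."""
    return bytes(((x * 4) & 0xFF, (y * 5) & 0xFF, 0x80)[c]
                 for y in range(height) for x in range(width) for c in range(3))


# Constructed stand-in for the encrypted main-module code.
PAYLOAD = b"\xde\xad\xbe\xef" + bytes(range(64))


def demo(width: int = 64, height: int = 48) -> bytes:
    """Round trip: embed PAYLOAD, serialize to PNG, parse it back, extract."""
    stego_png = write_png(width, height, lsb_embed(make_cover(width, height), PAYLOAD))
    _, _, pixels = read_png(stego_png)
    return lsb_extract(pixels)


if __name__ == "__main__":
    print(demo() == PAYLOAD)
```

The stego image differs from the cover by at most one unit per colour channel, which is invisible to the eye, and the file is a perfectly valid PNG served from a legitimate host, so neither a file-hash blocklist nor a URL reputation check catches the download. Detection has to key on the downloader's behaviour: a process that fetches an image, never writes anything to disk and then executes code from memory.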

The malware halts execution of its main code if it detects analysis or security tools on the compromised system. Before running, it checks for mouse movement: a machine whose cursor never moves is most likely an automated sandbox rather than a real user's desktop, so the malware simply stops and the sandbox records nothing of interest (a caveat for sandbox operators: without simulated user input, the sample never detonates). It also enumerates running processes, looking for security products and reverse-engineering tools, and can terminate those it finds. Finally, its strings are constructed dynamically at run time rather than stored in the clear, which defeats simple string-based signatures and slows static analysis.

How to Fight Stegoloader Malware

Stegoloader is stealthy on several fronts: it evades analysis tools, deploys only the modules it needs and never writes them to disk, so discovery and mitigation are hard. Defending against malware of this type calls for advanced malware protection and mitigation: integrated, multilayered defenses spanning prevention, detection and response that break the threat life cycle and provide continuous protection.

Unlike signature-based antivirus solutions, this approach does not need a signature of the malicious file to identify the threat. In fact, no prior knowledge of the threat is needed: there is no need to know how it operates, which command-and-control (C&C) servers it tries to reach or which components are involved. Instead, it disrupts the mechanism that Stegoloader and other malware use to download modules and blocks their subsequent execution.

Because it does not depend on prior knowledge of the threat, advanced malware protection and mitigation can be effective against zero-day threats as well as evasive malware that attempts to bypass existing security controls. With that, it addresses a critical gap in today's cyber defenses, helping organizations better protect against advanced threats, targeted attacks and APTs.

Update: North American Healthcare is Hit the Hardest by the Stegoloader Trojan

A new report from Trend Micro finds a large number of machines infected with the evasive Stegoloader Trojan at North American healthcare organizations. According to the report, the majority of infected machines observed over the last three months were in the United States (66.82%), and 42.65% of all infected machines belonged to US healthcare organizations. The report also notes that its researchers are looking into how cybercriminals could use this in organized attacks: “Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future.”

Healthcare organizations in North America have become a popular target for hackers recently. Back in February, we learned that Anthem, the second-largest health insurer in the US, was the target of a major cyberattack. The health insurer said the attack may have exposed 80 million records of customers and employees, containing sensitive information such as social security numbers, birthdates, addresses, phone numbers, email addresses and member IDs. A month later, we learned of another attack, this time targeting Premera Blue Cross. According to reports, the hackers may have taken up to 11 million customer records.

In a private notice sent last year, the FBI reportedly warned healthcare providers that their cybersecurity is lax compared with other sectors, making them vulnerable to hackers seeking Americans' personal medical records and health insurance data. Some believe healthcare data can be worth 10 times more than credit card information on the black market. According to researchers at Dell SecureWorks, cybercriminals can get $20 for health insurance credentials on some underground markets, compared with $1 to $2 for U.S. credit card numbers.

Stopping the Evasive Stegoloader Malware

As mentioned above, organizations can help stop the Stegoloader Trojan with IBM's advanced malware protection and mitigation. This defense approach combines integrated, multilayered defenses spanning prevention, detection and response in order to break the threat life cycle and help provide continuous protection.



[1] The word steganography combines the Greek words steganos (στεγανός), meaning “covered, concealed or protected,” and graphein (γράφειν), meaning “writing.”

Dana Tamir

Director of Enterprise Security at Trusteer, an IBM Company

Dana Tamir is Director of Enterprise Security at Trusteer, an IBM Company. In her role she leads activities related to enterprise advanced threat protection solutions. With over a decade of real-world expertise in the security industry, she routinely delivers advanced threat and security-related presentations, blogs, articles, white papers and webcasts. Prior to joining Trusteer, Dana held various roles at leading security companies including Imperva, Symantec, Bindview and Amdocs. Dana holds an engineering degree from the Technion – Israel Institute of Technology, in addition to a number of industry and vendor certifications.