Updated July 8, 2015

The Stegoloader malware family was first identified at the end of 2013 but appears to have been active since 2012. This stealthy and opportunistic information-stealing malware uses digital steganography[1], hiding a core component of the malware within a portable network graphic (PNG) hosted on a legitimate site. As Stegoloader executes, it downloads that core component and then uses digital steganography to extract the code from the image.

What Is Stegoloader?

Stegoloader uses a few sophisticated techniques that allow it to evade detection, circumvent analysis tools and remain stealthy. For example, it has a modular design that allows the attacker to deploy different modules as necessary. The malware’s use of modules limits malware researchers’ ability to expose its capabilities and makes investigation and reverse engineering extremely difficult. As a result, it’s difficult to fully assess the attacker’s intent.

The first malware module to operate is the deployment module, which is responsible for the malware download, followed by the launch of the main module. The main module’s code is hidden inside a PNG image downloaded from a legitimate website. This module does not have persistence. Neither the PNG image it downloads nor the decrypted code is saved to disk, making the malware difficult to find via traditional signature-based antivirus solutions.
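A defender who cannot rely on a file signature can still look at the image itself. The statistical check below is an added example, not code from the original post or from any vendor; it applies the classic pairs-of-values chi-square test to decoded 8-bit pixel bytes, and it assumes LSB replacement as the embedding scheme, which the post does not specify for Stegoloader. The "clean" image and the payload bits are constructed inline.

```python
import random
from collections import Counter

PALETTE = [40, 97, 130, 181, 220]  # constructed: a few dominant intensities

def make_clean_pixels(n=20000, seed=1):
    """Constructed stand-in for a clean image's decoded 8-bit pixel bytes:
    a few dominant intensities with slight sensor-style noise."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        v = int(round(rng.choice(PALETTE) + rng.gauss(0, 1.5)))
        out.append(max(0, min(255, v)))
    return bytes(out)

def simulate_lsb_embedding(pixels, seed=2):
    """Replace every LSB with a random bit: the effect an encrypted payload has
    on a cover image under LSB replacement (an assumption; the post does not
    say which embedding scheme Stegoloader uses)."""
    rng = random.Random(seed)
    return bytes((p & 0xFE) | rng.getrandbits(1) for p in pixels)

def pairs_of_values_score(pixels, min_pair_count=10):
    """Westfeld/Pfitzmann 'pairs of values' chi-square, averaged per pair.
    LSB replacement pushes each histogram pair (2k, 2k+1) toward equal counts,
    so the per-pair chi-square drops to about 1.0; untouched images, whose
    neighbouring bins differ, score far higher."""
    hist = Counter(pixels)
    total_chi, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist.get(2 * k, 0), hist.get(2 * k + 1, 0)
        n = even + odd
        if n < min_pair_count:  # sparse bins carry no signal
            continue
        expected = n / 2
        total_chi += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
        pairs += 1
    return total_chi / pairs if pairs else float("inf")

def looks_like_lsb_stego(pixels, threshold=2.0):
    """Flag an image whose LSB plane is statistically 'too balanced'."""
    return pairs_of_values_score(pixels) < threshold

if __name__ == "__main__":
    clean = make_clean_pixels()
    stego = simulate_lsb_embedding(clean)
    print(f"clean score {pairs_of_values_score(clean):.2f}, flagged={looks_like_lsb_stego(clean)}")
    print(f"stego score {pairs_of_values_score(stego):.2f}, flagged={looks_like_lsb_stego(stego)}")
```

On real photographs the threshold needs calibration against a corpus of known-clean images, and the test only catches sequential LSB replacement, not adaptive or spread embedding.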

The malware will suspend the execution of its main program code if it detects any analysis or security tools running on the compromised system. Before executing, the malware checks that it is not running in an analysis environment by looking for mouse movements. If no mouse movements are observed, it is likely running in a synthetic environment, such as the ones used by malware sandbox analysis solutions, and it stops executing. In addition, it looks for running processes of security products or tools used for reverse engineering and can terminate them. The malware also uses a known technique for the dynamic construction of code strings, which complicates detection and analysis.

How to Fight Stegoloader Malware

The Stegoloader malware is stealthy in many aspects: It evades analysis tools and deploys only necessary modules without writing them to disk. Therefore, discovery and mitigation become immensely difficult. In order to defend against this type of malware, advanced malware protection and mitigation is needed. This defensive approach combines integrated, multilayered defenses spanning prevention, detection and response to break the threat life cycle and offer continuous protection.

Unlike signature-based antivirus solutions, this approach doesn’t require a signature of the malicious file to identify the threat. In fact, no prior knowledge of the threat is needed: There is no need to know how the threat operates, which command-and-control (C&C) servers it tries to communicate with or which components are involved. Instead, it disrupts the process that Stegoloader and other types of malware use to download modules and prevents subsequent execution.

Because it is not dependent on prior knowledge of the threat, advanced malware protection and mitigation can be effective against zero-day threats as well as evasive malware that attempts to bypass existing security controls. With that, it addresses a critical gap in today’s cyber defenses, empowering organizations to better protect against advanced threats, targeted attacks and APTs.

Update: North American Healthcare is Hit the Hardest by the Stegoloader Trojan

A large number of machines infected with the evasive Stegoloader Trojan were detected at North American healthcare organizations, according to a new report from Trend Micro. According to the report, the majority of the infected machines observed during the last three months were based in the United States (66.82%). Interestingly, 42.65% of the total infected machines are from US healthcare organizations. The report also states that its researchers are currently looking into how cybercriminals can use this for organized attacks: “Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future.”

Healthcare organizations in North America have become a popular target for hackers recently. Back in February, we learned that Anthem, the second biggest health insurer in the US, was the target of a major cyber-attack. The health insurance company said that the attack may have exposed 80 million records of both customers and employees, containing sensitive information like social security numbers, birthdates, addresses, phone numbers, email addresses and member IDs. A month later, we learned of another attack, this time targeting Premera Blue Cross. According to reports, the hackers may have taken up to 11 million customer records.

It has been reported that in a private message sent last year, the FBI warned healthcare providers that their cybersecurity systems are lax compared to other sectors, making them vulnerable to attacks by hackers searching for Americans’ personal medical records and health insurance data. Some believe that healthcare data can be worth 10 times more than credit card information on the black market. According to researchers at Dell SecureWorks, cybercriminals can be paid $20 for health insurance credentials on some underground markets, compared with $1 to $2 for U.S. credit card numbers.

Stopping the Evasive Stegoloader Malware

As mentioned above, organizations can help stop the Stegoloader Trojan threat with IBM’s advanced malware protection and mitigation. This defensive approach combines integrated, multilayered defenses spanning prevention, detection and response in order to break the threat life cycle and help provide continuous protection.

Because it is not dependent on prior knowledge of the threat, advanced malware protection and mitigation can be effective against zero-day threats, as well as evasive malware that attempts to bypass existing security controls. With that, it addresses a critical gap in today’s cyber defenses, empowering organizations to better protect against advanced threats, targeted attacks and APTs.


[1] The word steganography combines the Greek words steganos (στεγανός), meaning “covered, concealed or protected,” and graphein (γράφειν), meaning “writing.”
