June 22, 2015 By Dana Tamir 4 min read

Updated July 8, 2015

The Stegoloader malware family was first identified at the end of 2013 but appears to have been active since 2012. This stealthy and opportunistic information-stealing malware uses digital steganography[1], hiding a core component of the malware within a portable network graphic (PNG) hosted on a legitimate site. As Stegoloader executes, it downloads that core component and then uses digital steganography to extract the code from the image.

What Is Stegoloader?

Stegoloader uses a few sophisticated techniques that allow it to evade detection, circumvent analysis tools and remain stealthy. For example, it has a modular design that allows the attacker to deploy different modules as necessary. The malware’s use of modules limits malware researchers’ ability to expose its capabilities and makes the investigation and reverse engineering analysis extremely difficult. As a result, it’s difficult to fully assess the attacker’s intent.

The first malware module to operate is the deployment module, which is responsible for the malware download, followed by the launch of the main module. The main module’s code is hidden inside a PNG image downloaded from a legitimate website. This module does not have persistence. Neither the PNG image it downloads nor the decrypted code is saved to disk, making the malware difficult to find via traditional signature-based antivirus solutions.

The malware suspends execution of its main program code if it detects any analysis or security tools running on the compromised system. Before executing, it checks that it is not running in an analysis environment by looking for mouse movements: if none are observed, it is likely running in a synthetic environment such as those used by malware sandbox analysis solutions, and it stops executing. In addition, it looks for running processes belonging to security products or reverse engineering tools and can terminate them. The malware also uses a known technique for the dynamic construction of code strings, which complicates detection and analysis.

How to Fight Stegoloader Malware

The Stegoloader malware is stealthy in many aspects: It evades analysis tools and deploys only the necessary modules without writing them to disk. Therefore, discovery and mitigation become immensely difficult. In order to defend against this type of malware, advanced malware protection and mitigation is needed. This defensive approach combines integrated, multilayered defenses spanning prevention, detection and response to break the threat life cycle and offer continuous protection.

Unlike signature-based antivirus solutions, this approach doesn’t require a signature of the malicious file to identify the threat. In fact, no prior knowledge of the threat is needed: There is no need to know how the threat operates, which command-and-control (C&C) servers it tries to communicate with or which components are involved. Instead, it disrupts the process that Stegoloader and other types of malware use to download modules and prevents subsequent execution.

Because it is not dependent on prior knowledge of the threat, advanced malware protection and mitigation can be effective against zero-day threats as well as evasive malware that attempts to bypass existing security controls. With that, it addresses a critical gap in today’s cyber defenses, empowering organizations to better protect against advanced threats, targeted attacks and APTs.

Update: North American Healthcare is Hit the Hardest by the Stegoloader Trojan

A large number of machines infected with the evasive Stegoloader Trojan were detected at North American healthcare organizations, according to a new report from Trend Micro. According to the report, the majority of the infected machines observed during the last three months were based in the United States (66.82%). Interestingly, 42.65% of the total infected machines are from US healthcare organizations. The report also states that its researchers are currently looking into how cybercriminals can use this for organized attacks: “Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future.”

Healthcare organizations in North America have become a popular target for hackers recently. Back in February, we learned that Anthem, the second biggest health insurer in the US, was the target of a major cyber-attack. The health insurance company said that the attack may have exposed 80 million records of both customers and employees, containing sensitive information like social security numbers, birthdates, addresses, phone numbers, email addresses and member IDs. A month later, we learned of another attack this time targeting Premera Blue Cross. According to reports, the hackers may have taken up to 11 million customer records.

It has been reported that in a private message sent last year, the FBI warned healthcare providers that their cybersecurity systems are lax compared to other sectors, making them vulnerable to attacks by hackers searching for Americans’ personal medical records and health insurance data. Some believe that healthcare data can be worth 10 times more than credit card information on the black market. According to researchers at Dell SecureWorks, cyber criminals can be paid $20 for health insurance credentials on some underground markets, compared with $1 to $2 for U.S. credit card numbers.

Stopping the Evasive Stegoloader Malware

As mentioned above, organizations can help stop the Stegoloader Trojan threat with IBM’s advanced malware protection and mitigation. This defense approach combines integrated multi-layered defenses spanning prevention, detection and response in order to break the threat lifecycle and help provide continuous protection.

Because it is not dependent on prior knowledge of the threat, advanced malware protection and mitigation can be effective against zero-day threats, as well as evasive malware that attempts to bypass existing security controls. With that, it addresses a critical gap in today’s cyber defenses, empowering organizations to better protect against advanced threats, targeted attacks and APTs.


[1] The word steganography combines the Greek words steganos (στεγανός), meaning “covered, concealed or protected,” and graphein (γράφειν), meaning “writing.”
