The Dell SecureWorks CTU research team has lately analyzed a piece of malware and identified the renovation of Stegoloader that uses digital steganography to hide its main module’s code. This concealed part of the code is hidden inside a Portable Network Graphics (PNG) image that could be downloaded from a legitimate website.
Stegoloader in Progress
This malware also known as Win32/Gatak.DR and TSPY_GATAK.GTK is a new kind of malware. Actually, Stegoloader is not technically new on the stage of the malware world but it just has its renewed version. It is from the malware family of Trojan horses and has been active since at least 2013 and yet is relatively unknown.Recently, renovated infections have been detected through PC users and contaminations are almost imperceptible as no one expect to get infected with just visiting a web page.
The Deployment of Stegoloader Implemented via PNG File
It is disseminated through software piracy websites, with a pack of software license key generators. Stegoloader main module uses digital steganography to hide part of its code inside a Portable Network Graphics (PNG) image presented on a legitimate website, as mentioned. This malicious type of Trojan deploys by downloading this image each time it runs and uses steganography to extract its code from the image. The malware is never saved to the hard disk and is completed directly by memory, which makes detection difficult.
→“After downloading the image, Stegoloader uses the gdiplus library to decompress the image, access each pixel, and extract the least significant bit of the color of each pixel. The extracted data stream is decrypted using the RC4 algorithm and a hard-coded key.” Dell SecureWorks CTU research team explained in a blog post.
The Technique Is Simple and Consists of Two Stages
- The first stage is determining if the computer is safe for deployment. Stegoloader is checking for the type of security analysis system and its strength. This analysis goes with a frequent change of the mouse’s position but it’s not necessary as it could not change its position and in this case malware terminates without exhibiting any malicious activity.
- The second stage is downloading the main deployment mode. If the result of Stegoloader is clear, then it downloads and runs out main mode. This happens by fetching a basic, every-day PNG file, frequently hosted on a trusted and legitimate website.
Furthermore, some of Stegoloader’s features are deployed only on compromised systems depending on the interest of the malware operator. Its modular design allows its operator to implement modules when necessary.That limits the exposure of the malware capabilities during investigations and reverses engineering analysis. This limited exposure makes it harder to assess the threat actors’ intent fully. The modules analyzed by CTU researchers list mostly accessed documents, recently visited web sites, enumerate installed programs, stolen passwords, and taken installation files for the IDA tool.