
Stegoloader Malware: A Wolf in Sheep's Clothing

Its Path to Infiltrating Systems and Extracting Data

Dell SecureWorks Counter Threat Unit™ (CTU™) researchers analyzed a stealthy malware family named Stegoloader that has been active since at least 2013 and yet is relatively unknown.

It has been distributed through software piracy websites, bundled with software license key generators (see Figure 1).

Figure 1. Key generator that installs Stegoloader. (Source: Dell SecureWorks)

Stegoloader’s core component is hidden in a Portable Network Graphics (PNG) image hosted on a legitimate website. The malware downloads this image each time it runs and uses steganography to extract its code from the image. The extracted code is never written to the hard disk and is executed directly from memory, which makes detection difficult.
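A defender looking at PNG files fetched by a process with no image-viewing purpose can at least check their structure. The following is an added example, not CTU's code and not tied to Stegoloader's actual encoding (which this post does not describe): it walks a PNG's chunk list and flags structural indicators of a hidden payload such as a CRC mismatch, a non-standard chunk type, data appended after IEND, or IDAT data far larger than the declared pixel area. The sample image is constructed inline; LSB-style embedding inside legitimate pixel data would need pixel-statistics checks that this example deliberately leaves out.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA", b"cHRM",
         b"sRGB", b"pHYs", b"tIME", b"bKGD", b"tRNS", b"sBIT", b"iCCP", b"hIST", b"sPLT"}

def _chunk(ctype, data):
    # PNG chunk: 4-byte big-endian length, 4-byte type, data, CRC32 over type+data
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_png(extra_chunks=(), trailing=b""):
    """Constructed sample: a valid 1x1 RGB PNG, optionally with extra chunks before IDAT
    and/or bytes appended after IEND, so the checker can be exercised offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)          # 1x1, 8-bit, truecolour
    body = _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    body += _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + one red pixel
    return PNG_SIG + body + _chunk(b"IEND", b"") + trailing

def png_findings(blob):
    """Return a list of indicator strings; an empty list means no structural anomaly found."""
    if blob[:8] != PNG_SIG:
        return ["not a PNG signature"]
    findings, pos, width, height, idat_len = [], 8, 0, 0, 0
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            findings.append("truncated chunk %r" % ctype)
            break
        if struct.pack(">I", zlib.crc32(ctype + data)) != crc:
            findings.append("CRC mismatch in %r" % ctype)       # payload patched in after the fact
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif ctype == b"IDAT":
            idat_len += length
        elif ctype not in KNOWN:
            findings.append("unknown chunk type %r (%d bytes)" % (ctype, length))
        pos += 12 + length
        if ctype == b"IEND":
            if pos < len(blob):                                  # decoders ignore this region
                findings.append("%d bytes after IEND" % (len(blob) - pos))
            break
    if width and height and idat_len > 4 * width * height + 1024:
        findings.append("IDAT far larger than pixel data")
    return findings
```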

Furthermore, some of Stegoloader’s features are deployed only on compromised systems of interest to the malware operator. Various modules provide additional functionality:

  • Geographic localization module — Obtains the compromised system’s public IP address.
  • History module — Sends a list of recently opened documents to the malware operators.
  • Password stealing module — Collects and sends credentials for most popular applications.
  • IDA stealing module — Locates and steals data associated with the IDA reverse engineering tool. This module, which is deployed only to compromised systems that have IDA installed, steals installation files and registration keys, and uploads them to a file-hosting website.

Stegoloader continues a trend of malware using steganography to evade host-based and network-based detection. This behavior was previously observed in the Lurk and Neverquest malware families. Stegoloader also incorporates the trend of opportunistically deploying functionality. Modules to extract specific information are used as needed, making forensic analysis challenging.

Figure 2 shows Stegoloader’s process. CTU researchers have also published a full analysis of the malware on the Dell SecureWorks website.

Figure 2. Stegoloader process. (Source: Dell SecureWorks)


ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

Secureworks Counter Threat Unit™ (CTU) researchers frequently serve as expert resources for the media, publish technical analyses for the security community, and speak about emerging threats at security conferences. Leveraging Secureworks’ advanced security technologies and a network of industry contacts, the CTU™ research team tracks threat actors and analyzes anomalous activity, uncovering new attack techniques and threats. This process enables CTU researchers to identify threats as they emerge and develop countermeasures that protect customers before damage can occur.