Malware writers don't hesitate to do whatever it takes to protect a campaign and keep it hidden from detection technologies and security researchers.
The group behind the Stegoloader malware, disclosed Monday by researchers at Dell SecureWorks, has turned to digital steganography to keep its information-stealing code from being seen. Once a user's machine is compromised, the deployment module fetches a PNG file that contains the malware from a legitimate hosting site.
Steganography hides information inside another message or image. Malware authors use it to conceal executable code inside an image file; in this case the code is extracted and run only after a number of other safety checks have passed. The technique has been used by several other malware families, including in some targeted attacks carried out by the Miniduke APT group, the Aulreon rootkit, and the Lurk downloader, which Dell SecureWorks exposed last year.
Despite its information-stealing capability, Dell researchers said they have not seen the malware used in targeted attacks, though they don't dismiss the possibility outright. So far, Dell said, it has seen victims in the health care, education, and manufacturing industries, and it has not seen the malware spread via exploits or spearphishing emails. Instead, Dell researchers believe victims are being compromised by downloading pirated software from third-party sites, the same propagation strategy used with older versions of the malware.
“The only infection vector I can confirm is through software piracy tools. I suspect once the attacker gains a foothold on an interesting network, they can deploy additional modules to spread further but I have not been able to find such a module,” said senior security researcher Pierre-Marc Bureau.
The malware is primarily used to steal system information and to load additional modules that access recently opened documents, list installed programs, steal browser history, steal installation files for the IDA disassembly and analysis platform, and drop the Pony password-stealing malware.
“Before deploying other modules, the malware checks that it is not running in an analysis environment. For example, the deployment module monitors mouse cursor movements by making multiple calls to the GetCursorPos function. If the mouse always changes position, or if it does not change position, the malware terminates without exhibiting any malicious activity,” Dell said in its report.
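The cursor heuristic quoted above is simple enough to reproduce, which is useful both for understanding why an idle sandbox trips it and for building a sandbox that does not. The following C is an added example written for this article, not Dell's code or anything recovered from Stegoloader: the decision logic takes a list of sampled positions so it can be exercised offline, and the optional Windows sampler that feeds it live `GetCursorPos` results uses a sample count and delay that are assumptions, since the report gives neither. The three traces at the bottom are constructed, not captured.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not Dell's or the malware's code. */
typedef struct { long x, y; } cursor_pos;

/* Returns true when the samples look like an analysis environment under the
   report's heuristic: the cursor never moved (idle sandbox) or it moved
   between every pair of consecutive samples (scripted jitter). A human
   session, with pauses, falls in between. */
bool cursor_looks_synthetic(const cursor_pos *s, size_t n)
{
    if (n < 2)
        return true;            /* too little data to trust; assumed policy */
    size_t moved = 0;
    for (size_t i = 1; i < n; i++)
        if (s[i].x != s[i - 1].x || s[i].y != s[i - 1].y)
            moved++;
    return moved == 0 || moved == n - 1;
}

#ifdef _WIN32
#include <windows.h>
/* Live sampling with GetCursorPos, the API named in the report. The number
   of samples and the delay between them are assumptions. */
bool live_cursor_looks_synthetic(size_t n, unsigned delay_ms)
{
    cursor_pos buf[64];
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++) {
        POINT p;
        if (!GetCursorPos(&p))
            return true;        /* no interactive desktop: treat as analysis */
        buf[i].x = p.x; buf[i].y = p.y;
        Sleep(delay_ms);
    }
    return cursor_looks_synthetic(buf, n);
}
#endif

/* Constructed sample traces (not captured data) for a stand-alone run. */
static const cursor_pos idle[4]   = {{100,100},{100,100},{100,100},{100,100}};
static const cursor_pos jitter[4] = {{1,1},{2,2},{3,3},{4,4}};
static const cursor_pos human[5]  = {{10,10},{10,10},{15,12},{15,12},{15,12}};

int main(void)
{
    printf("idle:   %d\n", cursor_looks_synthetic(idle, 4));   /* 1 */
    printf("jitter: %d\n", cursor_looks_synthetic(jitter, 4)); /* 1 */
    printf("human:  %d\n", cursor_looks_synthetic(human, 5));  /* 0 */
    return 0;
}
```

The practical lesson for a sandbox operator is in the `jitter` trace: replaying a cursor that moves on every tick is as recognisable as one that never moves, so synthetic input should include pauses and irregular steps.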
“In another effort to slow down static analysis, most of the strings found in the binary are constructed on the program stack before being used,” the report said. “This standard malware technique ensures that strings are not stored in clear text inside the malware body but rather are constructed dynamically, complicating detection and analysis.”
The deployment module lists running processes, and if any of roughly two dozen hard-coded strings naming security tools such as Wireshark and Fiddler is present, it does not execute. Otherwise, it connects to a command-and-control server, encrypts its communication, and downloads the PNG file containing the malware.
“The extracted data stream is decrypted using the RC4 algorithm and a hard-coded key. Neither the PNG image nor the decrypted code is saved to disk, making the malware difficult to find via traditional disk-based signature analysis,” the report said. “The image’s URL and the RC4 key vary in the samples analyzed by CTU researchers.”
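To make the in-memory decryption step concrete, here is an added C example written for this article (not Dell's or Stegoloader's code) that carries a payload through the whole path the report describes: a data stream is pulled out of image pixel data and decrypted with RC4 under a hard-coded key, with nothing written to disk. The report does not say how the stream is packed into the image, so the one-bit-per-byte LSB layout used here is an assumption, and the code works on already-decoded pixel bytes rather than parsing the PNG container. The cover "pixels" are constructed, and the RC4 key "Key" with plaintext "Plaintext" is the widely published RC4 test vector, used so the cipher can be checked against a known answer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Dell's or the malware's code. */

/* RC4: key scheduling followed by keystream XOR. out may alias in. */
void rc4(const uint8_t *key, size_t keylen,
         const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t S[256];
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (size_t k = 0, i = 0, j = 0; k < len; k++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = in[k] ^ S[(S[i] + S[j]) & 0xff];
    }
}

/* Assumed packing: one payload bit in the low bit of each pixel byte,
   most significant bit first. pixels must hold at least len*8 bytes. */
void lsb_embed(uint8_t *pixels, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len * 8; i++) {
        uint8_t bit = (data[i / 8] >> (7 - i % 8)) & 1;
        pixels[i] = (pixels[i] & 0xfe) | bit;
    }
}

void lsb_extract(const uint8_t *pixels, uint8_t *data, size_t len)
{
    memset(data, 0, len);
    for (size_t i = 0; i < len * 8; i++)
        data[i / 8] |= (pixels[i] & 1) << (7 - i % 8);
}

/* Known-answer check: RC4("Key", "Plaintext") == BBF316E8D940AF0AD3. */
int rc4_known_answer_ok(void)
{
    static const uint8_t expect[9] =
        {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t ct[9];
    rc4((const uint8_t *)"Key", 3, (const uint8_t *)"Plaintext", ct, 9);
    return memcmp(ct, expect, 9) == 0;
}

/* Full path over a constructed cover buffer: encrypt, hide in LSBs, then
   recover and decrypt in place the way the deployment module would, all in
   memory. Returns 1 if the recovered payload equals the original. */
int stego_roundtrip_ok(void)
{
    static const uint8_t key[] = "Key";          /* hard-coded key, keylen 3 */
    const char *payload = "Plaintext";
    size_t len = strlen(payload);
    uint8_t pixels[9 * 8];                       /* constructed cover bytes */
    for (size_t i = 0; i < sizeof pixels; i++)
        pixels[i] = (uint8_t)(i * 37);
    uint8_t ct[9], rec[9];
    rc4(key, 3, (const uint8_t *)payload, ct, len);
    lsb_embed(pixels, ct, len);
    lsb_extract(pixels, rec, len);
    rc4(key, 3, rec, rec, len);                  /* decrypt in place */
    return memcmp(rec, payload, len) == 0;
}

int main(void)
{
    printf("rc4 known answer: %d\n", rc4_known_answer_ok());  /* 1 */
    printf("stego roundtrip:  %d\n", stego_roundtrip_ok());   /* 1 */
    return 0;
}
```

The point for defenders is the absence of any file write between `lsb_extract` and the decrypted buffer: the image is innocuous on disk and in transit, and the code only ever exists in process memory, which is why Dell notes that disk-based signatures miss it and why memory scanning or hooking the decryption routine is the place to look.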
Once the main module, which Dell said lives only in memory, takes over, it can accept a number of commands from the command-and-control infrastructure, provided the compromised machine matches criteria that make it an attractive enough target. Those commands include kill and stop, sending system information and browser history for Firefox, Chrome and Internet Explorer, and executing shellcode.
Older versions of Stegoloader were bundled with pirated software, Dell said, and installed alongside other malware such as Vundo, a family that installs pop-up advertising, scareware, and ransomware.