Dell SecureWorks has discovered what researchers say could represent an emerging trend in malware: the use of digital steganography -- the "art of inconspicuously hiding data within data" -- to hide malicious code.
The Stegoloader malware family first surfaced in 2013 but it didn’t make much noise back then. Fast forward two years and there are multiple variants of the malware that Dell said “stealthily steals” information from victim machines.
“Stegoloader's modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis,” Dell said in an alert. “This limited exposure makes it difficult to fully assess the threat actors' intent. The modules analyzed by CTU [Counter Threat Unit] researchers list recently accessed documents, enumerate installed programs, list recently visited Web sites, steal passwords, and steal installation files for the IDA tool.”
You Get What You Don’t Pay For
We asked Kowsik Guruswamy, CTO for cyberthreat protection firm Menlo Security, for his thoughts on the dangerous new malware strain. He told us that the discovery of Stegoloader exposes several weaknesses in conventional detection-based malware prevention.
“First, note that the initial phase of the attack starts with the Stegoloader deployment module being installed on the user's machine,” he noted. “So far, the only reported initial infection vector is when users unwittingly download Stegoloader from sites hosting ‘software piracy tools.’ Well, we hate to say ‘it serves you right’ but hey, you get what you don't pay for.”
After it's installed on the target machine, the Stegoloader deployment module fetches the PNG image that contains the next phase of the attack. The PNG is hosted on a legitimate site that wouldn't be blocked by a Web security gateway, Guruswamy said.
Menlo’s State of the Web 2015: Vulnerability Report revealed 20 percent of Web sites run software with known vulnerabilities, including so-called legitimate sites. These sites are easily compromised and used to host payloads like the malicious Stegoloader PNG image. Guruswamy said it's easy for the Stegoloader PNG payload to pass right through Web security gateways.
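The article does not say how Stegoloader encodes its next stage inside the PNG, only that a seemingly benign image on a legitimate site carries it. The following is an added example, not Dell SecureWorks', Menlo Security's or the malware's code, of the kind of structural triage a defender can run on image downloads: it parses the PNG chunk layout, flags bytes appended after the IEND chunk, and measures how random-looking the least-significant-bit plane of the pixel data is. The clean image, the hidden payload and the LSB-embedding routine used to produce the "stego" sample are all constructed here purely to give the checker something to run against; the assumption that a hidden stage would sit in the LSB plane is illustrative, not something the page reports about Stegoloader.

```python
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB PNG encoder (filter type 0 on every scanline)."""
    raw = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def parse_png(data: bytes):
    """Walk the chunk list, verify every CRC, and return (chunks, trailing_bytes)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    # Anything after IEND is not part of the image; a decoder ignores it.
    return chunks, data[pos:]


def pixel_bytes(chunks) -> bytes:
    """Inflate IDAT and strip the per-scanline filter byte (type 0 only)."""
    ihdr = next(body for ctype, body in chunks if ctype == b"IHDR")
    width, height = struct.unpack(">II", ihdr[:8])
    raw = zlib.decompress(b"".join(body for ctype, body in chunks if ctype == b"IDAT"))
    stride = 1 + width * 3
    if len(raw) != height * stride:
        raise ValueError("IDAT size does not match IHDR dimensions")
    out = bytearray()
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("this example only handles filter type 0")
        out += line[1:]
    return bytes(out)


def analyze(data: bytes) -> dict:
    """Return triage statistics for a PNG; 'suspicious' is a toy verdict."""
    chunks, trailing = parse_png(data)
    lsb = [b & 1 for b in pixel_bytes(chunks)]
    ones_ratio = sum(lsb) / len(lsb)
    # Fraction of neighbouring LSBs that differ: ~0 for smooth synthetic
    # content, ~0.5 when the plane carries compressed or encrypted bytes.
    transition_rate = sum(1 for a, b in zip(lsb, lsb[1:]) if a != b) / (len(lsb) - 1)
    return {
        "trailing_bytes": len(trailing),
        "lsb_ones_ratio": ones_ratio,
        "lsb_transition_rate": transition_rate,
        "suspicious": len(trailing) > 0 or transition_rate > 0.3,
    }


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    """Constructed test helper: overwrite pixel LSBs with payload bits."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("payload larger than LSB capacity")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


# Constructed samples: a 64x32 smooth gradient whose channel values are all
# even (so its LSB plane is flat), the same image with 768 pseudo-random
# bytes written into the LSB plane, and the clean file with data after IEND.
WIDTH, HEIGHT = 64, 32
CLEAN_RGB = bytes(v for y in range(HEIGHT) for x in range(WIDTH)
                  for v in ((x * 4) & 0xFE, (y * 8) & 0xFE, 0x80))
CLEAN_PNG = build_png(WIDTH, HEIGHT, CLEAN_RGB)
PAYLOAD = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(24))
STEGO_PNG = build_png(WIDTH, HEIGHT, embed_lsb(CLEAN_RGB, PAYLOAD))
TRAILING_PNG = CLEAN_PNG + b"constructed trailing blob"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PNG), ("stego", STEGO_PNG), ("trailing", TRAILING_PNG)):
        print(name, analyze(sample))
```

The transition-rate threshold is deliberately crude: real photographs carry sensor noise in the LSB plane, so a production check would calibrate against a baseline of known-good images or use an established detector (chi-square or RS analysis) rather than a fixed 0.3. The trailing-data and CRC checks, by contrast, are cheap and unambiguous, and are worth running on every image a gateway lets through.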
Is Isolation the Only Approach?
How about detection of the malware in the PNG by network sandboxes? The malware looks for signs that it is being evaluated in a sandbox and simply lies dormant until the sandbox issues a green light and passes the payload through, Guruswamy said.
“There's nothing at all surprising about the Stegoloader attack. It's a simple matter of evolution: malware will continuously evolve to avoid detection, and the newest attacks will always find a way to thwart any method of detection,” Guruswamy said. “We believe that a new approach to security -- isolation -- is the only approach that can consistently eliminate malware. The point is to forget about trying to detect malware, because in the long run we'll always be fooled.”
Dell’s conclusion: Stegoloader is stealthy in many aspects. It evades analysis tools and deploys only necessary modules, without writing them to disk. There are likely more Stegoloader modules than CTU researchers have observed, possibly used by threat actors to ensure persistence or to gain access to additional resources, the firm said.
“Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities,” Dell said. “Stegoloader is the third malware family that CTU researchers have observed using digital steganography. This technique might be a new trend because malware authors need to adapt to improved detection mechanisms.”