Stegoloader can hide its source code inside a plain PNG file

Jun 16, 2015 13:46 GMT  ·  By

Security researchers at Dell SecureWorks have broken down the process through which the Stegoloader malware infects and then steals information from end-user PCs.

Malware can take many forms nowadays, but even though it is possible, users generally don't expect to find it packed inside image files.

In computer science, this technique is called steganography: the practice of concealing information inside other data, in plain sight.

Enter Stegoloader, the stealthy, multi-tasking malware

Stegoloader, also known as Win32/Gatak.DR and TSPY_GATAK.GTK, is a new kind of malware. It was first encountered in 2013 but did not attract any public attention back then, mainly because its stealthy design allows it to go undetected by many antivirus solutions.

The malware has a simple modular design. In its first stage of life it is a basic deployment module tasked with two operations: determining whether the infected computer is safe to deploy on, and downloading the main module.

This first stage is the main reason the malware has been so hard to analyze: Stegoloader runs a series of basic checks to determine whether the computer it is running on is a plain ol' PC or an advanced security analysis system.

Using a combination of mouse-cursor activity monitoring, sniffing functions and queries of the active services list for a series of predefined security products used in reverse engineering, Stegoloader can easily detect "trouble" and terminate its activity before it is detected.

The main module is loaded via a PNG file

If Stegoloader's checks come back clear, the deployment module moves on to its second stage and downloads the main module. It does this by fetching an ordinary, everyday PNG file, usually hosted on a trusted and legitimate website.

Encoded in the image file's pixels is the source code to the main Stegoloader module itself, hidden in "the least significant bit from the color of each pixel."

This data stream is then decrypted using the RC4 algorithm with a hard-coded key, forming the main Stegoloader loader. All of these operations, as well as the storage of the main Stegoloader module, take place in the computer's memory; nothing is saved to disk at any point, which lets the malware avoid classic signature-based analysis tools.
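As an added illustration of the extraction step described above (written here as an analyst-side routine, not the researchers' or the malware's own code), the following Python reads the least significant bit of each colour byte from an already-decoded RGB pixel buffer and then RC4-decrypts the stream with a key recovered from the sample. The bit order, the key, and the payload length are assumptions; decoding the PNG to pixels (for example with Pillow) is left to the caller, and a constructed 16x16 buffer stands in for a real image.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (KSA + PRGA); the same routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def extract_lsb(pixels: bytes, nbytes: int) -> bytes:
    """Read the LSB of each colour byte in buffer order, MSB-first within each
    output byte (assumed layout; a real sample's bit order comes from reversing it)."""
    if nbytes * 8 > len(pixels):
        raise ValueError("pixel buffer too small for requested payload length")
    out = bytearray()
    for k in range(nbytes):
        val = 0
        for bit in range(8):
            val = (val << 1) | (pixels[k * 8 + bit] & 1)
        out.append(val)
    return bytes(out)

def embed_lsb(pixels: bytes, data: bytes) -> bytes:
    """Test fixture only: write data into the LSB plane of a pixel buffer."""
    buf = bytearray(pixels)
    for k, byte in enumerate(data):
        for bit in range(8):
            buf[k * 8 + bit] = (buf[k * 8 + bit] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(buf)

def recover_payload(pixels: bytes, key: bytes, nbytes: int) -> bytes:
    """Analyst helper: LSB stream -> RC4 decrypt, the two steps the article describes."""
    return rc4(key, extract_lsb(pixels, nbytes))

# Constructed sample: a 16x16 RGB "image" (768 colour bytes) with a synthetic pattern.
WIDTH, HEIGHT = 16, 16
COVER = bytes(((x * 7 + y * 13 + c * 5) & 0xFF) for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))
KEY = b"example-key"                  # placeholder; the real hard-coded key comes from the sample
PAYLOAD = b"constructed test payload"  # constructed marker, not the malware's module
STEGO = embed_lsb(COVER, rc4(KEY, PAYLOAD))

if __name__ == "__main__":
    print(recover_payload(STEGO, KEY, len(PAYLOAD)))
```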

At this stage, the deployment module is terminated, and the main module starts executing a series of predefined tasks, communicating with a server for further instructions.

The main module is effectively the central hub for all subsequent operations, the component that loads other modules depending on what kind of data it finds on the infected system.

The malware can also go to sleep for lengthy periods of time until the server, or its internal routines, deem it safe to reactivate.

Using Stegoloader, attackers have been able to steal passwords from various types of applications, install other types of malware, download browser histories, execute shellcode, get lists of recently opened files, and determine the user's geographical location.

The efficiency with which it avoids detection at every stage of its life makes Stegoloader a very dangerous threat, which is why the Dell SecureWorks research team found it quite surprising that it has not been used in any targeted attacks so far.