Cybercriminals use steganography to make sure the original file is not damaged

Feb 18, 2014 12:38 GMT  ·  By

Security researchers have analyzed a new version of the notorious ZeuS banking Trojan. The new variant, ZeusVM, is designed to retrieve its configuration file from an image.

Experts from Malwarebytes and French security researcher Xylitol have noticed that alongside other components, the malware is retrieving a JPG image from a server.

A closer analysis of the file revealed that it was an ordinary image copied from the web, with additional data appended to it. By using this form of steganography, the cybercriminals have attached the malware's configuration data to the image without damaging it, so the file still opens as a normal picture.
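The appended-data trick described above is also what makes the file easy to check for. The following is an added example, not code from Malwarebytes, Xylitol or the article; it assumes the configuration blob is simply appended after the JPEG's end-of-image (EOI) marker, which is the usual way to add data without breaking the picture. The sample bytes are constructed, not taken from a real ZeusVM image.

```python
# Flag JPEGs that carry extra data after the end-of-image (EOI) marker.
EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))         # restart markers: no length field
NO_LENGTH = RST | {0x01}             # TEM marker has no length field either
NOT_A_MARKER = RST | {0x00, 0xFF}    # bytes allowed after 0xFF inside scan data

def jpeg_image_end(data: bytes) -> int:
    """Offset just past the real EOI, found by walking the segment structure.
    Segments are skipped by declared length, so an EOI inside an embedded
    EXIF thumbnail is not mistaken for the end of the outer image."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte: marker starts one byte later
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos
        if marker in NO_LENGTH:
            continue
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length includes itself
        if marker == SOS:
            # Entropy-coded data: 0xFF is byte-stuffed as FF 00 and restart
            # markers may appear, so scan until the next genuine marker.
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in NOT_A_MARKER
            ):
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")

def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the image proper; empty for a clean file."""
    return data[jpeg_image_end(data):]

# Constructed sample, not a real ZeusVM image: SOI; an APP1 segment carrying a
# fake thumbnail with its own EOI; a minimal SOS header; scan data with a
# stuffed FF 00 and an RST0; the real EOI; then an appended config stand-in.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe1\x00\x0c" + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
    + b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + b"\xff\xd9"
)
STEGO_JPEG = CLEAN_JPEG + b"CONFIG-BLOB"
```

A non-empty result from `trailing_payload` on an image fetched by a process is worth a closer look; naive scanning for the first `FF D9` would stop at the thumbnail's EOI instead.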

After decrypting the appended data, experts found a list of financial institutions targeted by ZeusVM.

Disguising the configuration file as an image has a number of advantages for the attackers, notably that the malicious configuration data can slip past security systems that treat a valid JPEG as harmless. Furthermore, a webmaster whose server is used to host the file would probably not suspect that the image is actually part of a cybercriminal operation.

Additional technical details are available on Malwarebytes’ blog.