Crooks resort to steganography and fileless malware methods

Jun 26, 2015 13:49 GMT  ·  By

Healthcare organizations in the US account for most of the known victims of the Stegoloader Trojan, a piece of malware that embeds its code inside PNG image files in an attempt to evade network- and host-level detection mechanisms.

The largest number of infections seen by security researchers is located in North America, affecting entities across various sectors, including financial, manufacturing, oil and gas, and technology.

Malware has been under development since at least 2013

Stegoloader was recently reported by Dell SecureWorks; it is also known as Gatak (no relation to the Gataka banking malware). Its architecture is modular, meaning functionality can be expanded and deployed as needed by the threat actor.

The threat was first spotted in late 2013 but generated little attention. Since then, multiple variants emerged, all designed to steal information from infected systems.

The technique the Trojan’s authors adopted is called steganography, and malware has used it before, both to update configuration files and to deliver payloads. The method is not new, but it is not widespread, either.

Fileless malware spread to healthcare organizations

Another tactic the author uses to avoid detection is executing all malicious modules in memory. Neither the PNG image nor the code extracted from it and decrypted is saved to disk, leaving no trace of the infection on the storage unit and defeating disk-based signature scanning.
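To make the two evasion tactics above concrete (code hidden in PNG pixels, and a carrier plus payload that only ever exist in memory), here is an added illustration in Python. It is not Stegoloader's code, and the article does not say how the malware actually embeds or encrypts its modules, so the following are assumptions: one payload bit per colour-channel least significant bit, a 4-byte big-endian length header, and a repeating-key XOR standing in for the real cipher. The cover image, key and "module" bytes are constructed inline; the recovered module is never executed.

```python
"""In-memory PNG LSB steganography, added as an illustration of the technique
the article describes; it is not Stegoloader's code. Assumed details the article
does not give: one payload bit per colour-channel LSB, a 4-byte big-endian length
header, and a repeating-key XOR standing in for the real cipher."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEY = b"stego-key"  # assumed key for the XOR stand-in
# Constructed stand-in for a malicious module; it is recovered, never executed.
SAMPLE_MODULE = b"constructed stand-in for a malicious module (not executed)"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    # PNG chunk layout: length | type | data | CRC32 over type+data
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def encode_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB PNG writer; every row uses filter type 0 (None)."""
    if len(rgb) != width * height * 3:
        raise ValueError("pixel buffer does not match dimensions")
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[r * stride:(r + 1) * stride] for r in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))

def decode_png(png: bytes):
    """Parse a PNG as written above, verifying CRCs; returns (width, height, rgb)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, width, height, idat = len(PNG_SIG), None, None, b""
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("bad CRC on chunk %r" % ctype)
        if ctype == b"IHDR":
            width, height, depth, ctyp = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctyp != 2:
                raise ValueError("only 8-bit RGB is handled here")
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw, stride = zlib.decompress(idat), width * 3 + 1  # filter byte + pixels
    rows = [raw[r * stride:(r + 1) * stride] for r in range(height)]
    if any(row[0] != 0 for row in rows):
        raise ValueError("only filter type 0 is handled here")
    return width, height, b"".join(row[1:] for row in rows)

def embed_lsb(rgb: bytes, blob: bytes) -> bytes:
    """Store 4-byte length + blob, one bit per channel byte, MSB first."""
    payload = struct.pack(">I", len(blob)) + blob
    if len(payload) * 8 > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i, byte in enumerate(payload):
        for b in range(8):
            out[i * 8 + b] = (out[i * 8 + b] & 0xFE) | ((byte >> (7 - b)) & 1)
    return bytes(out)

def extract_lsb(rgb: bytes) -> bytes:
    """Inverse of embed_lsb; rejects a length header larger than the cover."""
    def read(start: int, n: int) -> bytes:
        vals = bytearray()
        for i in range(n):
            v = 0
            for b in range(8):
                v = (v << 1) | (rgb[start + i * 8 + b] & 1)
            vals.append(v)
        return bytes(vals)
    (n,) = struct.unpack(">I", read(0, 4))
    if 32 + n * 8 > len(rgb):
        raise ValueError("length header exceeds cover size")
    return read(32, n)

def xor(data: bytes, key: bytes) -> bytes:
    # Stand-in for the real cipher; the article only says the code is decrypted.
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))

def build_cover(width: int = 64, height: int = 64) -> bytes:
    # Constructed gradient with even channel values only: its LSB plane is all zero.
    return bytes(2 * ((x + y) % 128)
                 for y in range(height) for x in range(width) for _ in range(3))

def lsb_ones_ratio(rgb: bytes) -> float:
    """Fraction of channel bytes with LSB set; 0.0 for the constructed cover."""
    return sum(v & 1 for v in rgb) / len(rgb)

def attacker_side(module: bytes = SAMPLE_MODULE) -> bytes:
    """Produce PNG bytes whose pixels carry the encrypted module."""
    return encode_png(64, 64, embed_lsb(build_cover(), xor(module, KEY)))

def victim_side(png: bytes) -> bytes:
    """Recover the module from PNG bytes held in memory; nothing is written to disk."""
    _, _, rgb = decode_png(png)
    return xor(extract_lsb(rgb), KEY)
```

Two points a practitioner should take from running this: the module's bytes, plaintext or encrypted, never appear contiguously in the carrier, so a file-based signature for the module cannot match the PNG even if the PNG were written to disk; and on a clean synthetic cover the embedding leaves an obvious statistical trace in the LSB plane (the ones ratio goes from 0.0 to roughly one half). That second check is only a demonstration: real photographs already have noisy LSB planes, which is exactly why this kind of carrier is hard to flag on content alone and why the article stresses network- and host-level behavioural detection instead.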

Following Dell’s report, Trend Micro pulled telemetry data from its sensor network and found that 42.65% of the Stegoloader victims were in the healthcare sector, followed by organizations in the financial industry, with 12.81%.

Homer Pacag, Threat Response Engineer at Trend Micro, believes that steganography may be used creatively in the future by cybercriminals exploring new ways to attack healthcare entities and exfiltrate medical data.

Image: Stegoloader is hidden in the pixels of this image

Image: Stegoloader infection distribution across different sectors