14 DAY TRIAL // Cybercriminals operating Lurk malware dropper are currently hiding malicious data inside images, leveraging what is called steganography, a stealth technique that in digital world allows embedding data in image, video or audio files.
The malware relies on an algorithm designed to lace pictures with links pointing to the command and control server, in encrypted form. The images are not distorted in any way, and only code analysis could detect that it carries additional elements with it.
Lurk is composed of two items, one is a payload DLL while the other is the dropper DLL, which is responsible for extracting and executing the payload.
Security researcher Brett Stone-Gross from SecureWorks Counter Threat Unit (CTU), says that the malware is distributed via images. At a closer inspection, these appear to have some “seemingly random noise,” which is actually the malware code extracted after some Windows graphics API functions are called.
From the analysis performed by the researcher, it is clear that after executing the payload DLL, the infected system is automatically scanned for the presence of certain antivirus products. The presence of some of them prevents the malware from installing on the system.
The first information about Lurk’s distribution was posted back in February, by French security researcher Kafeine, when he observed that the malicious code spread via an HTL iFrame on a compromised website; it loaded a Flash exploit (CVE-2013-5330).
Anyone visiting the website with a vulnerable version of Flash Player would be served a DLL file executing the malware piece.
Although Lurk can deliver any type of malware (banking Trojans, ransomware, etc.), in the CTU assessment showed that the crooks behind the currently analyzed sample were using it for a click-fraud operation.
As soon as the encrypted links embedded in the images are decoded, the infected computer receives a click-fraud template in JSON format. The data contains instructions for running the fraudulent scheme and loads a set of iFrames with spoofed referrers.
According to Stone-Gross, the crooks effort to find a method for improving resistance of the malicious files to detection may pay off.
“The Lurk downloader demonstrates the power and versatility of this technique and how it can be used to evade network detection and manual scrutiny by malware researchers. Steganography can make it exceedingly difficult to detect the presence of hidden information such as a configuration file, binary update, or bot command, especially in digital files,” concluded the researcher.