Making a resurgence among malware writers is steganography, which means to hide in plain sight, according to
Dell Security’s Cyber Threats Unit.
The Stegoloader malware family, also known as Win32/Gatak.DR (Microsoft) and TSPY_GATAK.GTK (Trend Micro), appears to target healthcare, education, and manufacturing, and it does so with a seemingly innocent Portable Network Graphics (PNG) picture of the Earth in space.
Steganography, which combines the Greek words for “covered, concealed, or protected” with “writing,” was first coined around 1499 in a book, Steganographia, by Johannes Trithemius.
While the book was supposed be on magic it was actually about cryptography and steganography. Other examples include using the first letter of each printed line to spell out an alternative message.
For digital steganography, the secret message is embedded within the code of a document or image. In some cases the addition of a message will bloat the file so that it stands out as being changed or different.
However, newer techniques appear to address that concern.
For example, a malware creator might take a cute picture of a kitten and alter the color code of every 50th pixel to produce a desired alphanumeric, or alter the least significant byte to correspond to an alphanumeric.
The result would have a nominal increase in file side and be so subtle that analysis would be needed to identify the exact alterations.
Stegnoloader hides its main module’s code inside a PNG image. This is not exactly new. A variant of the Zeus banking Trojan used sunset pictures.
Another malware family hid malicious content inside an Android icon image, dnd the terrorist group Al Qaeda is known to have a
used steganography in videos to communicate with its followers.
One advantage to using steganography is that most antivirus products do not actively scan image files for malware. According to Dell, another way Stegoloader attempts to avoid detection is the strings found in the binary are constructed in the program stack before being used.
However, Stegoloader will not execute if it finds there is active analysis or security tools installed on the infected system.
After downloading a PNG image from a URL hardcoded into the file, Stegoloader decompresses the image, accesses each pixel, and extracts the least significant bit from each color of each pixel.
Neither the PNG image nor the decoded messages are stored on the infected system’s hard drive in an attempt to be evasive.
The Stegoloader family is known to be distributed through a software piracy site. The malicious code includes modules that gather geographic location data, victims’ browsing history, passwords, and lists of recently opened documents.
At the moment Stegoloader appears to be only gathering intelligence.
Steganography has been used in operating botnets in recent years. The
TDSS botnet used JPG images hosted on popular blogging sites for its Command & Control (C&C) communication, and ShadyRAT was also able to decrypt and decode C&C commands hidden within JPG files.
“It is my intuition that they might be selling compromised hosts to others,” Pierre-Marc Bureau, CTU senior security researcher, told SCMagazine.
“But they do not appear to be trying to build a big botnet. They are not trying to accumulate thousands upon thousands of infected hosts. I really think they are trying to find interesting networks [or] hosts.”
It should be noted that steganography does not always use pictures. The
Morto Trojan, for example, actually hides its C&C traffic within simple DNS requests. Morto requests a non-existent domain from a hard-coded DNS server which is the actual C&C server.
The commands are embedded and obfuscated by a simple Base64 encoding within the DNS response. However, the DNS response is much larger than it needs to be and would therefore be suspicious on its own.
