U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware

North American healthcare organizations appear to be getting hit the hardest by the Stegoloader Trojan making headlines recently.

According to Trend Micro, most of the infections during the past three months occurred in the United States (66.82 percent), Chile (9.1 percent), Malaysia (3.32 percent), Norway (2.09 percent) and France (1.71 percent).

The malware, which became active a few years ago, uses steganography to hide its components inside .PNG image files, a technique also used by threats such as the Neverquest banking Trojan. In Stegoloader's case, neither the downloaded PNG nor the code decrypted from it is ever written to disk: the main module is unpacked into a memory region allocated specifically for that purpose, so file-based scanning sees only an innocuous-looking image, if anything at all.
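The mechanism described above, as an added illustration that is not Stegoloader's own code: the page does not document the real encoding, so the least-significant-bit (LSB) layout, the single-byte XOR obfuscation key, the synthetic cover pixels and the function names below are all assumptions. The block writes a minimal 8-bit RGB PNG, hides a "component" in the LSB of each channel byte, recovers and de-obfuscates it purely in memory, and adds the two checks an analyst would run on a suspect image: bytes appended after IEND, and an LSB-only difference against a known-clean copy of the stock photo. Standard library only, so it runs offline.

```python
"""Generic PNG LSB steganography plus two analyst checks. Added illustration,
not Stegoloader's code: bit layout, XOR key and cover pixels are assumptions."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
COVER_W, COVER_H = 16, 16
# Constructed synthetic cover (a gradient) standing in for the stock photo
COVER_RGB = bytes((x * 7 + y * 13 + c * 31) & 0xFF
                  for y in range(COVER_H) for x in range(COVER_W) for c in range(3))
XOR_KEY = 0x5A  # assumed single-byte obfuscation of the hidden component


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def _chunks(blob: bytes):
    """Walk the chunks of a PNG, verifying every CRC; yields (type, data, end_offset)."""
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos += 12 + length
        yield ctype, data, pos
        if ctype == b"IEND":
            return
    raise ValueError("truncated PNG: no IEND chunk")


def encode_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB encoder (colour type 2, filter type 0 on every scanline)."""
    raw = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def decode_png(blob: bytes) -> bytes:
    """Return the raw RGB bytes of a PNG written by encode_png (other layouts rejected)."""
    width = height = None
    idat = b""
    for ctype, data, _ in _chunks(blob):
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            if depth != 8 or colour != 2:
                raise ValueError("only 8-bit RGB is supported")
        elif ctype == b"IDAT":
            idat += data
    raw = zlib.decompress(idat)
    stride = width * 3 + 1
    rows = [raw[i * stride:(i + 1) * stride] for i in range(height)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("only filter type 0 is supported")
    return b"".join(r[1:] for r in rows)


def embed(rgb: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus payload into the LSB of successive channel bytes."""
    msg = struct.pack(">I", len(payload)) + payload
    if len(msg) * 8 > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i in range(len(msg) * 8):
        bit = (msg[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(rgb: bytes) -> bytes:
    """Inverse of embed: read the length, then that many bytes, from the LSB plane."""
    def read(start_bit: int, n: int) -> bytes:
        return bytes(sum((rgb[start_bit + i * 8 + j] & 1) << (7 - j) for j in range(8))
                     for i in range(n))
    (n,) = struct.unpack(">I", read(0, 4))
    if 32 + n * 8 > len(rgb):
        raise ValueError("length field exceeds cover size")
    return read(32, n)


def build_stego_png(component: bytes) -> bytes:
    """Attacker side: obfuscate the component and hide it in the cover image."""
    return encode_png(COVER_W, COVER_H, embed(COVER_RGB, bytes(b ^ XOR_KEY for b in component)))


def recover_in_memory(png: bytes) -> bytes:
    """Loader side: parse, extract and de-obfuscate entirely in memory, never touching disk."""
    return bytes(b ^ XOR_KEY for b in extract(decode_png(png)))


def trailing_data(png: bytes) -> bytes:
    """Analyst check 1: any bytes after IEND (a cruder, common way to smuggle a payload)."""
    for ctype, _, end in _chunks(png):
        if ctype == b"IEND":
            return png[end:]
    return b""


def lsb_diff_only(clean_png: bytes, suspect_png: bytes) -> bool:
    """Analyst check 2: given a known-clean copy of the stock photo, confirm the
    suspect differs only in the least-significant bit of each channel byte."""
    a, b = decode_png(clean_png), decode_png(suspect_png)
    return len(a) == len(b) and all((x ^ y) & 0xFE == 0 for x, y in zip(a, b))


if __name__ == "__main__":
    stego = build_stego_png(b"hypothetical loader stage")
    print(recover_in_memory(stego))
    print(lsb_diff_only(encode_png(COVER_W, COVER_H, COVER_RGB), stego))
```

The point of the two checks is that a stego image is a valid PNG with correct CRCs, so format validation alone proves nothing; what gives it away is either data outside the chunk structure or, if the original photo can be found, a difference confined to the LSB plane. In an actual investigation the comparison would be against the real stock photo and the loader's own decoding routine, neither of which is reproduced here.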

“There have been recent successful breaches exposing millions of customer files of healthcare organizations like Anthem and Premera Blue Cross,” blogged Homer Pacag, threat response engineer at Trend Micro. “Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future.”

According to Trend Micro, embedding malicious code in image files to evade detection will continue to gain popularity among attackers, and the Trojan's reemergence, together with its focus on particular regions and industries, shows that cybercriminals are still experimenting with new ways of using steganography to spread threats.

“When we first blogged about the malware in January 2014, the TROJ_GATAK.FCK variant was bundled with key generators for various applications and FAKEAV is its final payload,” Pacag noted. “The final payload for the three recent samples of the malware, TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP are under analysis.”

“Note that the routines from variants of past years remain the same,” the researcher continued. “The malware is downloaded from the Internet by users who believe it to be key generators or keygens. Once downloaded, it poses as a legitimate file related to Skype or Google Talk. It eventually downloads the stock photo where a huge part of its routines is embedded. The following are samples of photos used by the malware to embed malicious components.”

The malware also carries anti-virtual-machine and anti-emulation checks to thwart analysis in sandboxes and emulators.

“Past attacks using steganography have been noted to use interesting but seemingly harmful sunset and cat photos to target online bank accounts,” Pacag blogged. “Although the technique of using photos is quite old, its ability to help cybercriminals and threat actors evade detection remains a strong reason for its continuous use in the wild.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
