Researchers at Dell SecureWorks have analyzed Stegoloader, a stealthy piece of malware designed to steal information from infected systems.
Stegoloader, detected as Win32/Gatak.DR by Microsoft and TSPY_GATAK.GTK by Trend Micro, has been around since at least late 2013. The malware’s modular design allows cybercriminals to carry out various tasks while making it difficult for researchers to analyze the threat.
According to experts in the Dell SecureWorks Counter Threat Unit, Stegoloader attacks start with a deployment module that’s responsible for downloading and launching the malware’s main module on infected systems.
Before downloading the main component, the deployment module checks for the presence of an analysis environment by monitoring mouse movements. If the mouse cursor doesn’t change its position, or if it changes its position constantly, the malicious application is terminated.
The deployment module also lists running processes to see if popular analysis and security tools such as Wireshark, Fiddler, Sandboxie, InCtrl5, and OllyDBG are running. If a process associated with one of the targeted tools is detected, the malware is terminated.
A method used by the malware authors to slow down static analysis involves the dynamic construction of strings in the binary. This makes detection and analysis more difficult compared to malware that stores strings inside its body in clear text.
Once it ensures that it’s not being analyzed, the deployment module accesses a hardcoded URL to download a Portable Network Graphics (PNG) image file hosted on a legitimate website. This harmless-looking image file contains the main Stegoloader module.
“After downloading the image, Stegoloader uses the gdiplus library to decompress the image, access each pixel, and extract the least significant bit from the color of each pixel. The extracted data stream is decrypted using the RC4 algorithm and a hard-coded key,” researchers explained in a blog post.
Hiding malware in images is not unheard of. The technique, known as digital steganography, has also been used by threats such as the Lurk downloader and the Neverquest Trojan.
Stegoloader is difficult to detect using traditional signature-based analysis because the PNG image and the decrypted code are not saved to the disk. The malware’s main module resides in a memory area specially allocated for this purpose.
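The LSB-extraction and RC4-decryption step described above, written as an analyst's recovery tool; this is an added example, not code from the article or from SecureWorks' analysis. It assumes the PNG has already been decoded to raw RGB channel bytes (for example with an image library), one hidden bit per channel, MSB-first bit packing and a 4-byte length prefix, none of which the article specifies; the key, cover and payload are constructed here.

```python
# Added example, not SecureWorks' or the malware's code: recover a payload
# hidden in the least-significant bits of decoded RGB channel values and
# RC4-decrypt it. Assumed (the article does not say): one bit per channel,
# bits packed MSB-first, and a 4-byte big-endian length prefix on the stream.
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def lsb_stream(channels: bytes) -> bytes:
    """Collect the LSB of each channel value, eight bits per output byte."""
    out = bytearray()
    for k in range(0, len(channels) - 7, 8):
        b = 0
        for v in channels[k:k + 8]:
            b = (b << 1) | (v & 1)
        out.append(b)
    return bytes(out)

def extract_payload(channels: bytes, key: bytes) -> bytes:
    """Read the hidden stream, honour its length prefix, RC4-decrypt the body."""
    stream = lsb_stream(channels)
    (n,) = struct.unpack(">I", stream[:4])
    return rc4(key, stream[4:4 + n])

def embed_fixture(payload: bytes, key: bytes, n_channels: int) -> bytes:
    """Constructed test cover (no real image): hide payload in even-valued channels."""
    body = struct.pack(">I", len(payload)) + rc4(key, payload)
    bits = [(byte >> (7 - i)) & 1 for byte in body for i in range(8)]
    assert len(bits) <= n_channels, "cover too small for payload"
    cover = [(37 * k + 11) & 0xFE for k in range(n_channels)]
    return bytes(v | (bits[k] if k < len(bits) else 0) for k, v in enumerate(cover))

FAKE_KEY = b"constructed-key"                                   # hypothetical key
FAKE_MODULE = b"MZ" + b"\x90" * 30 + b"constructed, not a real module"
FIXTURE = embed_fixture(FAKE_MODULE, FAKE_KEY, 64 * 64 * 3)     # 64x64 RGB cover
```

A recovered blob that starts with `MZ` is the cue to hand it to a PE parser; nothing here touches the disk, matching the in-memory behaviour the article describes.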
Once the main module comes into play, the deployment module is terminated. The malware then starts communicating with its command and control (C&C) server and waits for instructions from the cybercriminals. Communications between Stegoloader and its C&C server are encrypted, researchers noted.
The operators can instruct the malware to collect information such as system details, a list of applications installed on the infected system, and browser history from Chrome, Firefox and Internet Explorer. Stegoloader can also be ordered to sleep, stop execution, and execute shellcode.
If the information collected by the malware matches certain criteria, the cybercrooks can deploy additional modules that allow them to carry out various tasks. For example, they can install a module that enables them to steal Interactive Disassembler (IDA) instances, a module that lists recently opened documents, and one that determines the host’s geographic location.
Stegoloader operators can also deploy a Pony module. This module, which uses the Pony Loader information-stealing malware, allows attackers to harvest passwords from various applications.
In some cases, cybercriminals have been spotted installing Vundo malware (Ponmocup), which displays ads and installs additional threats, on systems infected with Stegoloader. Experts believe Vundo is utilized for additional monetary profit.
According to Dell SecureWorks, Stegoloader has infected devices in healthcare, education, manufacturing and other sectors. Despite having highly efficient information-stealing capabilities, the malware has not been spotted by researchers in targeted attacks.
