U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware

North American healthcare organizations appear to be getting hit the hardest by the Stegoloader Trojan making headlines recently.

According to Trend Micro, most of the infections during the past three months occurred in the United States (66.82 percent), Chile (9.1 percent), Malaysia (3.32 percent), Norway (2.09 percent) and France (1.71 percent).

The malware, which became active a few years ago, uses steganography techniques to hide its components in .PNG files. The technique has also been used by threats such as the Neverquest Trojan. In the case of Stegoloader, the PNG image and the decrypted code are not saved to the disk, and the malware’s main module exists in a memory area allocated specifically for this purpose.
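The article does not say how Stegoloader's components are encoded inside the PNG, so the following is not the malware's method and not Trend Micro's code. It is an added defender-side triage check, assuming only the public PNG container format: it walks the chunk list of a file, verifies each CRC, and reports the places where bytes that are not pixel data can ride along in an image that still renders correctly (data appended after IEND, non-standard or oversized ancillary chunks, and an IDAT stream that decompresses to more bytes than the declared dimensions need). The sample PNGs are constructed in memory, not real samples.

```python
"""Structural triage of PNG files (added example, not from the article)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (ISO/IEC 15948).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel
ANCILLARY_LIMIT = 4096  # assumed threshold; metadata chunks above it are flagged


def make_chunk(ctype, data):
    """Build one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width=2, height=2, extra_chunks=(), trailer=b"", idat_padding=b""):
    """Constructed 8-bit RGB PNG used as sample input (not a real malware sample).
    extra_chunks, trailer and idat_padding let the caller plant anomalies."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = None) followed by width*3 RGB bytes.
    raw = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))
    chunks = [make_chunk(b"IHDR", ihdr),
              make_chunk(b"IDAT", zlib.compress(raw + idat_padding))]
    chunks += [make_chunk(t, d) for t, d in extra_chunks]
    chunks.append(make_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks) + trailer


def check_idat(ihdr, idat):
    """Decompress the concatenated IDAT stream and compare its size with what
    the header implies; surplus bytes cannot be pixels."""
    if len(ihdr) != 13:
        return ["IHDR has wrong length"]
    width, height, depth, color = struct.unpack(">IIBB", ihdr[:10])
    if ihdr[12] or color not in CHANNELS:
        return []  # Adam7 interlacing and invalid colour types are out of scope
    expected = height * (1 + (width * CHANNELS[color] * depth + 7) // 8)
    d = zlib.decompressobj()
    try:
        raw = d.decompress(idat) + d.flush()
    except zlib.error:
        return ["IDAT is not a valid zlib stream"]
    out = []
    if len(raw) != expected:
        out.append(f"IDAT decompresses to {len(raw)} bytes, expected {expected}")
    if d.unused_data:
        out.append(f"{len(d.unused_data)} bytes after end of zlib stream in IDAT")
    return out


def inspect_png(blob):
    """Return a list of anomaly strings; an empty list means structurally clean."""
    if not blob.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    findings, pos, ihdr, idat, saw_iend = [], len(PNG_SIGNATURE), None, b"", False
    while pos + 12 <= len(blob) and not saw_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        name, end = ctype.decode("latin-1"), pos + 8 + length
        if end + 4 > len(blob):
            findings.append(f"truncated chunk {name}")
            break
        data = blob[pos + 8:end]
        (stored_crc,) = struct.unpack(">I", blob[end:end + 4])
        if stored_crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            findings.append(f"CRC mismatch in {name}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {name} ({length} bytes)")
        elif ctype[0] & 0x20 and length > ANCILLARY_LIMIT:  # lowercase = ancillary
            findings.append(f"oversized ancillary chunk {name} ({length} bytes)")
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            saw_iend = True
        pos = end + 4
    if not saw_iend:
        findings.append("no IEND chunk")
    elif pos < len(blob):
        findings.append(f"{len(blob) - pos} trailing bytes after IEND")
    if ihdr is not None:
        findings += check_idat(ihdr, idat)
    return findings


if __name__ == "__main__":
    samples = [("clean", make_png()),
               ("trailer", make_png(trailer=b"\x00" * 32)),
               ("extra chunk", make_png(extra_chunks=[(b"cUsT", b"\x00" * 16)])),
               ("idat surplus", make_png(idat_padding=b"\x00" * 40))]
    for label, sample in samples:
        print(label, inspect_png(sample) or ["clean"])
```

A hit from this check is a reason to look closer, not proof of anything: legitimate tools write private chunks and some encoders leave slack in IDAT. Its value is as a cheap filter over image files pulled from proxy logs or sandbox runs, since a payload carrier that is decoded only in memory leaves few other artefacts on disk.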

“There have been recent successful breaches exposing millions of customer files of healthcare organizations like Anthem and Premera Blue Cross,” blogged Homer Pacag, threat response engineer at Trend Micro. “Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future.”

According to Trend Micro, the technique of embedding malicious code in image files to evade detection will continue to gain popularity among attackers, and the reemergence of the Trojan and its focus on certain regions and industries shows cybercriminals are continually experimenting with different uses of steganography for spreading threats.

“When we first blogged about the malware in January 2014, the TROJ_GATAK.FCK variant was bundled with key generators for various applications and FAKEAV is its final payload,” Pacag noted. “The final payload for the three recent samples of the malware, TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP are under analysis.”

“Note that the routines from variants of past years remain the same,” the researcher continued. “The malware is downloaded from the Internet by users who believe it to be key generators or keygens. Once downloaded, it poses as a legitimate file related to Skype or Google Talk. It eventually downloads the stock photo where a huge part of its routines is embedded. The following are samples of photos used by the malware to embed malicious components.”

The malware also has anti-virtual machine and anti-emulation capabilities to thwart analysis.

“Past attacks using steganography have been noted to use interesting but seemingly harmful sunset and cat photos to target online bank accounts,” Pacag blogged. “Although the technique of using photos is quite old, its ability to help cybercriminals and threat actors evade detection remains a strong reason for its continuous use in the wild.”