
U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware

North American healthcare organizations appear to be getting hit the hardest by the Stegoloader Trojan making headlines recently.

According to Trend Micro, most of the infections during the past three months occurred in the United States (66.82 percent), Chile (9.1 percent), Malaysia (3.32 percent), Norway (2.09 percent) and France (1.71 percent).

The malware, which became active a few years ago, uses steganography to hide its components inside .PNG image files, a technique also used by threats such as the Neverquest Trojan. In Stegoloader’s case, neither the PNG image nor the decrypted code is written to disk: the malware’s main module lives only in a memory region allocated specifically for that purpose.
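The article does not say how Stegoloader embeds its code in the image, so no detection can be built from the text alone. What a defender can do as a first triage step is check whether a PNG carries data a renderer would never display: bytes after the IEND chunk, chunk types the specification does not define, or chunks whose CRC does not match their contents. The following script is an added example written for this article, not code from Trend Micro or the original post; it walks the PNG chunk structure and reports those anomalies. The sample images it inspects are constructed inline (a 1x1 pixel PNG with and without planted extras), and it assumes nothing about the real malware. It would not catch a payload hidden at the pixel level (for example in low-order colour bits), which is the caveat to keep in mind when reading an empty result.

```python
"""Structural triage of PNG files: flag data a normal image viewer would ignore."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types registered in the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def _chunk(ctype, body):
    """Serialise one PNG chunk: 4-byte length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(extra_chunks=(), trailer=b""):
    """Constructed 1x1 RGB PNG used as test input (not a real malware sample).

    extra_chunks: iterable of (type, body) pairs planted before IDAT.
    trailer:      bytes appended after the IEND chunk.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")       # filter byte + one red pixel
    chunks = [_chunk(b"IHDR", ihdr)]
    chunks += [_chunk(t, b) for t, b in extra_chunks]
    chunks += [_chunk(b"IDAT", idat), _chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks) + trailer


def inspect_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            findings.append("file ends before IEND chunk")
            return findings
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 8 + length + 4                          # body plus 4-byte CRC
        if end > len(data):
            findings.append(f"truncated chunk {name}")
            return findings
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if stored_crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in chunk {name}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unregistered chunk {name} ({length} bytes)")
        pos = end
        if ctype == b"IEND":
            break
    trailing = len(data) - pos
    if trailing:
        findings.append(f"{trailing} bytes after IEND")
    return findings


if __name__ == "__main__":
    samples = {
        "clean": build_sample_png(),
        "trailer": build_sample_png(trailer=b"\x00" * 300),
        "private chunk": build_sample_png(extra_chunks=[(b"prVt", b"\x00" * 64)]),
    }
    for label, png in samples.items():
        print(f"{label}: {inspect_png(png) or 'no findings'}")
```

Run it against a directory of images by replacing the constructed samples with `open(path, "rb").read()`; a non-empty finding list is a reason to look closer, not proof of infection, since legitimate tools also write private chunks and some files are simply truncated.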

“There have been recent successful breaches exposing millions of customer files of healthcare organizations like Anthem and Premera Blue Cross,” blogged Homer Pacag, threat response engineer at Trend Micro. “Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future.”

According to Trend Micro, the technique of embedding malicious code in image files to evade detection will continue to gain popularity among attackers, and the reemergence of the Trojan and its focus on certain regions and industries shows cybercriminals are continually experimenting with different uses of steganography for spreading threats.

“When we first blogged about the malware in January 2014, the TROJ_GATAK.FCK variant was bundled with key generators for various applications and FAKEAV is its final payload,” Pacag noted. “The final payloads for the three recent samples of the malware, TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP, are under analysis.”

“Note that the routines from variants of past years remain the same,” the researcher continued. “The malware is downloaded from the Internet by users who believe it to be key generators or keygens. Once downloaded, it poses as a legitimate file related to Skype or Google Talk. It eventually downloads the stock photo where a huge part of its routines is embedded. The following are samples of photos used by the malware to embed malicious components.”

The malware also has anti-virtual machine and anti-emulation capabilities to thwart analysis.

“Past attacks using steganography have been noted to use interesting but seemingly harmful sunset and cat photos to target online bank accounts,” Pacag blogged. “Although the technique of using photos is quite old, its ability to help cybercriminals and threat actors evade detection remains a strong reason for its continuous use in the wild.”

Written By

Marketing professional with a background in journalism and a focus on IT security.