U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware

North American healthcare organizations appear to be getting hit the hardest by the Stegoloader Trojan making headlines recently.

According to Trend Micro, most of the infections during the past three months occurred in the United States (66.82 percent), Chile (9.1 percent), Malaysia (3.32 percent), Norway (2.09 percent) and France (1.71 percent).

The malware, which first surfaced a few years ago, uses steganography to hide its components inside .PNG image files, a technique also used by threats such as the Neverquest Trojan. In Stegoloader's case, neither the downloaded PNG nor the code decrypted from it is ever written to disk: the malware's main module runs only from a memory region allocated specifically for that purpose, which denies file-based scanners an artifact to inspect.
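To make the mechanism described above concrete, here is an added, self-contained Python example. It is not Stegoloader code and does not come from Trend Micro's analysis: it hides a length-prefixed payload in the least-significant bits of a PNG's pixel bytes, then parses the PNG chunk stream straight back from memory and recovers the payload without writing either the image or the decoded bytes to disk. The LSB encoding, the flat-colour carrier and the placeholder payload are all assumptions made for the demonstration; the article does not state which encoding Stegoloader uses.

```python
import struct
import zlib

# Constructed carrier: a 16x16 solid-colour RGB image standing in for the stock photo
# the article describes. Every channel value is even, so every LSB starts at 0.
WIDTH, HEIGHT = 16, 16
CARRIER_PIXELS = bytes([200, 150, 100]) * (WIDTH * HEIGHT)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """One PNG chunk: big-endian length, 4-byte tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def encode_png(pixels: bytes, width: int, height: int) -> bytes:
    """Serialize raw RGB bytes as an 8-bit truecolour PNG using filter type 0 on every row."""
    stride = width * 3
    rows = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def decode_png(png: bytes):
    """Walk the chunk stream, verify each CRC, inflate IDAT and strip the per-row filter byte.
    Only the unfiltered 8-bit RGB layout produced by encode_png is handled (an assumption)."""
    if png[:8] != PNG_MAGIC:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, None, None, b""
    while pos + 12 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        tag, body = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        if crc != zlib.crc32(tag + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r chunk" % tag)
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is supported here")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3
    pixels = bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("row filter types other than 0 are not handled")
        pixels += row[1:]
    return width, height, bytes(pixels)


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus the payload into the LSB of successive pixel bytes."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Read the LSBs back: the first 32 bits give the length, the rest the payload."""
    def read_bytes(bit_offset: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[bit_offset + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)
    length = struct.unpack(">I", read_bytes(0, 4))[0]
    if 32 + length * 8 > len(pixels):
        raise ValueError("declared length exceeds carrier")
    return read_bytes(32, length)


def lsb_ones_ratio(pixels: bytes) -> float:
    """Fraction of pixel bytes with LSB set; a crude stego indicator that is only useful
    against a carrier whose LSB plane is known to be uniform (a real photo is already near 0.5)."""
    return sum(b & 1 for b in pixels) / len(pixels)


def roundtrip(payload: bytes) -> bytes:
    """Embed, serialise to PNG bytes, parse those bytes straight back from memory and extract.
    Nothing is written to disk, mirroring the in-memory staging the article describes."""
    stego_png = encode_png(embed(CARRIER_PIXELS, payload), WIDTH, HEIGHT)
    _, _, pixels = decode_png(stego_png)
    return extract(pixels)


if __name__ == "__main__":
    module = b"MZ\x90\x00 placeholder for a hidden module (constructed, not real malware)"
    print(roundtrip(module) == module)
    print(lsb_ones_ratio(CARRIER_PIXELS), lsb_ones_ratio(embed(CARRIER_PIXELS, module)))
```

The stego image is a fully valid PNG with correct CRCs, which is why an image-aware scanner sees nothing wrong with it; `lsb_ones_ratio` shows that the embedding is only statistically visible against a carrier whose LSB plane was uniform to begin with, which is one reason attackers pick noisy stock photographs rather than flat graphics.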

“There have been recent successful breaches exposing millions of customer files of healthcare organizations like Anthem and Premera Blue Cross,” blogged Homer Pacag, threat response engineer at Trend Micro. “Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future.”

According to Trend Micro, the technique of embedding malicious code in image files to evade detection will continue to gain popularity among attackers, and the reemergence of the Trojan and its focus on certain regions and industries shows cybercriminals are continually experimenting with different uses of steganography for spreading threats.

“When we first blogged about the malware in January 2014, the TROJ_GATAK.FCK variant was bundled with key generators for various applications and FAKEAV is its final payload,” Pacag noted. “The final payload for the three recent samples of the malware, TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP are under analysis.”

“Note that the routines from variants of past years remain the same,” the researcher continued. “The malware is downloaded from the Internet by users who believe it to be key generators or keygens. Once downloaded, it poses as a legitimate file related to Skype or Google Talk. It eventually downloads the stock photo where a huge part of its routines is embedded. The following are samples of photos used by the malware to embed malicious components.”

The malware also has anti-virtual machine and anti-emulation capabilities to thwart analysis.

“Past attacks using steganography have been noted to use interesting but seemingly harmful sunset and cat photos to target online bank accounts,” Pacag blogged. “Although the technique of using photos is quite old, its ability to help cybercriminals and threat actors evade detection remains a strong reason for its continuous use in the wild.”
