The Dell SecureWorks CTU research team has recently analyzed a piece of malware that uses digital steganography to hide part of its malicious code. Stegoloader, as they dubbed it, is not technically new. Previous versions of the malware have been spotted in 20, bundled with tools used to crack or generate software keys.

The researchers didn’t share how the initial deployment module of the malware arrives on victims’ computers this time around, but noted that it has not been observed being used with exploits or spearphishing, or in other targeted attacks. They also noted that it has affected multiple verticals, including healthcare, education, and manufacturing.

Stegoloader’s main purpose is to steal information from users, but it has a modular design, and the researchers themselves say that they might not have yet seen and analyzed all of its modules.

“Stegoloader’s modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis. This limited exposure makes it difficult to fully assess the threat actors’ intent,” they explained.

The malware’s deployment module downloads and launches the main module, but not before attempting to make sure it is not running in an environment used by malware analysts. To do that, it lists the running processes on the system and looks for a number of popular security products and reverse-engineering tools. Only if it doesn’t find any of them does it download the main module, which is hidden in a generic PNG image hosted on a legitimate website.

“After downloading the image, Stegoloader uses the gdiplus library to decompress the image, access each pixel, and extract the least significant bit from the color of each pixel. The extracted data stream is decrypted using the RC4 algorithm and a hard-coded key,” the researchers explained. “Neither the PNG image nor the decrypted code is saved to disk, making the malware difficult to find via traditional disk-based signature analysis.”

The main module’s communication with its C&C server is encrypted.
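The LSB extraction and RC4 decryption described above, reproduced as an analyst-side recovery routine (an added example, not Stegoloader's code or SecureWorks' tooling). The pixel data, the payload and the RC4 key are constructed for the demo; the real hard-coded key is not given on the page.

```python
# Added illustration of the decoding step the researchers describe: take the
# least significant bit of every colour channel of every pixel, pack the bits
# into bytes, and RC4-decrypt the stream. Pixels are plain (R, G, B) tuples so
# the example runs offline without an image library.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def extract_lsb_stream(pixels, nbytes: int) -> bytes:
    """Collect the LSB of each channel (R, G, B order), MSB-first, into nbytes bytes."""
    bits = (channel & 1 for px in pixels for channel in px)
    out = bytearray()
    for _ in range(nbytes):
        value = 0
        for _ in range(8):
            value = (value << 1) | next(bits)
        out.append(value)
    return bytes(out)

def embed_lsb_stream(pixels, payload: bytes):
    """Builds the constructed test carrier: overwrite channel LSBs with payload bits."""
    bits = [(b >> k) & 1 for b in payload for k in range(7, -1, -1)]
    flat = [c for px in pixels for c in px]
    for idx, bit in enumerate(bits):
        flat[idx] = (flat[idx] & ~1) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def recover_hidden_module(pixels, key: bytes, length: int) -> bytes:
    """Analyst-side recovery: LSB stream -> RC4 decrypt -> plaintext bytes (never written to disk)."""
    return rc4(key, extract_lsb_stream(pixels, length))

# Constructed 64-pixel cover (192 channel bits = 24 bytes of capacity), placeholder key
# and a harmless stand-in payload; none of these values come from a real sample.
COVER = [(120 + (i % 5), 130 + (i % 7), 140 + (i % 3)) for i in range(64)]
KEY = b"placeholder-key"
HIDDEN = b"MZ demo payload"
STEGO = embed_lsb_stream(COVER, rc4(KEY, HIDDEN))
```

Because only the lowest bit of each channel changes, the stego image is visually identical to the cover, which is why disk-based signatures on the PNG itself are a weak detection; the process-listing step and the in-memory module are the observable behaviour.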