New Malware Found Hiding Inside Image Files

Published: 22/11/2024   Category: security




Dell SecureWorks CTU researchers say Stegoloader is third example in a year of malware using digital steganography as a detection countermeasure.



Researchers with Dell SecureWorks Counter Threat Unit (CTU) this week detailed the kind of Spy-vs.-Spy countermeasures malware authors come up with to evade detection in a new report on a little-known malware family it calls Stegoloader. Targeting organizations in healthcare, education, and manufacturing, Stegoloader uses digital steganography to hide malicious code inside a PNG image file downloaded from a legitimate website.
A longtime spycraft technique, digital steganography is a method of concealing secret information within seemingly non-descript, non-secret files. Malware authors may be taking a shine to it because it is a relatively simple but effective way to circumvent tools like intrusion detection and prevention systems. Last year, CTU researchers unveiled at BlackHat evidence that the Lurk downloader was one of the first families of malware to use true digital steganography as a countermeasure.
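As an added illustration (this is not code from the CTU report, and the article does not describe Stegoloader's actual encoding, so the script shows the generic least-significant-bit technique rather than the malware's format), the following Python demonstrates why a payload hidden this way survives a lossless PNG download unchanged, and one statistical check a defender can apply to the image itself: a simplified pairs-of-values test, which flags an image whose (2k, 2k+1) pixel-value counts have been evened out by LSB overwriting. The 64x64 posterised cover image, the random payload and all function names are constructed assumptions.

```python
import random
import struct
import zlib

# Constructed cover: a 64x64 8-bit grayscale image posterised to multiples of 4,
# so the clean image's LSB plane is all zero. This is an extreme, deterministic
# stand-in for the uneven LSB statistics of real photographs (assumption).
WIDTH = HEIGHT = 64

# Constructed payload standing in for a compressed/encrypted module (assumption).
_rng = random.Random(2024)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(404))


def make_cover():
    """Pixel values cycle 0, 4, 8, ..., 252 across the image."""
    return [(i % 64) * 4 for i in range(WIDTH * HEIGHT)]


def embed_lsb(pixels, payload):
    """Return a copy of pixels whose LSBs carry a 4-byte length prefix + payload."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in cover image")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # overwrite only the lowest bit
    return out


def extract_lsb(pixels):
    """Read the length prefix, then that many bytes, from the LSB plane."""
    def read_bytes(start, count):
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (pixels[start + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)


def pair_imbalance(pixels):
    """Mean of |n(2k) - n(2k+1)| / (n(2k) + n(2k+1)) over occupied value pairs.

    Natural images keep these pairs uneven; LSB embedding of random-looking
    data pushes each pair toward equality, so the score drops toward 0.
    """
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    scores = []
    for k in range(128):
        a, b = counts[2 * k], counts[2 * k + 1]
        if a + b:
            scores.append(abs(a - b) / (a + b))
    return sum(scores) / len(scores)


def looks_like_lsb_stego(pixels, threshold=0.5):
    """Heuristic verdict; the threshold is an assumption tuned to this toy cover."""
    return pair_imbalance(pixels) < threshold


def write_png_gray(path, width, height, pixels):
    """Write an 8-bit grayscale PNG (filter type 0). PNG is lossless, so the
    LSBs come back bit-for-bit after download, which is what makes the
    technique usable for carrying code."""
    raw = b"".join(b"\x00" + bytes(pixels[y * width:(y + 1) * width])
                   for y in range(height))

    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    png = (b"\x89PNG\r\n\x1a\n"
           + chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0))
           + chunk(b"IDAT", zlib.compress(raw))
           + chunk(b"IEND", b""))
    with open(path, "wb") as f:
        f.write(png)


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, PAYLOAD)
    print("clean image pair imbalance:", round(pair_imbalance(cover), 3))
    print("stego image pair imbalance:", round(pair_imbalance(stego), 3))
    print("payload recovered intact:", extract_lsb(stego) == PAYLOAD)
    write_png_gray("stego_demo.png", WIDTH, HEIGHT, stego)
```

The point for detection engineering is the gap between the two scores: a signature scanner sees a valid, innocuous PNG in both cases, while the value-pair statistics change noticeably once the LSB plane carries foreign data. On real photographs the clean-image score is far lower than 1.0 and the threshold must be calibrated per image source, so this check is a triage signal rather than a verdict.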
At the end of 2014, CTU researchers also observed the Neverquest version of the Gozi trojan using this technology to hide information on its backup command and control (C2) server, CTU researchers wrote.
Now, with the discovery of Stegoloader, they're wondering if this may be the early sign of a trend toward digital steganography as a malware countermeasure.
Stegoloader is the third malware family that CTU researchers have observed using digital steganography, the researchers said. This technique might be a new trend because malware authors need to adapt to improved detection mechanisms.
Of course, the use of steganography is just one of the techniques this malware uses to evade detection. Stegoloader's authors wrote it with a modular design.
"Stegoloader's modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis," the researchers wrote. "This limited exposure makes it difficult to fully assess the threat actor's intent."
Some of the modules used are a geographic localization module that gathers information on the compromised system's IP address, a browsing-history module, a password-stealing module, and even a module designed to steal instances of IDA, software used by malware analysts and reverse engineers to analyze malicious software, if Stegoloader detects it on the compromised system. Additionally, the main module of the malware is not persistent, and before deploying other modules it checks for indications that it is running in an analysis environment.
"For example, the deployment module monitors mouse cursor movements by making multiple calls to the GetCursorPos function," the report said. "If the mouse always changes position, or if it does not change position, the malware terminates without exhibiting any malicious activity."
As of now, the malware looks to be an opportunistic information-stealer and hasn't been observed using exploits or spearphishing, so the researchers say it's more likely a mass-market commodity malware family than one used in targeted attacks.