It is only natural for malware to hide somewhere that makes it hard for would-be victims to notice it. And nowhere is malware more difficult to detect than in images you believe are safe but that actually carry malicious code.
Security researchers at Dell SecureWorks have uncovered the Stegoloader malware lurking in a huge number of images by means of digital steganography, a technique attackers use to conceal executable code inside a message or image. The attacker's code then extracts and runs the hidden payload once it has passed a series of security checks.
The group that developed and spread the Stegoloader malware has been hiding its information-stealing code mostly in PNG files, which means a large volume of PNG images hosted on several legitimate websites could contain the malware.
Although there is no proof yet that the malware has been used in targeted attacks, its capacity to steal information is real. What Dell researchers did find is that most of the victims of this malware are in the education, health care and industry sectors.
The propagation method used in this form of attack comes into play when a user downloads pirated software. It is also possible for an attacker to launch additional modules to spread the malware even further after gaining a foothold on a network.
After stealing data from a victim, the malware goes on to load further modules that the attacker uses to reach documents the user previously opened and software recently installed. It can also harvest other data, such as browsing history and other important files you may never know were stolen.
The malware is designed to check that it is operating in an environment free of security analysis, and only then does it deploy the additional modules. If the deployment module detects running security software, by matching hard-coded strings belonging to security vendors, the malware will not execute.
When the malware does run, it connects to a server and encrypts the communication before downloading the PNG file that contains the malicious code.
It is also hard to find the malware because neither the PNG file nor the decrypted code is ever saved to disk, so not even the most robust signature-based scanner can locate it.
The Stegoloader malware is also said to be associated with pop-up ads, scareware and ransomware.