Most victims of the Stegoloader Trojan, which has recently been making its rounds in the news, are observed to come from healthcare organizations in North America. The malware known as TROJ_GATAK has been active since 2012 and uses steganography techniques to hide components in .PNG files.
Looking at recent victims of the Stegoloader malware, we observed that majority of the infected machines counted for the last three months came from the United States (66.82%), followed by Chile (9.10%), Malaysia (3.32%), Norway (2.09%), and France (1.71%).
In the same duration, we saw that the most affected organizations came from the healthcare, financial, and manufacturing industries.
Figure 1. TROJ_GATAK infection count per industry in the last three months
Notably, all healthcare organizations affected by the malware came from the North American region. Trend Micro researchers are currently looking into how cybercriminals can use this for organized attacks, although evidences are yet to be found.
There have been recent successful breaches exposing millions of customer files of healthcare organizations like Anthem and Premera Blue Cross. Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future.
Steganography, a Picture of Spying
In a previous article on steganography and malware, we noted how the technique of embedding malicious code in image files to evade detection will only become more popular especially among the more industrious malware groups out there.
The reemergence of TROJ_GATAK and its apparent focus on certain regions and industries show that cybercriminals continually experiment with the creative uses of steganography for spreading threats.
Note that the routines from variants of past years remain the same. The malware is downloaded from the Internet by users who believe it to be key generators or keygens. Once downloaded, it poses as a legitimate file related to Skype or Google Talk. It eventually downloads the stock photo where a huge part of its routines is embedded. The following are samples of photos used by the malware to embed malicious components:
Figure 2. Sample images downloaded by TROJ_GATAK
The malware has anti-Vm and anti-emulation capabilities, allowing it to avoid analysis.
Past attacks using steganography have been noted to use interesting but seemingly harmful sunset and cat photos to target online bank accounts. Although the technique of using photos quite old, its ability to help cybercriminals and threat actors evade detection remain a strong reason for its continuous use in the wild.
Here are the SHA1 hashes related to the malware reported above:
You can read more about steganography in the following posts:
- Steganography Part 1: Why and How
- Steganography Part 2: Concealing Code and C&C Traffic
- Steganography Part 3: Final Thoughts
Update as of June 29, 2015, 12:32A.M. PDT (UTC-7):
The following keyloggers (detected as TROJ_DROPPER.GTK) are confirmed related to this attack:
- CompuApps_SwissKnife_Premium_v3_37_keygen.exe (790528 bytes)
- DigiEffects_Suite_AEX_v3_0_0_CE_64_bit_keygen.exe (865842 bytes)
We also added hashes for TROJ_GATAK.SMP above.