Back in 2013 a new form of malware was discovered that, like other information stealers, harvests data from the system on which it is installed. What sets this variant apart is that it hides its malicious code inside PNG image files, which look innocuous to users and to security tools. The malware has recently resurfaced, and healthcare providers are being targeted.
Risk of Malware Transmission via PNG Images
The Trojan relies on a technique called digital steganography. The word has Greek origins and roughly translates as “covered writing”. The technique lets attackers hide bytes of code within the pixel data of an image, or within another part of the file such as its header or metadata, while the image still opens and displays normally.
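To make the technique concrete, the following is an added example (not code from the article and not Stegoloader's own extraction routine, which the article does not describe). It hides a payload in the least-significant bit of each colour channel of an RGB image, writes the result as a valid PNG, reads the PNG back and recovers the payload. The tiny PNG writer and reader are assumptions made to keep the example dependency-free: they handle only 8-bit truecolor images with no row filtering, which is enough to show why a scanner that merely validates the image format learns nothing.

```python
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    body = kind + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode raw RGB bytes (width*height*3) as an 8-bit truecolor PNG (filter type 0 on every row)."""
    if len(rgb) != width * height * 3:
        raise ValueError("rgb buffer does not match width*height*3")
    raw = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(png: bytes):
    """Decode a PNG produced by write_png; return (width, height, rgb). Verifies every chunk CRC."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos, idat, width, height = 8, b"", None, None
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        kind = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(kind + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % kind)
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB is supported by this toy decoder")
        elif kind == b"IDAT":
            idat += data
        elif kind == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3 + 1  # one filter byte per row, then width*3 channel bytes
    rows = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is supported by this toy decoder")
        rows.append(row[1:])
    return width, height, b"".join(rows)


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive channel bytes with the bits of (4-byte length || payload)."""
    message = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # changes each byte by at most 1, invisible to the eye
    return bytes(out)


def extract_lsb(rgb: bytes) -> bytes:
    """Recover the payload written by embed_lsb, refusing lengths that exceed the image."""
    def bits_to_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for k in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (rgb[start_bit + k * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    (length,) = struct.unpack(">I", bits_to_bytes(0, 4))
    if 32 + length * 8 > len(rgb):
        raise ValueError("declared payload length exceeds image capacity")
    return bits_to_bytes(32, length)


def demo():
    """Hide a constructed payload in a constructed 64x64 noise image and get it back from the PNG bytes."""
    rng = random.Random(1)
    width, height = 64, 64
    cover = bytes(rng.randrange(256) for _ in range(width * height * 3))  # constructed cover image
    payload = b"MZ\x90\x00 hypothetical loader stage"                    # constructed, not real code
    stego_png = write_png(width, height, embed_lsb(cover, payload))
    _, _, pixels = read_png(stego_png)  # the file is a perfectly valid PNG
    changed_bytes = sum(1 for a, b in zip(cover, pixels) if a != b)
    return extract_lsb(pixels) == payload, changed_bytes, len(stego_png)


if __name__ == "__main__":
    print(demo())
```

Two things follow from the example. First, every chunk CRC still validates and the image still renders, so format validation and image-preview sandboxes give no signal; the only on-disk artefact that is actually malicious is the extractor, which is why hunting should focus on the process that reads image files and then executes what it decoded, rather than on the images. Second, the modification touches at most one bit per channel byte, so visual comparison against the original cover is useless unless a defender already has that original.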
The Danger of the Stegoloader Trojan
The Stegoloader Trojan family is also detected under the names Win32/Gatak.DR and TSPY_GATAK.GTK, according to Dell SecureWorks. The latest variants identified by Trend Micro are TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP.
These three variants are most commonly picked up from file-sharing websites, in particular alongside pirated software and games that require a licence key before they can be used. When such packages are shared on P2P sites they often include a key generator (a “keygen”) that produces the key.
When the keygen is run it does generate a key, but it also installs the malware. Once installed, the malware hides in a directory belonging to a commonly used program, such as Skype, and then downloads a PNG image into that directory. The image is a fully functional picture that opens normally, but hidden within its data is the code that, once extracted and run, steals usernames, passwords and files from the host computer.
The malware includes a number of features that make it hard for anti-virus and anti-malware programs to identify. Different modules with different functions can be attached, each changing the signature and further complicating detection.
While it is running, the malware deploys only the modules it needs, one at a time, so a single module is active at any given moment. This keeps its footprint small and makes it particularly difficult to identify while it is operating.
Trend Micro Identifies Surge in Stegoloader Activity
Trend Micro noticed a significant increase in the number of Stegoloader Trojan attacks in the past three months, and the attacks appeared to be concentrated on healthcare providers, which account for over 42% of infections.
The malware is now a global phenomenon, but 66% of attacks in the past three months were on U.S. companies. Among the remaining countries affected, the largest shares were Chile (9.10%), Malaysia (3.32%), Norway (2.09%), and France (1.71%).
According to Trend Micro, “There have been recent successful breaches exposing millions of customer files of healthcare organizations like Anthem and Premera Blue Cross. Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future.”
Both Trend Micro and Dell believe this method of malware transmission and infection is likely to become even more prevalent in the future, given the ease with which attackers can get the malware installed and the difficulty of detecting it once it is in place.