Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

June 17, 2015

Stegoloader: A Stealthy Information Stealer [TMs and Steganography, too]

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:00 pm

Stegoloader: A Stealthy Information Stealer by Dell SecureWorks Counter Threat Unit™ Threat Intelligence.

Summary:

Malware authors are evolving their techniques to evade network and host-based detection mechanisms. Stegoloader could represent an emerging trend in malware: the use of digital steganography to hide malicious code. The Stegoloader malware family (also known as Win32/Gatak.DR and TSPY_GATAK.GTK despite not sharing any similarities with the Gataka banking trojan) was first identified at the end of 2013 and has attracted little public attention. Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers have analyzed multiple variants of this malware, which stealthily steals information from compromised systems. Stegoloader’s modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis. This limited exposure makes it difficult to fully assess the threat actors’ intent. The modules analyzed by CTU researchers list recently accessed documents, enumerate installed programs, list recently visited websites, steal passwords, and steal installation files for the IDA tool.

A bit more of the analysis from the post:

Stegoloader’s deployment module downloads and launches the main module; it does not have persistence. Before deploying other modules, the malware checks that it is not running in an analysis environment. For example, the deployment module monitors mouse cursor movements by making multiple calls to the GetCursorPos function. If the mouse always changes position, or if it does not change position, the malware terminates without exhibiting any malicious activity.

In another effort to slow down static analysis, most of the strings found in the binary are constructed on the program stack before being used. This standard malware technique ensures that strings are not stored in clear text inside the malware body but rather are constructed dynamically, complicating detection and analysis.

Before executing its main function, Stegoloader lists the running processes on the system and terminates if a process name contains one of the strings in Table 1. Most of the strings represent security products or tools used for reverse engineering. Stegoloader does not execute its main program code if it detects analysis or security tools on the system.

Pay particular attention to the use of “standard malware” in this and other posts. You won’t impress your management or other IT folks by proclaiming a vulnerability to be “zero-day” or “state enterprise malware,” only to find that it is a standard technique of hackers everywhere.
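The "strings constructed on the program stack" technique quoted above is also standard fare for analysts to undo: because the builder is a run of immediate stores to fixed stack offsets, a scanner can collect those stores and read the string back out of the static bytes without running the sample. The following Python is an added example written for this post, not code from the CTU report or from Stegoloader; it recognises two common 32-bit x86 encodings (`mov byte ptr [ebp+disp8], imm8` and `mov dword ptr [ebp+disp8], imm32`), and the sample code bytes it scans are constructed here for illustration, with "kernel32" and "ollydbg" chosen as plausible stand-ins for the kind of strings such a check would build.

```python
"""Recover stack-constructed strings from raw 32-bit x86 code bytes.

Heuristic: a stack-string builder is a run of immediate stores to
ebp-relative slots, typically
    mov byte  ptr [ebp+disp8], imm8    -> C6 45 <disp8> <imm8>
    mov dword ptr [ebp+disp8], imm32   -> C7 45 <disp8> <imm32>
Collect each run, order the writes by stack offset, and keep the
printable text they spell. (Added example; not from the CTU report.)
"""
import struct
from typing import List, Optional, Tuple

MIN_LEN = 4  # drop recovered pieces shorter than this to limit false positives


def _decode_store(code: bytes, i: int) -> Optional[Tuple[int, int, bytes]]:
    """Return (insn_len, disp, data) if code[i:] is an ebp-relative immediate store."""
    if code[i:i + 2] == b"\xC6\x45" and i + 4 <= len(code):
        disp = struct.unpack_from("<b", code, i + 2)[0]   # signed disp8
        return 4, disp, code[i + 3:i + 4]                 # one byte stored
    if code[i:i + 2] == b"\xC7\x45" and i + 7 <= len(code):
        disp = struct.unpack_from("<b", code, i + 2)[0]
        # imm32 is little-endian in the instruction and lands in memory in the
        # same byte order, so the raw bytes are already the stored text
        return 7, disp, code[i + 3:i + 7]
    return None


def _flush(run: List[Tuple[int, bytes]], out: List[str]) -> None:
    """Order the stores of one run by stack offset and keep the printable pieces."""
    if not run:
        return
    buf = bytearray()
    expected = None
    for disp, data in sorted(run):
        if expected is not None and disp != expected:
            buf += b"\x00"            # gap between slots: treat as a string boundary
        buf += data
        expected = disp + len(data)
    for piece in bytes(buf).split(b"\x00"):
        if len(piece) >= MIN_LEN and all(0x20 <= b < 0x7F for b in piece):
            out.append(piece.decode("ascii"))


def recover_stack_strings(code: bytes) -> List[str]:
    """Scan code bytes for runs of stack stores and return the strings they build."""
    out: List[str] = []
    run: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(code):
        hit = _decode_store(code, i)
        if hit:
            length, disp, data = hit
            run.append((disp, data))
            i += length
        else:
            _flush(run, out)          # any other instruction ends the current run
            run = []
            i += 1                    # byte-wise rescan: adequate for a heuristic
    _flush(run, out)
    return out


def build_sample() -> bytes:
    """Constructed test input (not bytes from any real sample): a prologue, a
    byte-by-byte build of "kernel32" at [ebp-0x20], an unrelated instruction,
    then a dword-by-dword build of "ollydbg" at [ebp-0x10]."""
    code = bytearray(b"\x55\x8B\xEC")                   # push ebp; mov ebp, esp
    for k, ch in enumerate(b"kernel32\x00"):
        code += b"\xC6\x45" + struct.pack("<b", -0x20 + k) + bytes([ch])
    code += b"\x33\xC0"                                 # xor eax, eax
    code += b"\xC7\x45\xF0" + b"olly"                   # mov dword ptr [ebp-0x10], 'olly'
    code += b"\xC7\x45\xF4" + b"dbg\x00"                # mov dword ptr [ebp-0x0C], 'dbg\0'
    code += b"\xC3"                                     # ret
    return bytes(code)


if __name__ == "__main__":
    for s in recover_stack_strings(build_sample()):
        print(s)
```

Run against the constructed sample it prints `kernel32` and `ollydbg`, neither of which appears as a contiguous string anywhere in the input bytes, which is exactly why the plain `strings` pass that the technique is meant to defeat misses them. A production scanner would also handle esp-relative stores and 64-bit encodings, and would be run over the code section of the unpacked binary rather than the packed file on disk.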

Stegoloader is reported to be the third malware family to use digital steganography.

Great read! Well, if you like reading about the details of malware anyway.

PS: Do you think the digital steganography techniques discussed would be useful for transmission of smallish topic maps that are dynamically constructed and that are destroyed when an application exits? That is, no text version of the topic map exists for search or copying by unfriendly forces?

Given the reported storage of “smart” phones, etc., searching all the images and applying all the possible transforms could take a while. (Read “heat death of the universe.”) Come to think of it, while the topic map concealed in digital steganography is on your phone, you could access a website that supplies the key to unlock the map. On loss of connection or termination, the map simply disappears.

It would always be available, assuming you go to the correct site, but just out of the reach of nosy neighbors and others.

Something like “Now You Don’t” (NYD) for a product name I think. Yes?

I don’t think the NYPD has any time on:

Rank | Site | System
---- | ---- | ----
1 | National Super Computer Center in Guangzhou, China | Tianhe-2 (MilkyWay-2)
2 | DOE/SC/Oak Ridge National Laboratory, United States | Titan
3 | DOE/NNSA/LLNL, United States | Sequoia – BlueGene/Q
4 | RIKEN Advanced Institute for Computational Science (AICS), Japan | K computer
5 | DOE/SC/Argonne National Laboratory, United States | Mira
6 | Swiss National Supercomputing Centre (CSCS), Switzerland | Piz Daint
7 | Texas Advanced Computing Center/Univ. of Texas, United States | Stampede
8 | Forschungszentrum Juelich (FZJ), Germany | JUQUEEN
9 | DOE/NNSA/LLNL, United States | Vulcan
10 | Government, United States | Cray CS-Storm

the top ten (10) systems as of November 2014.

The images need to resist decryption, at a minimum, until you can make bail. Properly done, I suspect your images, concealing a topic map, could resist decryption for far longer than that. (That is a suspicion, not a warranty.)

Perhaps the most amusing part of such an approach would be to use campaign images from candidates for public office in the five boroughs as the only images on the phone. Even the most dedicated officers would tire of looking at that rogues’ gallery. 😉
