Stegoloader Malware - A Stealthy Evader

With the recent discovery of the Stegoloader malware, several weaknesses of conventional, detection-based malware prevention are exposed. Stegoloader is capturing interest because the active malware hides in an image file (PNG) that is delivered to compromised machines. The PNG image is hosted on a "legitimate site" and is cleverly designed to avoid detection by network sandboxes. Let's peel this apart and see how it exposes the weaknesses of conventional, detection-based malware prevention systems.

First, note that the initial phase of the attack starts with the Stegoloader deployment module being installed on the user's machine.  How does this happen?  So far, the only reported initial infection vector is when users unwittingly download Stegoloader from sites hosting "software piracy tools".  Well, we hate to say "it serves you right" but hey, you get what you (don't) pay for.  

Once installed on the target, the Stegoloader deployment module fetches the PNG image that contains the next phase of the attack.  The PNG is hosted on a "legitimate site", i.e. one that wouldn't be blocked by a Web security gateway.  But as we've seen in the State of the Web 2015: Vulnerability Report, over 20% of Web sites run software with known vulnerabilities - including "legitimate" sites.  These sites are easily compromised and used to host payloads like the malicious Stegoloader PNG image.  So it's easy for the Stegoloader PNG payload to pass right through Web security gateways.

How about detection of the malware in the PNG by network sandboxes?  The malware looks for signs that it's being evaluated in a sandbox and simply lays dormant until the sandbox issues a green light and passes the payload through.  Detection foiled again!
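One check a gateway or sandbox can still apply cheaply is structural: walk the PNG chunk list, verify each CRC, and flag non-standard chunks or bytes smuggled after the IEND chunk. This is an added example, not code from the original post or from any Stegoloader analysis; the sample images are constructed inline, and the check deliberately stays at the container level, so a payload encoded in the pixel values themselves would need image statistics rather than this parser.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
         b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
         b"sPLT", b"tIME"}


def make_chunk(ctype, body):
    """Build one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def inspect_png(data):
    """Return a list of findings; an empty list means structurally clean."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["bad signature"]
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):                      # header (8) + CRC (4)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        if pos + 12 + length > len(data):
            findings.append("truncated chunk " + name)
            return findings
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings.append("bad crc " + name)
        if ctype not in KNOWN:
            findings.append("non-standard chunk " + name)
        pos += 12 + length
        if ctype == b"IEND":
            break
    else:
        findings.append("no IEND")
    trailing = len(data) - pos                        # anything after IEND
    if trailing:
        findings.append("%d bytes after IEND" % trailing)
    return findings


# Constructed 1x1 RGB image (8-bit truecolour, one red pixel) so this runs offline.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
IDAT = zlib.compress(b"\x00\xff\x00\x00")           # filter byte + R,G,B
CLEAN_PNG = PNG_SIG + make_chunk(b"IHDR", IHDR) + make_chunk(b"IDAT", IDAT) + make_chunk(b"IEND", b"")
# Constructed variants: bytes appended after IEND, and a private chunk inserted before it.
TRAILING_PNG = CLEAN_PNG + b"\x00" * 64
PRIVATE_PNG = CLEAN_PNG.replace(make_chunk(b"IEND", b""), make_chunk(b"prIV", b"x" * 16) + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("trailing", TRAILING_PNG), ("private", PRIVATE_PNG)):
        print(label, inspect_png(img))
```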

There's nothing at all surprising about the Stegoloader attack. It's a simple matter of evolution: malware will continuously evolve to avoid detection, and the newest attacks will always find a way to thwart any method of detection. We believe that a new approach to security, isolation, is the only approach that can consistently eliminate malware. The point is to forget about trying to detect malware, because in the long run we'll always be fooled. Isolating and executing user sessions in their entirety, away from the endpoint, and never allowing malicious content to reach the user's device, is the best strategy we have for preventing malware attacks.

Tags: malware, cybersecurity