Malware infections take many forms, reflecting the sophistication that recent threats have gained from their authors. Compared with the malware of just a few years ago, some of today's threats are hardly recognizable by yesterday's standards.
The surge of clever malware threats has caught many off guard, including many computer security researchers. One such threat, Stegoloader (also detected as Win32/Gatak.DR or TSPY_GATAK.GTK), evades detection by hiding its code in image files on the infected computer.
Stegoloader's modular design is the first clue to how it deploys: the loader hides its main module within image files. Stegoloader is advanced enough to check whether the PC it is installed on is an ordinary system or one running security analysis software.
Using a combination of checks, such as watching for mouse cursor movement or looking for particular security products installed on the system, Stegoloader may decide to terminate its activities to avoid being detected. It withholds its main module until these checks are complete. Once it is satisfied, Stegoloader deploys the main module to carry out predefined malicious activities on the infected computer or to contact its server for additional instructions.
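The article only states that Stegoloader hides its main module in image files, not how. One structural check a defender can run over image files on an endpoint is to parse the PNG chunk layout and flag anything that does not belong: bytes appended after the IEND chunk, non-standard chunk types, bad CRCs, or a truncated file. The following is an added example, not code from the article or from any security vendor; the sample PNGs and the appended trailer are constructed here for illustration, and a payload hidden inside legitimate pixel data would not be caught by this check.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def build_png(chunks):
    """Assemble a PNG from (type, data) pairs with correct length and CRC fields."""
    out = bytearray(PNG_SIGNATURE)
    for ctype, data in chunks:
        out += struct.pack(">I", len(data))
        out += ctype + data
        out += struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)
    return bytes(out)


def parse_png(blob):
    """Walk the chunk list up to IEND. Returns (chunks, trailing_bytes);
    each chunk is (type, data, crc_ok). Raises ValueError if the file is malformed."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        if pos + 12 + length > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        crc_ok = crc_stored == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]


def png_findings(blob):
    """Return a list of human-readable anomalies; an empty list means the layout is clean."""
    findings = []
    chunks, trailing = parse_png(blob)
    if not chunks or chunks[-1][0] != b"IEND":
        findings.append("no IEND chunk")
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append("bad CRC on %s" % name)
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, len(data)))
    return findings


# Constructed samples: a minimal 1x1 greyscale PNG, then two tampered variants.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, greyscale
_IDAT = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
CLEAN_PNG = build_png([(b"IHDR", _IHDR), (b"IDAT", _IDAT), (b"IEND", b"")])
# Constructed trailer: arbitrary bytes appended after IEND (not a real payload).
APPENDED_PNG = CLEAN_PNG + b"MZ" + b"\x00" * 64
# Constructed private chunk type "prIV" carrying opaque data before IEND.
PRIVATE_CHUNK_PNG = build_png([
    (b"IHDR", _IHDR), (b"IDAT", _IDAT), (b"prIV", b"\x41" * 32), (b"IEND", b""),
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG),
                        ("private chunk", PRIVATE_CHUNK_PNG)):
        print(label, png_findings(blob) or "ok")
```

In practice you would feed this the PNG files found in user profile and temp directories and triage anything that produces findings; a clean result is not proof of absence, since data hidden in the pixel values themselves passes every structural check here.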
Malware like Stegoloader has several components that set it apart from most known threats. These capabilities, including its ability to lie dormant on a system for long periods of time, can lead to serious issues and utter destruction on an infected system.
The malicious activities that Stegoloader has been found to carry out are vast. Some of these actions allow hackers to steal passwords from various applications, execute shellcode, obtain a list of recently opened files, discover and expose the infected system's geographical location, download web browser histories, and even install other types of malware.
There is no doubt about the severity and potential dangers of Stegoloader. In its infancy during 2013, Stegoloader was nothing more than a threat attempting to gain public attention. At that time, Stegoloader didn't have the ability to perform the plethora of functions that it can now, which is probably why security experts didn't seek additional methods for detecting the threat at the time.
As it turns out, Stegoloader is now a highly efficient and potentially destructive piece of malware that can morph into different forms to avoid being detected. Not only does this make Stegoloader a popular threat, but it could deal a serious blow to countless infected computers without any apparent roadblocks from detection and removal. Until all security researchers are on board with detection and removal solutions for Stegoloader, it is prudent to use proactive measures to prevent infection by Stegoloader.