Cyber monitoring firm Cyble has detected a massive surge in Stegomalware, the class of malware that uses steganography to hinder detection.
Cyble Research Labs made the findings during a routine threat-hunting exercise and, on August 4, 2022, published an in-depth analysis of the malware and of how companies can protect their data against it.
The report also charts how Stegomalware has multiplied over time, explains how the firm found the samples and why their numbers have grown so suddenly, and lists security practices that form a first line of defense against the criminals behind them.
Here is a trimmed-down version of the Stegomalware analysis.
In the first part of the study, Cyble monitored Stegomalware samples submitted to VirusTotal for over 90 days, from May to July, and observed more than 1,800 samples that relied on image steganography.
In the second part, Cyble built its own Stegomalware sample. The point of the experiment was to show how accessible the technique is: a commodity spyware Trojan can be turned into Stegomalware with very little effort.
The base sample was Agent Tesla, a widely used spyware Trojan written for the .NET framework. In its raw form, 58 of 70 VirusTotal engines flagged it.
After the raw executable was embedded in a JPG file, with the malicious program riding along behind the image data, only 4 of 59 engines flagged the result. The experiment shows why Stegomalware depends on steganography: wrapping a well-known payload in an image defeats most signature-based detection.
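The detection side of that experiment, as an added example that is not Cyble's code and not from the report: the page does not say exactly how the executable was attached to the JPG, so the checker below assumes the two cheapest embeddings, an executable appended after the image's EOI marker (FF D9) or a payload stashed inside a COM/APPn metadata segment, and it parses the JPEG marker structure rather than relying on file signatures, which is what the 4/59 result suggests most engines do. The sample JPEG skeleton and the "payload" bytes are constructed inline; pixel-level (LSB) steganography, which some of the report's 1,800 samples may use, is out of scope for this check.

```python
"""Added example: flag a JPEG carrying an appended or metadata-stashed payload.

Not code from Cyble or its report. It assumes the executable was either
appended after the EOI marker (FF D9) or stuffed into a COM/APPn segment;
payloads hidden in pixel data (LSB steganography) are not detected here.
"""
import struct

STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers without a length field
PAYLOAD_SIGNATURES = {                                    # heuristic: file magics a dropper hides behind images
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"#!": "script shebang",
}


def _identify(blob):
    """Name of the signature `blob` starts with, or None."""
    for magic, name in PAYLOAD_SIGNATURES.items():
        if blob.startswith(magic):
            return name
    return None


def walk_jpeg(data):
    """Parse marker segments; return (segments, eoi_offset).

    segments: (marker, offset, body) for each segment that has a length field.
    Scan data after SOS is skipped byte-wise: FF 00 is a stuffed 0xFF and
    FF D0..D7 are restart markers; any other FF xx is a real marker.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    segments, pos, in_scan = [], 2, False
    while pos < len(data):
        if data[pos] != 0xFF:
            if not in_scan:
                raise ValueError(f"expected marker at offset {pos}")
            pos += 1                      # ordinary entropy-coded byte
            continue
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1                      # collapse fill bytes
        if pos >= len(data):
            break
        marker, marker_off = data[pos], pos - 1
        pos += 1
        if marker == 0x00:                # stuffed FF inside scan data
            continue
        if marker == 0xD9:                # EOI: the image proper ends here
            return segments, marker_off
        if marker in STANDALONE:          # SOI/TEM/RSTn: nothing to read
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        segments.append((marker, marker_off, data[pos + 2:pos + length]))
        pos += length
        in_scan = marker == 0xDA          # SOS: entropy-coded data follows
    return segments, None                 # no EOI at all


def scan_jpeg(data):
    """Indicators that this JPEG is a carrier for something else."""
    segments, eoi = walk_jpeg(data)
    trailing = data[eoi + 2:] if eoi is not None else b""
    metadata_hits = []
    for marker, off, body in segments:
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:      # APPn or COM
            for magic, name in PAYLOAD_SIGNATURES.items():
                if magic in body:
                    metadata_hits.append((marker, off, name))
                    break
    return {
        "eoi_offset": eoi,
        "trailing_bytes": len(trailing),
        "trailing_signature": _identify(trailing),
        "metadata_hits": metadata_hits,
        "suspicious": eoi is None or len(trailing) > 0 or bool(metadata_hits),
    }


def strip_appended(data):
    """Cheap mitigation for the appended case: truncate at EOI. Does nothing for
    payloads in metadata segments or pixels, and the loader that extracts the
    payload is still on the host."""
    _, eoi = walk_jpeg(data)
    if eoi is None:
        raise ValueError("no EOI marker; refusing to guess where the image ends")
    return data[:eoi + 2]


# Constructed samples (not real files): a minimal JPEG skeleton with a JFIF APP0,
# one SOS header and a few scan bytes (including a stuffed FF 00), then EOI.
_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
CLEAN_JPEG = b"\xff\xd8" + _APP0 + _SOS + b"\x12\x34\xff\x00\x56\x78" + b"\xff\xd9"
# A fake PE-looking blob standing in for the Agent Tesla executable.
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 28 + b"This program cannot be run in DOS mode.\r\n"
POLYGLOT = CLEAN_JPEG + PAYLOAD                                   # appended after EOI
_COM = b"\xff\xfe" + struct.pack(">H", 2 + len(PAYLOAD)) + PAYLOAD
STASHED = b"\xff\xd8" + _APP0 + _COM + _SOS + b"\x12\x34" + b"\xff\xd9"  # hidden in a COM segment

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_JPEG), ("appended", POLYGLOT), ("stashed", STASHED)):
        print(name, scan_jpeg(sample))
```

To run it against real files, pass `open(path, "rb").read()` to `scan_jpeg`. Treat the result as a triage signal, not proof: a handful of trailing bytes can come from sloppy image tools, while a multi-kilobyte tail that starts with `MZ` or a COM segment that contains one is worth pulling the file for analysis. Either way the image is only the carrier; the loader that extracts and runs the payload is the thing to hunt on the host.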
On its website, Cyble also listed recent attacks carried out by or aided through Stegomalware, two of them in July 2022. In the first, malicious shell scripts and malware payloads were delivered through Alibaba OSS buckets, with steganography used for the entry stage. In the second, the KNOTWEED campaign hid its Corelump malware inside JPEG files.
In both cases the malware was concealed inside image files, so the targets simply saw a picture. The image itself is never exploited: a separate program extracts the hidden code from the image and executes it on the system without the user's awareness.
At the end of the report, Cyble lists its recommended first line of defense against malware such as Stegomalware. Here is a quick look at the best practices to follow: