A stealthy modular version of the Stegoloader banking trojan is spreading through malicious PNG files, according to researchers at Dell SecureWorks' Counter Threat Unit (CTU).
The CTU researchers reported uncovering the variant in a threat advisory, warning that the malware has an advanced modular architecture capable of dodging many traditional security tools.
"Malware authors are evolving their techniques to evade network and host-based detection mechanisms. Stegoloader could represent an emerging trend in malware: the use of digital steganography to hide malicious code," read the advisory.
"Stegoloader has a modular design and uses digital steganography to hide its main module's code inside a PNG image downloaded from a legitimate website."
The researchers said that the modular design makes a full analysis of the malware close to impossible.
"Stegoloader's modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis," read the advisory.
"This limited exposure makes it difficult to fully assess the threat actors' intent. The modules analysed by CTU researchers list recently accessed documents, installed programs and recently visited websites, and steal passwords and installation files."
The modular design takes a cautious strategy that lets the malware authors check to see whether the victim system is running security software before deploying tools that could raise suspicion.
Stegoloader's deployment module downloads and launches the main module, and checks that it is not running in an analysis environment before deploying other modules.
"In another effort to slow down static analysis, most of the strings found in the binary are constructed on the program stack before being used," read the advisory.
"[Additionally] before executing its main function, Stegoloader lists the running processes on the system and terminates if a process name contains one of the strings.
"Most of the strings represent security products or tools used for reverse engineering. Stegoloader does not execute its main program code if it detects analysis or security tools on the system."
These checks mean that the full set of modules and attack tools used by the Stegoloader group remains unknown, although the CTU has reported finding modules for geographic localisation, browser history and password theft, and one that checks for an interactive disassembler.
The tools let the hackers access a variety of information, including public IP addresses, recently opened documents and application log-in credentials.
It is currently unclear how many businesses have been infected with the Stegoloader variant, although CTU said that it is being sold through an unnamed software piracy website and is being used to target the healthcare, education and manufacturing industries.
Stegoloader is one of many malware types to receive a technical upgrade in recent weeks. An evolved version of the Duqu worm was found targeting businesses, governments and individuals involved in international negotiations concerning Iran's nuclear programme earlier in June.