US Healthcare Organizations Most Affected by Stegoloader Trojan

Most victims of the Stegoloader Trojan, which has recently been making its rounds in the news, come from healthcare organizations in North America. The malware, detected as TROJ_GATAK, has been active since 2012 and uses steganography to hide its components in .PNG files.

Looking at recent victims of the Stegoloader malware, we observed that the majority of the infected machines counted over the last three months came from the United States (66.82%), followed by Chile (9.10%) and Malaysia (3.32%).

  • United States: 66.82%
  • Chile: 9.10%
  • Malaysia: 3.32%
  • Norway: 2.09%
  • France: 1.71%
  • Others: 16.96%

In the same duration, we saw that the most affected organizations came from the healthcare, financial, and manufacturing industries.

Figure 1. TROJ_GATAK infection count per industry in the last three months

Notably, all healthcare organizations affected by the malware came from the North American region. Trend Micro researchers are currently looking into how cybercriminals could use this for organized attacks, although evidence has yet to be found.

There have been recent successful breaches exposing millions of customer files at healthcare organizations such as Anthem and Premera Blue Cross. Although it has yet to be seen in such attacks, steganography could become a technique that cybercriminals targeting healthcare organizations use to expose medical records in the future.

Steganography, a Picture of Spying

In a previous article on steganography and malware, we noted how the technique of embedding malicious code in image files to evade detection will only become more popular especially among the more industrious malware groups out there.

The reemergence of TROJ_GATAK and its apparent focus on certain regions and industries show that cybercriminals continue to experiment with creative uses of steganography for spreading threats.

When we first blogged about the malware in January 2014, the TROJ_GATAK.FCK variant was bundled with key generators for various applications, and FAKEAV was its final payload.

The final payloads of the three recent samples of the malware, TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP, are still under analysis.

Note that the routines seen in variants from past years remain the same. The malware is downloaded from the Internet by users who believe it to be a key generator, or keygen. Once downloaded, it poses as a legitimate file related to Skype or Google Talk. It eventually downloads a stock photo in which a large part of its routines is embedded. The following are samples of photos used by the malware to carry its malicious components:

Figure 2. Sample images downloaded by TROJ_GATAK

The malware has anti-VM and anti-emulation capabilities, allowing it to evade analysis.

Past attacks using steganography have been noted to use interesting but seemingly harmless sunset and cat photos to target online bank accounts. Although the technique of using photos is quite old, its ability to help cybercriminals and threat actors evade detection remains a strong reason for its continued use in the wild.

Here are the SHA1 hashes related to the malware reported above:

You can read more about steganography in the following posts:

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 24 June 2015; the content source with the full text can be found at the link above.