Virus Bulletin: Keeping Up with the Stegoloader Trojan

As CYREN’s GlobalView security cloud churns through billions of pieces of information every day, our researchers are busy examining how certain threats work in order to make the whole automated system continuously smarter.

VB

Certain threats we find represent marked “advances” in intrusion techniques. A deep dive on the mechanics of one notable recent “advance” was published today by Virus Bulletin. Lordian Mosuela, one of our anti-malware experts, walks through a new development in the notorious history of the Stegoloader trojan, which was initially detected by CYREN last year as W32/Gatak and is used principally as a distribution vehicle for malware which steals sensitive information or installs the scourge of the moment, ransomware.

The attention-grabbing aspect of this is a new method used to evade detection, giving us a “next gen” Stegoloader. The academic term of art for this new class of hiding technique is “digital steganography,” but we can just call it sinister and sneaky.

The article serves as another reminder that the cybercriminal enterprises behind these “products” are smart and sophisticated, and evolve their wares constantly as a market response. As Lordian notes, we are in an arms race, to which we at CYREN are applying not only massive cloud computing and big data heuristics, but some good old-fashioned sleuthing as well.