Stegoloader
Posted: June 17, 2015
Threat Metric
The following fields, listed on the Threat Meter with a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, using an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 7/10 |
|---|---|
| Infected PCs: | 7 |
| First Seen: | June 17, 2015 |
| Last Seen: | September 9, 2021 |
| OS(es) Affected: | Windows |
Stegoloader (or Win32/Gatak) is a spyware program that uses image files to hide some of its components so that they are not identifiable as threats. Illicit software downloads are Stegoloader's only confirmed infection vector, and malware experts have seen Stegoloader infections also include other malware, such as password collectors and components of the Pony botnet. Because of its multi-component structure, removing Stegoloader should be done with anti-malware products that can scan your system as thoroughly as possible, so that all likely security issues are eliminated.
A Picture Worth a Thousand Infections
Stegoloader is one of many high-level threats verified as using steganography, the art of concealing information (such as a program's code) in an image file. Other threats seen using similar techniques without any direct relationship to Stegoloader include the Zberp Trojan, the MiniDuke backdoor Trojan, Shady Rat, and the Alureon rootkit. Like them, Stegoloader is a high-level threat that includes advanced methods for collecting information and concealing itself, along with a handful of other features for compromising the PC's general security.
Stegoloader has yet to be seen installed in targeted campaigns against specific organizations; instead it is distributed indiscriminately in compromised, pirated software downloads. Victims who launch the downloaded file also launch a loader component, which downloads Stegoloader's central component disguised as a PNG image file. This image file contains the code needed to install Stegoloader's main body, which could, in turn, use software exploits to install other malware.
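The loader stage described above fetches what looks like a PNG and pulls code out of it. A defender's first cheap check on a suspicious image is structural: does the file actually conform to the PNG chunk format, and does its pixel data match what its header declares? The following is an added example, not code from this page or from any Stegoloader analysis; it walks the chunk list, verifies each chunk's CRC, flags bytes appended after IEND and chunk types a baseline decoder would not expect, and compares the decompressed IDAT stream against the size IHDR implies. The sample images are constructed inline. A payload hidden in the pixel values themselves passes every one of these checks, so treat this as a triage filter for malformed or padded images, not as a steganography detector.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a baseline decoder expects; anything else deserves a closer look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA",
    b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"tIME", b"bKGD", b"tRNS", b"sBIT",
    b"hIST", b"sPLT",
}
CHANNELS_BY_COLOR_TYPE = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def parse_chunks(data):
    """Walk the chunk list. Returns (chunks, trailing) where each chunk is
    (type, payload, crc_ok). Parsing stops at IEND; whatever follows IEND is
    returned as trailing data, and a well-formed PNG has none."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        chunks.append((ctype, payload, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def inspect_png(data):
    """Return a list of human-readable findings; an empty list means the file
    is structurally unremarkable."""
    findings = []
    chunks, trailing = parse_chunks(data)
    if not chunks or chunks[0][0] != b"IHDR":
        findings.append("first chunk is not IHDR")
    if not chunks or chunks[-1][0] != b"IEND":
        findings.append("no IEND chunk (truncated or malformed)")
    if trailing:
        findings.append("%d bytes of data after IEND" % len(trailing))
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append("CRC mismatch in %s chunk" % name)
        if ctype not in KNOWN_CHUNKS:
            findings.append("unusual chunk type %s (%d bytes)" % (name, len(payload)))
    # Cross-check the pixel stream against the geometry IHDR declares.
    if chunks and chunks[0][0] == b"IHDR" and len(chunks[0][1]) == 13:
        width, height, depth, color, _comp, _filt, interlace = struct.unpack(
            ">IIBBBBB", chunks[0][1])
        channels = CHANNELS_BY_COLOR_TYPE.get(color)
        if channels is not None and interlace == 0:
            # Each scanline carries one filter byte plus the packed samples.
            expected = height * (1 + (width * channels * depth + 7) // 8)
            idat = b"".join(p for t, p, _ in chunks if t == b"IDAT")
            try:
                raw = zlib.decompress(idat)
            except zlib.error:
                findings.append("IDAT stream does not decompress")
            else:
                if len(raw) != expected:
                    findings.append("IDAT decompresses to %d bytes, IHDR implies %d"
                                    % (len(raw), expected))
    return findings


def make_chunk(ctype, payload, crc=None):
    """Encode one chunk; a caller may pass a wrong CRC to build a test case."""
    if crc is None:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(width=4, height=4, extra_chunks=()):
    """Constructed 8-bit RGB image for testing: IHDR, optional extra chunks,
    one IDAT of filter-type-0 scanlines, IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(range(width * 3)) for _ in range(height))
    body = b"".join(extra_chunks)
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + body
            + make_chunk(b"IDAT", zlib.compress(rows)) + make_chunk(b"IEND", b""))


# Constructed samples: a clean image, one with bytes appended after IEND,
# and one carrying a chunk whose CRC does not match its contents.
CLEAN_PNG = build_sample_png()
TRAILING_PNG = CLEAN_PNG + b"CONSTRUCTED-TRAILING-DATA"
BAD_CRC_PNG = build_sample_png(
    extra_chunks=[make_chunk(b"tEXt", b"Comment\x00constructed", crc=0)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PNG), ("trailing", TRAILING_PNG),
                          ("bad-crc", BAD_CRC_PNG)):
        print(label, inspect_png(sample) or ["no findings"])
```

Running the block prints no findings for the clean image, the appended-byte count for the padded one, and a CRC mismatch for the tampered chunk. In practice this belongs in a mail or download gateway alongside an entropy check on ancillary chunks; the CRC and size cross-checks are the part a naive image viewer never performs.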
Besides its potential for downloading other threats, malware analysts have highlighted the following, distinctive Stegoloader features:
- Stegoloader may include additional features for evading security analysis besides its steganography, such as RC4 data encryption, self-termination on machines with no mouse activity, detection of specialized security tools and dynamic string construction.
- Stegoloader may harvest basic system information, including which programs have been installed, your Web browser's history and any recently-opened documents. Firefox, Internet Explorer and Chrome are specific targets.
- The Stegoloader spyware also operates as a limited Trojan downloader by installing a Pony botnet-based password stealer that could grant criminals access to your personal login data.
- If its administrators rate an infected machine as a viable target, Stegoloader may accept optional attack commands from a remote server.
Stopping a Picture from Loading All Your Accounts
Stegoloader may be installed alongside members of the Virtumonde family of Trojans, which is infamous for its abuse of pop-up warnings. By itself, however, Stegoloader produces no notably visible symptoms. Its memory-resident design also may make it difficult for PC users to identify obvious files or processes associated with Stegoloader's components. Updated anti-malware products continue to be the best after-the-fact means of deleting Stegoloader and similarly high-level threats.
On the other hand, blocking common threat distribution channels also provides an equally important form of protection for any PC. Since Stegoloader requires its victims to install an illicit program before it gains access, its sophisticated defenses are easily stopped by anyone willing to check their downloading habits. To date, malware researchers have seen no signs of Stegoloader's campaign using browser exploits that run without the user's consent, e-mail attachments or other methods that could harm even law-abiding PC owners.