The LokiBot malware continues to evolve and is now using steganography to cloak its malicious files, according to a report from Trend Micro this week.
Recently highlighted as one of the top three malware strains of 2018, LokiBot started out as a password- and cryptocurrency wallet–stealing malware on hacker forums as early as 2015, but it has evolved, according to Trend Micro. It has taken to abusing the Windows installer and updating the methods that it uses to stay on the victim's system.
Now, Trend Micro has identified a new variant of the malware that uses steganography to help hide its malicious intent. It installed itself as a .exe file, along with a separate .jpg image file. The image file opens, but it also contains data that LokiBot uses when unpacking itself.
This LokiBot variant drops the image and the .exe file into a directory that it creates, along with a Visual Basic script file that runs the LokiBot file. Its unpacking program uses a custom decryption algorithm to extract the encrypted binary from the image.
Trend Micro has seen LokiBot hiding inside image files before. In April, it reported a variant of the malware that hid a .zipx attachment inside a .png file.
Steganography has two benefits for malware authors, warned the researchers. First, it provides another layer of obfuscation, helping the malware to slip past some email security systems. Second, it provides the malware authors with more flexibility. This variant used the VBScript file interpreter to execute the malware rather than relying on the malware to execute itself. This means that the authors can change the script to alter the technique that LokiBot uses to install itself.
Steganography is becoming an increasingly common form of obfuscation for malware authors. Other notable uses of the technique include the Stegoloader backdoor Trojan, and the Vawtrak malware, which hid update files in favicons. The 2019 the VeryMal campaign also used the technique to hide malware in advertising images.