Thursday, March 26, 2015
Tor-fuelled Trojan gets stealthy with steganography
Senior AVG developer Jakub Kroustek found that Vawtrak, a constantly evolving piece of financial malware, is anything but typical on closer examination. On the surface it uses fairly standard API hooking and injection techniques to steal login credentials, financial data and private keys, and ultimately to execute transactions from compromised accounts.

In a white paper that examines the technologies implemented by Vawtrak in some depth, Kroustek shows that this variant has been using steganography to hide update files inside tiny 4Kb encrypted favicon graphics, which are in turn distributed over the Tor network via a proxy. Steganography of this kind hides data in the least significant bits (LSBs) of an image's pixel values, where the changes are too small to be noticed visually, and it has allowed Vawtrak to embed its command and control server URLs.
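To make the LSB mechanism concrete, here is an added example (not Vawtrak's code and not taken from the AVG white paper). It builds a constructed 64x64 RGB "favicon" as a flat list of sample values, writes a pseudo-random blob (standing in for an encrypted update) into the least significant bit of each sample, and then shows the check a defender can run over a suspect icon: extract the LSB plane and measure its entropy. A flat-coloured icon has a nearly constant LSB plane, whereas an encrypted payload drives it towards 8 bits per byte. The 4-byte length prefix and the 6 bits/byte threshold are assumptions of this example, not the malware's format, and the entropy test is a heuristic: photographic images with sensor noise also have noisy LSB planes, so in practice it should be combined with a baseline for the image type being inspected.

```python
"""Toy model of LSB image steganography and an entropy-based detector.

Added example, not Vawtrak's code or AVG's analysis. The carrier is a
constructed 64x64 RGB icon held as a flat list of sample values; the
payload framing (4-byte big-endian length prefix) is an assumption of
this example, not the malware's format.
"""
import hashlib
import math
import struct

WIDTH, HEIGHT, CHANNELS = 64, 64, 3


def make_clean_favicon():
    """Constructed sample: flat background with a centred square, no payload."""
    background = (0x20, 0x60, 0xA0)
    square = (0xFF, 0xCC, 0x33)
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            inside = 16 <= x < 48 and 16 <= y < 48
            pixels.extend(square if inside else background)
    return pixels


def pseudo_random_payload(length):
    """Deterministic stand-in for an encrypted update blob (SHA-256 chain)."""
    out = bytearray()
    block = b"constructed-seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def lsb_embed(pixels, payload):
    """Write a length-prefixed payload into the least significant bits.

    Each sample changes by at most 1, which is invisible in the rendered icon.
    """
    framed = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the carrier")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def lsb_plane_bytes(pixels):
    """Collect the LSB of every sample and pack them MSB-first, 8 per byte."""
    out = bytearray()
    usable = len(pixels) - len(pixels) % 8
    for i in range(0, usable, 8):
        value = 0
        for sample in pixels[i:i + 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)


def lsb_extract(pixels):
    """Recover a payload written by lsb_embed (same framing assumption)."""
    plane = lsb_plane_bytes(pixels)
    (length,) = struct.unpack(">I", plane[:4])
    if length > len(plane) - 4:
        raise ValueError("length prefix exceeds carrier capacity")
    return plane[4:4 + length]


def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 is the ceiling for uniformly random data."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def lsb_plane_entropy(pixels):
    """Entropy of the packed LSB plane, the quantity the detector looks at."""
    return shannon_entropy(lsb_plane_bytes(pixels))


def looks_stuffed(pixels, threshold=6.0):
    """Heuristic flag: a flat icon's LSB plane is near-constant, while an
    encrypted blob written into it pushes the plane towards 8 bits/byte.
    The threshold is an assumption of this example."""
    return lsb_plane_entropy(pixels) > threshold


if __name__ == "__main__":
    clean = make_clean_favicon()
    payload = pseudo_random_payload(1500)
    stego = lsb_embed(clean, payload)
    print(f"clean LSB entropy: {lsb_plane_entropy(clean):.2f} bits/byte")
    print(f"stego LSB entropy: {lsb_plane_entropy(stego):.2f} bits/byte")
    print("max per-sample change:", max(abs(a - b) for a, b in zip(clean, stego)))
    print("payload recovered:", lsb_extract(stego) == payload)
```

Running the script shows the two icons differing by at most one unit per colour sample, while the LSB-plane entropy jumps from roughly 1.2 to nearly 8 bits per byte once the blob is embedded; that gap, not the pixel values themselves, is what a scanner keyed on small image files fetched over unusual channels would look for.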