A researcher discovered a ransomware embedded into a downloadable Super Mario image using steganography method. Matthew Rowen, a security researcher from Bromium, an advanced malware protection services provider, stated he encountered a spreadsheet that contained a trojan sample during his analysis.
“A few days ago, I was investigating a sample piece of malware where our static analysis flagged a spreadsheet as containing a Trojan, but the behavioral trace showed very little happening. This is quite common for various reasons, but one of the quirks of how we work at Bromium is that we care about getting malware to run and fully detonate within our secure containers. This enables our customers to understand the threats they are facing, and to take any other remedial action necessary without any risk to their endpoints or company assets. Running their malware actually makes our customers more secure,” Matthew Rowen stated in a post.
“Steganographic techniques such as using the low-bits from pixel values are clearly not new, but it’s rare that we see this kind of thing in malspam; even at Bromium, where we normally see slightly more advanced malware that evaded the rest of the endpoint security stack. It’s also pretty hard to defend against this kind of traffic at the firewall,” Rowen added.
The attackers send emails with an attached spreadsheet that has an embedded malware and a macro. The attachment prompts the user to click on enable content link in order to deploy the malware. The researcher stated the malware firstly checks the region to make sure that the device is based out in Italy relying on the administrative language of the operating system. The malware will not deploy if the device is not based in Italy.
Once the user downloads the malware, it connects to the remote server and downloads the Gandcrab ransomware to infect the user’s device and encrypt the files and demand the ransom to provide the file access back, according to Rowen.