The once popular and extremely stealthy exploit kit, Stegano, has recently reemerged after lying low since 2014. Stegano targets users in the banking and financial services industry, specifically those running Windows machines or using Internet Explorer with Flash installed. The exploit kit aims at stealing information, exfiltrating data, and capturing screenshots of victims’ computers.
HOW DOES IT WORK?
Stegano uses banner ads, each promoting either the application “Browser Defence” or “Broxu,” with malicious script embedded in each graphic. Because the threat is embedded in the ad itself, no interaction between the end user and the threat is required for execution.
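The post states that the script is hidden inside the ad graphic but not how. The following is an added example, not code from the original post or from Palo Alto Networks, that assumes one common hiding scheme: data written into the least significant bit of a pixel channel. It builds a constructed RGBA carrier with photo-like LSB noise, hides a constructed stand-in script in it with `embed_lsb` (a test fixture), and then shows the defender-side check: `scan_image` extracts each channel's LSB plane and flags any long run of printable text, reporting which script markers it contains. The image, payload, marker list and run threshold are all assumptions made for the example.

```python
import random

# Bytes treated as "text": printable ASCII plus tab/newline/carriage return.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Tokens that make an extracted run look like script rather than random text.
SCRIPT_MARKERS = (b"<script", b"eval(", b"function", b"document.")

# Constructed stand-in for hidden ad script; not the real Stegano payload.
PAYLOAD = b"<script>var o=document.createElement('object');/* constructed marker */</script>"


def build_image(width=64, height=64, seed=1):
    """Constructed RGBA carrier: a smooth gradient whose low-order bits are
    randomised, so the LSB plane looks like a real photo's sensor noise
    rather than a flat fill (flat fills would make any detector look good)."""
    rng = random.Random(seed)
    pixels = []
    for y in range(height):
        for x in range(width):
            base = ((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF, 255)
            pixels.append(tuple((v & ~1) | rng.getrandbits(1) for v in base))
    return pixels


def embed_lsb(pixels, data, channel=3):
    """Test fixture: hides data in the LSB of one channel (3 = alpha), one
    bit per pixel, most significant bit first, so the detector has
    something to find. Assumed hiding scheme, not a description of Stegano."""
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload larger than carrier")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        px = list(out[idx])
        px[channel] = (px[channel] & ~1) | bit
        out[idx] = tuple(px)
    return out


def lsb_plane(pixels, channel):
    """Packs the least significant bit of one channel, pixel by pixel, into bytes."""
    out, acc = bytearray(), 0
    for i, px in enumerate(pixels):
        acc = (acc << 1) | (px[channel] & 1)
        if i % 8 == 7:
            out.append(acc)
            acc = 0
    return bytes(out)


def longest_printable_run(data):
    """Returns (offset, length) of the longest run of printable bytes.
    Random LSB noise is printable only ~38% of the time, so runs longer
    than a few dozen bytes practically never occur by chance."""
    best, start = (0, 0), None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            if i - start + 1 > best[1]:
                best = (start, i - start + 1)
        else:
            start = None
    return best


def scan_image(pixels, min_run=32):
    """Flags any channel whose LSB plane carries a long run of text and
    reports which script markers appear in it."""
    findings = []
    for channel in range(4):
        plane = lsb_plane(pixels, channel)
        offset, length = longest_printable_run(plane)
        if length < min_run:
            continue
        text = plane[offset:offset + length]
        findings.append({
            "channel": channel,
            "offset": offset,
            "length": length,
            "markers": [m.decode() for m in SCRIPT_MARKERS if m in text],
            "preview": text[:48].decode("ascii"),
        })
    return findings


if __name__ == "__main__":
    clean = build_image()
    print("clean image:", scan_image(clean))
    print("carrier with hidden script:", scan_image(embed_lsb(clean, PAYLOAD)))
```

The check deliberately keys on a long printable run rather than on LSB-plane entropy: real photographs already have near-random low-order bits, so entropy alone separates nothing, whereas a contiguous stretch of ASCII script in the bit plane is something noise essentially never produces. A real ad-scanning pipeline would decode PNG/JPEG/GIF into pixels first and would need to handle payloads that are compressed or encoded before embedding, which this text-run heuristic would miss.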
First, the exploit kit fingerprints the infected machine using CVE-2016-0162 to check that it is not a researcher’s machine or a sandbox environment, and decides whether or not to continue the attack. To carry out the full attack, it leverages one of three Flash vulnerabilities: CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117. If the exploit kit continues with the attack, the vulnerability is used to deliver a highly obfuscated Flash file. Downloaders then decrypt and launch the final payloads. The payloads used in this attack include backdoors, banking Trojans, spyware, file stealers and Trojan downloaders.
It is worth noting that Stegano’s shellcode has some advanced, malicious characteristics: it resolves many critical functions, including WinHTTP, and downloads its payload from “predi.ridgecrestsolutions.com.”
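The payload domain above is the one network indicator the post gives, and the natural defender response is to sweep proxy logs for it. The following is an added example, not code from the original post or from Palo Alto Networks: it matches that domain against constructed proxy log lines in an assumed `timestamp client method url status` format. The log lines, client addresses, other hosts and URL paths are all placeholders constructed for the example; only the IOC domain comes from the post. The point of the example is the matching rule itself, which treats the IOC and its subdomains as hits but not hosts that merely contain it as a substring or share a suffix without a label boundary.

```python
import re
from urllib.parse import urlsplit

# The only network indicator the post gives: the domain the shellcode
# fetches its payload from.
IOC_DOMAINS = {"predi.ridgecrestsolutions.com"}

# Constructed proxy log lines (timestamp client method url status);
# hosts other than the IOC and all paths are placeholders, not real traffic.
SAMPLE_LOG = """\
2016-12-07T10:15:01Z 10.0.0.5 GET http://ads.example.net/banner-placeholder.png 200
2016-12-07T10:15:02Z 10.0.0.5 GET http://predi.ridgecrestsolutions.com/path-placeholder 200
2016-12-07T10:15:03Z 10.0.0.6 GET http://cdn.predi.ridgecrestsolutions.com/path-placeholder 200
2016-12-07T10:15:04Z 10.0.0.7 GET http://PREDI.RidgecrestSolutions.com./path-placeholder 200
2016-12-07T10:15:05Z 10.0.0.8 GET http://predi.ridgecrestsolutions.com.example.org/ 200
2016-12-07T10:15:06Z 10.0.0.9 GET http://notpredi.ridgecrestsolutions.com/ 200
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalize_host(host):
    """Lower-cases and strips a trailing dot so 'A.B.' and 'a.b' compare equal."""
    return host.lower().rstrip(".")


def host_matches(host, ioc):
    """True for the IOC itself or any subdomain of it; never for a host that
    merely contains the IOC (predi.x.com.example.org) or shares a suffix
    without a label boundary (notpredi.x.com)."""
    host, ioc = normalize_host(host), normalize_host(ioc)
    return host == ioc or host.endswith("." + ioc)


def parse_line(line):
    """Parses one assumed-format log line; returns None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def find_ioc_hits(log_text, iocs=IOC_DOMAINS):
    """Returns one record per log line whose host matches an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = sorted(ioc for ioc in iocs if host_matches(rec["host"], ioc))
        if matched:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "host": rec["host"], "ioc": matched[0]})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(hit)
```

Matching on label boundaries matters in both directions: a plain substring search would miss nothing here but would also fire on the two decoy hosts, and a bare equality check would miss the mixed-case, trailing-dot and subdomain variants that are all the same destination.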
WHY IS IT UNIQUE?
Traditional antivirus has difficulty identifying Stegano, because the exploit kit uses multiple self-concealment techniques, including scanning for the presence of antivirus before downloading the payload. Additionally, the file is executed in memory, without the user first having to download an executable file, click on it and run it. This leaves nothing written to disk for legacy antivirus to scan or to detect with any available signature files.
HOW DO YOU STOP IT?
With the sophisticated evasion techniques Stegano employs, endpoint security solutions cannot rely solely on signature detection to identify this threat. Palo Alto Networks Traps advanced endpoint protection focuses on the core exploit techniques themselves rather than on signatures. Focusing on techniques allows Traps to detect the malicious code running within the infected process’s memory as it attempts to access and modify protected data sections. With its advanced exploit prevention capabilities, Traps is able to stop the attack before any of the Flash vulnerabilities can be exploited, preventing any payload from being executed on the attacked endpoint.