As shown above, the image looks perfectly normal to the naked eye. When enhanced, though, you can see a pixel pattern that secretly contains malicious QR-like code. Another script scans, extracts and runs the code using a known Internet Explorer vulnerability, then checks the machine again for packet capturing, sandboxing, VMs and other security-enhancing products. It also checks the graphics and security drivers to confirm it’s running on an actual PC.
From there, it loads a 1-pixel iFrame off the screen and redirects via a TinyURL to a new exploit site. The landing page checks for the presence of Internet Explorer and loads a Flash file that contains another Flash file. The latter can serve up one of three exploits, depending on the version of Flash that it finds. To check, it passes information back to the server, encoded again as a GIF file. The server passes back a code to denote one of three Flash vulnerability exploits, along with the required password shell code to download the final payload.
It does yet another check for certain file types to ensure it’s not being snooped on by a security analyst. If nothing is detected, the payload is downloaded and launched. From there, you can be infected with a backdoor, keylogger, screenshot maker and video maker. At that point, thieves can steal any file, and as mentioned, they’ve been targeting the banking sector and probing for weaknesses that would presumably allow them to steal or extort cash.
All of that seems pretty elaborate, but it apparently paid off. “The Stegano exploit kit has been trying to fly under the radar since at least 2014,” the team says, and until now, no one spotted it (there’s no word of any successful exploits, though). All of this could be avoided by by “running fully patched software and using a reliable, updated internet security solution,” the Eset researchers say. (Eset sells just such a product, naturally.) And of course, by not using Internet Explorer in the first place.