JPEG Files Used For Targeted Attack MalwareNovember 29, 2013 – 7:04 AM
We recently came across some malware of the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files/binaries. Not only that, we believe that this activity has been ongoing since at least the middle of 2010. A notable detail of the malware we came across is that these malware hide their configuration files. These JPEGs are located on sites hosted in the Asia-Pacific region, and we believe that these malware families are used in targeted attacks in the region as well.
Analysis of the JPEG updates
While the contents of the JPEG file are encrypted, we were able to decrypt and analyze the contents of these files. We can divide these into three groups:
- configuration file (Type A)
- configuration file (Type B)
- binary content (either DLL or EXE files)
The first kind of configuration file (Type A) is similar to what we’ve seen with other malware. It contains information that allows the malware to process commands from an attacker, change settings/modules, and update itself. Among these settings are URLs where other malicious JPEG files are hosted. In addition, these files indicates that the attacker may have already compromised the targeted organization(s), as some of the information pertains to specific machines or individuals within.