A new report by researchers shows that more malware is being hidden in PNG images. Since early September 2022, a threat actor tracked as Worok has been observed by both ESET and Avast using this technique. Worok has apparently been active in the Middle East, Southeast Asia, and South Africa, focusing on high-profile victims including government institutions. The report is based on additional artifacts captured by Avast during Worok attacks; these confirm ESET's hypotheses about the origin of the PNG files while also providing new details about the malware payloads and the data exfiltration technique.
Using DLL sideloading, the attackers first execute the CLRLoader malware, which then loads the PNGLoader DLL; PNGLoader decodes the obfuscated code hidden inside PNG files. This is the first stage of a multi-stage attack.
The decoded payload is DropBoxControl, a bespoke .NET C# information stealer that uses Dropbox as a channel for command-and-control communication and data exfiltration. The malware appears to support multiple operations, such as running commands via cmd /c, starting an executable, downloading from and uploading to Dropbox, deleting data from target endpoints, creating new folders (for further backdoor payloads), and collecting system information.
Based on the toolset, the researchers have concluded that Worok is a stealthy cyber-espionage group that prefers to move laterally across target networks in order to acquire confidential information. It also seems to rely on its own in-house tools, since the researchers saw no evidence of the tools being used by any other parties.
Worok employs "least significant bit (LSB) encoding," which means hiding the malicious code in the least significant bit of each pixel channel value of the image, where a change of at most one unit is imperceptible to the eye.
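To make the mechanism concrete, the following is an added illustration written for this article, not code from Worok, ESET or Avast. It works on a flat list of 8-bit channel values (what a decoded PNG yields) so it runs without an image library, embeds a constructed, harmless text payload behind a length prefix, recovers it, and shows two things an analyst cares about: the stego image differs from the cover by at most 1 per channel, and the LSB plane, once carved out, has structure (here the length prefix) that a plain image would not. The cover image, payload and framing format are all assumptions of the example.

```python
"""LSB steganography, embed and carve side, as an analyst's teaching example.

Pixels are a flat list of 8-bit channel values (R, G, B, R, G, B, ...).
The framing (4-byte big-endian length, then payload) is a constructed
format for this example, not Worok's.
"""
import random


def make_cover(width: int, height: int, seed: int = 1) -> list:
    """Constructed RGB cover image: deterministic pseudo-random channel values."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(width * height * 3)]


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1


def embed_lsb(pixels: list, payload: bytes) -> list:
    """Return a copy of `pixels` whose least significant bits carry the framed payload."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = list(_bits(framed))
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # clear LSB, then set it to the payload bit
    return out


def lsb_plane(pixels: list, n_bytes: int) -> bytes:
    """Carve the first `n_bytes` of the LSB plane, packed 8 channel LSBs per byte.

    This is the forensic step: dump the LSB plane and look for structure
    (headers, length fields, compressed or encrypted-looking data).
    """
    out = bytearray()
    for k in range(n_bytes):
        v = 0
        for j in range(8):
            v = (v << 1) | (pixels[k * 8 + j] & 1)
        out.append(v)
    return bytes(out)


def extract_lsb(pixels: list) -> bytes:
    """Reverse of embed_lsb: read the 4-byte length, then that many payload bytes."""
    length = int.from_bytes(lsb_plane(pixels, 4), "big")
    return lsb_plane(pixels, 4 + length)[4:]


def max_channel_delta(a: list, b: list) -> int:
    """Largest per-channel difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover(64, 64)
    payload = b"constructed example payload, nothing malicious"
    stego = embed_lsb(cover, payload)
    print("recovered:", extract_lsb(stego))
    print("max channel change:", max_channel_delta(cover, stego))  # 1
    print("LSB plane header:", lsb_plane(stego, 4).hex())  # the length prefix
```

The point for defenders is the last two lines: pixel-level diffing against a known-good image catches LSB embedding trivially when a reference exists, and when it does not, carving the LSB plane and looking for non-random structure is the starting point for steganalysis. Note that the LSBs of a natural photograph are already noisy, so entropy alone is a weak signal; structure such as a length field or a recognizable file header is far more telling.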
The use of steganography in cybercrime seems to be on the rise. Check Point Research (CPR) discovered a malicious package on the Python package repository PyPI, named apicolor, that delivers a trojan through an image. This malware was widely spread via GitHub.
This apparently innocuous package downloads a picture from the internet, installs extra tools to process the image, and then passes the output of that processing to exec to run it.
A compromised system can receive commands and data from an actor-controlled Dropbox account, or upload files to that account, using the "DropBoxControl" malware.
The malware regularly retrieves its instructions from encrypted files stored in the threat actor's Dropbox repository.
These are the commands that can be used:
- Execute the command "cmd /c" with the supplied arguments.
- Invoke a program with specified arguments.
- Download files from Dropbox to the device.
- Upload information from the device to Dropbox.
- Purge the victim's hard drive of all data.
- Rename the victim's data.
- List the files in a specified folder and extract their metadata.
- Change the location of the backdoor.
- Exfiltrate sensitive data from the system.
- Modify the settings of the backdoor.
Worok's focus on covert data exfiltration, lateral movement, and device surveillance all point to it being a cyber-espionage outfit. According to Avast's analysis, the tools recovered from Worok attacks aren't widely used, so they are likely used only by the threat group itself.
One of the two dependencies of the apicolor package is the steganography module judyb, which decodes hidden messages in images. This led the researchers back to the original picture, which, as it turned out, caused malicious packages to be downloaded from the internet onto the victim's endpoint.