More Malware Is Hiding In PNG Images - A New Study About Phishing

Since early September 2022, a threat actor going under the name Worok has been seen by both ESET and Avast utilizing this technique. Worok has apparently been active in the Middle East, Southeast Asia, and South Africa, focusing on high-profile victims including government institutions.

Author: Suleman Shah
Reviewer: Han Ju
Nov 14, 2022
A new report by researchers shows that more malware is hiding in PNG images.
Additional artifacts captured by Avast during Worok attacks are the basis for the report; these confirm ESET's hypotheses about the PNG files' origins while also providing new details about the malware payloads and data exfiltration technique.

Multi-staged Attack

The first stage of the multi-stage attack uses DLL sideloading to execute the CLRLoader malware, which in turn loads the PNGLoader DLL, the component that decodes the obfuscated code hidden in PNG files.
The decoded code is DropBoxControl, a bespoke .NET C# information stealer that uses Dropbox as a channel for command-and-control communication and data exfiltration. The malware appears to support multiple operations: running commands via cmd /c, starting an executable, downloading from and uploading to Dropbox, deleting data from target endpoints, creating new folders (for further backdoor payloads), and collecting system information.
Based on the toolset, the researchers have concluded that Worok was created by a stealthy cyber-espionage gang that prefers to operate laterally across target networks in order to acquire confidential information. In addition, it seems to use its own in-house tools, since the researchers saw no evidence of the tools being utilized by any other parties.
Worok employs "least significant bit (LSB) encoding," the practice of hiding malicious code in the least significant bits of the image's pixel values.
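As an added illustration (not Worok's code or anything from the Avast or ESET reports), the following constructed example shows LSB embedding over raw pixel bytes and the chi-square pairs-of-values check a defender can run on decoded image data; the cover image, payload and sizes are all made up.

```python
import random

# Constructed demo of LSB embedding (as the article describes) plus the chi-square
# pairs-of-values check a defender can run over decoded 8-bit pixel bytes.
DOF = 127  # 128 value pairs (0/1, 2/3, ...) minus one

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Overwrite the least significant bit of each pixel byte with payload bits."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in cover image")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(pixels: bytes, n_bytes: int) -> bytes:
    """Recover n_bytes of hidden data from the LSB plane (reverse of embed_lsb)."""
    out = bytearray()
    for i in range(n_bytes):
        byte = 0
        for p in pixels[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)

def chi_square_pov(pixels: bytes) -> float:
    """Chi-square statistic over value pairs (2k, 2k+1). LSB embedding pushes each
    pair toward equal counts, so a result near DOF suggests a full-capacity hidden
    payload, while a clean cover with a skewed histogram scores much higher."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi2 += (even - expected) ** 2 / expected
    return chi2

def demo(seed: int = 1234):
    """Build a constructed cover whose odd values are rarer, hide a random
    (obfuscated-looking) payload in it, and score both with chi_square_pov."""
    rng = random.Random(seed)
    cover = bytes(2 * rng.randrange(128) + (rng.random() < 0.25) for _ in range(65536))
    payload = bytes(rng.getrandbits(8) for _ in range(len(cover) // 8))
    stego = embed_lsb(cover, payload)
    return cover, stego, payload, chi_square_pov(cover), chi_square_pov(stego)
```

A clean cover with a skewed histogram scores far above the 127 degrees of freedom, while a full-capacity embedded payload pulls the statistic down to roughly that value; photos whose natural LSB plane is already noisy give a weaker signal, so treat this as a triage heuristic rather than proof.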
The use of steganography in cybercrime seems to be on the rise. Check Point Research (CPR) discovered a malicious package on the Python-based repository PyPI that distributes the apicolor trojan through an image. This malware was widely spread via GitHub.
This apparently innocuous package downloads a picture from the internet, installs extra tools to process the image, and then uses exec to run the output produced by that processing.

DropBox Abuse

A compromised system uses the DropBoxControl malware to retrieve commands from, and upload files to, an actor-controlled Dropbox account.
The malware regularly retrieves instructions from encrypted files stored in the threat actor's Dropbox repository.
These are the commands that can be used:
  • Execute "cmd /c" with the supplied arguments.
  • Launch a program with the specified arguments.
  • Download files from Dropbox to the device.
  • Upload data from the device to Dropbox.
  • Delete data from the victim's hard drive.
  • Rename the victim's data.
  • List the files in a specified folder and extract their metadata.
  • Move the backdoor to a new location.
  • Exfiltrate sensitive data from the system.
  • Modify the backdoor's settings.
Worok's focus on covert data exfiltration, lateral movement, and device surveillance all point to a cyberespionage operation. The tools recovered from Worok attacks are not seen elsewhere, according to Avast's analysis, so they are likely used only by the group itself.

Final Words

One of the two dependencies the apicolor package installs is a steganography module that decodes judyb-encoded data to expose messages hidden in images. That led the researchers back to the original picture, which, as it turned out, carried code that downloaded malicious packages from the internet to the victim's endpoint.