Researchers have found evidence of new threats using PNG files to deliver malicious payloads.
ESET and Avast have confirmed seeing a threat actor by the name of Worok using this method since early September 2022.
Apparently, Worok has been busy targeting high-profile victims, such as government organizations, throughout the Middle East, Southeast Asia and South Africa.
multi-stage attack
The attack is a multi-stage process, in which the attackers use a DLL sideloader to execute the CLRLoader malware which in turn loads the PNGLoader DLL, which is capable of reading obfuscated code hidden in PNG files.
This code translates to DropBoxControl, a .NET C# infostealer that misuses Dropbox file hosting to communicate and steal data. This malware appears to support several commands, including running cmd /c, launching an executable, downloading and loading data to and from Dropbox, deleting data from target endpoints, setting new directories (for additional backdoor payloads), and extracting system information .
Because of its range of tools, researchers believe that Worok is the work of a quietly operating cyber-espionage group, likes to move sideways across targeted networks, stealing sensitive data. It also appears to be using its own tools, as researchers have not noticed its use by anyone else.
Worok uses Least Significant Bit (LSB) Encoding, embedding small bits of malicious code into the least significant portions of the pixels in an image, it has been said.
Steganography appears to be gaining popularity as a cybercrime tactic. In twenty similar researchers from Check Point Research (CPR), they recently found a malicious package on SerpentAn image-based PyPI repository that uses an image to deliver a Trojan Malware (Opens in a new tab) It’s called apicolor, and is largely used by GitHub as a distribution method.
The seemingly benign package downloads an image from the web, installs additional tools that process the image, and then runs the output generated by the processing with the exec command.
One of these two requirements is the judyb code, which is a steganographic module capable of revealing hidden messages inside images. This led the researchers to revert to the original image, which turned out to be downloading malicious packages from the web to the victim End point (Opens in a new tab).
Across: Computer (Opens in a new tab)