A threat group tracked as ‘Worok’ hides its payloads within PNG images to infect victims’ machines with information-stealing malware without raising alarms.
This has been confirmed by researchers at Avast, who built upon the findings of ESET, the first to spot and report on Worok’s activity in early September 2022.
ESET warned that Worok targeted high-profile victims, including government entities in the Middle East, Southeast Asia, and South Africa, but their visibility into the group’s attack chain was limited.
Avast’s report is based on additional artifacts the company captured from Worok attacks, confirming ESET’s assumptions about the nature of the PNG files and adding new information on the type of malware payloads and the data exfiltration method.
Hiding malware in PNG files
While the method used to breach networks remains unknown, Avast believes Worok likely uses DLL sideloading to load the CLRLoader malware loader into memory.
This is based on evidence from compromised machines, where Avast’s researchers found four DLLs containing the CLRLoader code.
Next, the CLRLoader loads the second-stage DLL (PNGLoader), which extracts bytes embedded in PNG files and uses them to assemble two executables.
Figure: Worok’s complete infection chain
Hiding payload in PNGs
Steganography is the practice of concealing code or data inside files, in this case image files that look normal when opened in an image viewer.
In the case of Worok, Avast says the threat actors used a technique called “least significant bit (LSB) encoding,” which embeds small chunks of the malicious code in the least important bits of the image’s pixels.
Figure: LSB encoding on image pixels
The first payload extracted from those bits by PNGLoader is a PowerShell script that neither ESET nor Avast could retrieve.
The second payload hiding in the PNG files is a custom .NET C# info-stealer (DropBoxControl) that abuses the DropBox file hosting service for C2 communication, file exfiltration, and more.
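As an added forensic triage example (not Avast’s or ESET’s code, and not PNGLoader itself), the functions below decode the LSB plane of an already-decoded RGB pixel buffer and flag the two payload shapes described here: a script, which pushes the printable-ASCII share of a window far above the roughly 0.38 that sensor noise produces, and an executable, which announces itself with an MZ header. The cover image is constructed in memory; decoding a real PNG into such a pixel buffer is assumed to be done by an image library such as Pillow.

```python
import random

# Magic bytes worth flagging at the start of an extracted LSB plane.
KNOWN_MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive", b"\x1f\x8b": "gzip"}


def extract_lsb_plane(pixels: bytes, bits_per_channel: int = 1) -> bytes:
    """Decode the LSB plane: take the lowest `bits_per_channel` bits of every
    channel byte, in order, and pack them MSB-first into bytes."""
    mask = (1 << bits_per_channel) - 1
    out, acc, nbits = bytearray(), 0, 0
    for b in pixels:
        acc = (acc << bits_per_channel) | (b & mask)
        nbits += bits_per_channel
        while nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, CR or LF (98 of 256 values)."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def triage_lsb_plane(pixels: bytes, bits_per_channel: int = 1, window: int = 128) -> dict:
    """Does the LSB plane look like a payload rather than noise? Noise keeps the
    printable ratio near 0.38 in every window; script text drives a window
    towards 1.0; a PE payload starts with MZ."""
    plane = extract_lsb_plane(pixels, bits_per_channel)
    magic = next((n for m, n in KNOWN_MAGIC.items() if plane.startswith(m)), None)
    peak = max((printable_ratio(plane[i:i + window])
                for i in range(0, len(plane) - window + 1, window)), default=0.0)
    return {"magic": magic, "peak_printable_ratio": round(peak, 3),
            "suspicious": magic is not None or peak > 0.8}


def make_sample(payload: bytes, width: int = 64, height: int = 64, seed: int = 7) -> bytes:
    """Constructed test input, not a real Worok image: RGB noise (as a photo's
    LSBs would be) with `payload` written one bit per channel byte, MSB-first,
    into the lowest bit of the leading channel bytes."""
    rng = random.Random(seed)
    pixels = bytearray(rng.getrandbits(8) for _ in range(width * height * 3))
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the cover image")
    for idx, bit in enumerate(bits):
        pixels[idx] = (pixels[idx] & 0xFE) | bit
    return bytes(pixels)
```

Running `triage_lsb_plane(make_sample(b""))` reports no magic and a peak ratio well under 0.8, while a sample carrying a few hundred bytes of script text or an MZ-prefixed blob is flagged as suspicious.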
The PNG image containing the second payload is the following:
Figure: A PNG image file containing the info-stealer
The ‘DropBoxControl’ malware uses an actor-controlled DropBox account to receive data and commands or upload files from the compromised machine.
The commands are stored in encrypted files on the threat actor’s DropBox repository that the malware accesses periodically to retrieve pending actions.
Figure: Format of the DropBox task files; TaskType holds the command
The supported commands are the following:
- Run “cmd /c” with the given parameters
- Launch an executable with given parameters
- Download data from DropBox to the device
- Upload data from the device to DropBox
- Delete data on the victim’s system
- Rename data on the victim’s system
- Exfiltrate file info from a defined directory
- Set a new directory for the backdoor
- Exfiltrate system information
- Update the backdoor’s configuration
These functions indicate that Worok is a cyberespionage group interested in stealthy data exfiltration, lateral movement, and spying on the infected device.
Avast comments that the tools sampled from Worok attacks aren’t circulating in the wild, so they’re likely used exclusively by the threat group.
- tmontney – 2 days ago
Just like the SolarWinds breach a couple of years ago (not that it’s easy), it justifies filtering outbound traffic. If they’re not able to access their C&C endpoints, the attack is thwarted.