Researchers have found evidence that a newly identified threat actor is using PNG files to deliver malicious payloads.
Both ESET and Avast report tracking an attacker named Worok since early September 2022.
Worok has been busy targeting high-profile victims such as government organizations in the Middle East, Southeast Asia, and South Africa.
The attack is a multi-step process: the attackers use DLL sideloading to launch the CLRLoader malware, which in turn loads the PNGLoader DLL, a component capable of reading obfuscated code hidden inside PNG files.
The extracted code is DropBoxControl, a custom .NET C# infostealer that uses Dropbox file hosting for command-and-control and data exfiltration. The malware handles a number of commands, including running cmd /c, running an executable, downloading and uploading data to and from Dropbox, deleting data from target endpoints, setting up new directories (for additional backdoor payloads), and extracting system information.
Given its toolkit, researchers believe that Worok is a cyberespionage group that operates quietly, moves laterally across target networks and steals sensitive data. It also appears to rely on its own proprietary tools, which researchers have not observed anyone else using.
Worok is said to use "least significant bit (LSB) encoding", hiding small pieces of malicious code in the least significant bits of image pixels. Because flipping the lowest bit of a colour channel changes the pixel value by at most one, the carrier looks unchanged to the eye and the PNG remains a perfectly valid image file, which is why the technique slips past filters that only check whether a file parses.
Steganography seems to be increasingly popular as a cybercrime tactic. In a similar vein, Check Point Research (CPR) recently discovered a malicious package on the Python package repository PyPI that uses an image to deliver Trojan malware called apicolor, with GitHub as the main distribution channel.
The seemingly innocuous package downloads an image from the web, installs two additional requirements that process the image, and then runs the generated output with Python's exec command.
One of these two requirements is judyb, a steganography module capable of revealing hidden messages in images. This led the researchers back to the original image, which turned out to carry code that downloads further malicious packages from the network to the victim's endpoint.
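Both the Worok PNGLoader step and the judyb module used by apicolor rest on the same primitive: bits of a payload are written into, and later read back from, the least significant bit of each colour sample. The following is an added example, not code from the Worok or apicolor samples, that embeds a constructed payload into a constructed RGB buffer, extracts it again, and runs a pair-value chi-square check of the kind a defender can apply to flag LSB-embedded data. The image is modelled as a flat sequence of R,G,B bytes (what a PNG decoder hands back), so no image library is needed; the cover gradient, the random-looking payload and the 4-byte length header are all assumptions of this example.

```python
# Added example, not the Worok or apicolor code: LSB steganography round trip
# on a constructed RGB buffer, plus a pairs-of-values chi-square detector.
import random
import struct

# Constructed image geometry: 64x32 pixels, three 8-bit channels.
WIDTH, HEIGHT, CHANNELS = 64, 32, 3


def make_cover() -> bytes:
    """Constructed cover: a smooth RGB gradient whose channel values are all
    even. Real photos are noisier, but they show the same kind of imbalance
    between the counts of values 2k and 2k+1 that LSB embedding erases."""
    buf = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            for c in range(CHANNELS):
                buf.append((x * 3 + y * 5 + c * 60) & 0xFE)
    return bytes(buf)


def make_payload(n: int = 512) -> bytes:
    """Constructed stand-in for the obfuscated loader bytes a PNGLoader-style
    component carries. Encrypted or compressed code is close to uniformly
    random, which is exactly what the detector below relies on."""
    rng = random.Random(7)  # fixed seed so the example is reproducible
    return bytes(rng.getrandbits(8) for _ in range(n))


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write payload bits into the LSB of consecutive channel bytes.
    A 4-byte big-endian length header (an assumption of this example)
    precedes the payload so the extractor knows where to stop."""
    data = struct.pack(">I", len(payload)) + payload
    bits_needed = len(data) * 8
    if bits_needed > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i in range(bits_needed):
        bit = (data[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit  # clear LSB, then set it to the payload bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Reverse of embed_lsb: read the length header, then that many bytes."""
    if len(pixels) < 32:
        raise ValueError("buffer too small to hold a header")

    def read_bytes(start_bit: int, n: int) -> bytes:
        buf = bytearray(n)
        for i in range(n * 8):
            buf[i >> 3] |= (pixels[start_bit + i] & 1) << (7 - (i & 7))
        return bytes(buf)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("declared length exceeds image size")
    return read_bytes(32, length)


def lsb_pair_chi2(pixels: bytes, n=None):
    """Chi-square statistic over pairs of values (2k, 2k+1) in the first n
    channel bytes (all bytes if n is None). Embedding random-looking data
    pushes the counts of 2k and 2k+1 towards each other, so the statistic
    collapses to roughly the number of pairs present, while an untouched
    region scores far higher. Returns (chi2, pairs_used)."""
    region = pixels[:n] if n else pixels
    hist = [0] * 256
    for v in region:
        hist[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        total = hist[2 * k] + hist[2 * k + 1]
        if total == 0:
            continue
        expected = total / 2.0
        chi2 += (hist[2 * k] - expected) ** 2 / expected
        chi2 += (hist[2 * k + 1] - expected) ** 2 / expected
        pairs += 1
    return chi2, pairs


def run_demo() -> dict:
    """Embed, extract and compare the detector score before and after."""
    cover, payload = make_cover(), make_payload()
    stego = embed_lsb(cover, payload)
    region = (4 + len(payload)) * 8  # bytes actually touched by embedding
    return {
        "roundtrip_ok": extract_lsb(stego) == payload,
        "chi2_cover": lsb_pair_chi2(cover, region)[0],
        "chi2_stego": lsb_pair_chi2(stego, region)[0],
    }


if __name__ == "__main__":
    print(run_demo())
```

A real scanner does not know where the embedded region ends, so it slides the chi-square window across the image and looks for a stretch whose score drops to about the number of value pairs; with a natural photograph the contrast is smaller than in this synthetic cover but still measurable. The check only works against plain sequential LSB replacement, which is the simple variant described for Worok; spread or adaptive embedding needs richer statistics.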
Source: BleepingComputer