Researchers have found evidence of new threat actors using PNG files to deliver malicious payloads.
Both ESET and Avast have confirmed seeing a threat actor going by the name Worok using this method since early September 2022.
Apparently, Worok has been busy targeting high-profile victims, such as government organizations, across the Middle East, Southeast Asia, and South Africa.
The attack is a multi-stage process, in which the threat actors use DLL sideloading to execute the CLRLoader malware which, in turn, loads the PNGLoader DLL, capable of reading obfuscated code hiding in PNG files.
That code translates to DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft. This malware seems to support numerous commands, including running cmd /c, launching an executable, downloading and uploading data to and from Dropbox, deleting data from target endpoints, setting up new directories (for additional backdoor payloads), and extracting system information.
Given its toolkit, the researchers believe Worok to be the work of a cyberespionage group that works quietly, likes to move laterally across target networks, and steal sensitive data. It also seems to be using its own, proprietary tools, as the researchers haven’t observed them being used by anyone else.
Worok uses “least significant bit (LSB) encoding”, embedding tiny pieces of malicious code in the least important bits of the image’s pixels, it was said.
Steganography appears to be growing increasingly popular as a cybercrime tactic. In a similar vein researchers from Check Point Research (CPR) recently found a malicious package on the Python-based repository PyPI that uses an image to deliver a Trojan malware (opens in new tab)called apicolor, largely using GitHub as a distribution method.
The seemingly benign package downloads a picture from the web, and then installs extra tools that process the picture, and then trigger the processing generated output using the exec command.
One of those two requirements is the judyb code, a steganography module capable of revealing hidden messages within pictures. That led the researchers back to the original picture which, it turns out, downloads malicious packages from the web to the victim’s endpoint (opens in new tab).