Meet Worok, the cyber espionage group hiding malware within PNG image files

In a nutshell: Security researchers have found a new malware threat built around steganography. Worok appears to be a complex cyber-espionage operation whose individual stages are still partially a mystery. The operation's end goal, however, has been confirmed by two security firms.

Worok is using multi-stage malware designed to steal data and compromise high-profile victims, and it relies on steganography to hide pieces of the final payload inside an ordinary PNG image file. The malware was first described by ESET in September.

ESET describes Worok as a new cyber espionage group using previously undocumented tools, including a steganography routine that extracts a malicious payload from a plain PNG image file. A copy of that image is reproduced below.

The Worok operators have been targeting high-profile victims such as government agencies, with a particular focus on the Middle East, Southeast Asia and South Africa. ESET's visibility into the threat's attack chain was limited, but a new analysis from Avast now provides more details about the operation.

Avast reports that Worok uses a multistage design to hide its activity. The method used to breach networks is still unknown; once deployed, the first stage abuses DLL sideloading to execute the CLRLoader malware in memory. CLRLoader then runs the second-stage DLL module, PNGLoader, which extracts specific bytes hidden inside PNG image files. Those bytes are used to assemble two executables.

The steganography technique used by Worok is known as least significant bit (LSB) encoding: small pieces of the malicious code are stored in the lowest bit of the colour values of specific pixels, from which they can be read back later. Changing the lowest bit alters a colour channel by at most one, so the doctored image is visually indistinguishable from the original, and because PNG compression is lossless the hidden bits survive intact.
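To make the extraction step concrete, the Python below is an added example written for this article; it is not Worok's PNGLoader or any code from ESET or Avast. It hides a constructed byte string in the least significant bit of successive colour channels, writes a real PNG, decodes that PNG and recovers the payload. The cover image, the payload text and the bit layout (a 4-byte big-endian length prefix, then one bit per channel byte, most significant bit first) are assumptions for the demonstration; the layout Worok actually uses is not described on this page.

```python
"""LSB steganography round trip through a real PNG (added example, not Worok's code)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode 8-bit RGB pixels as a minimal PNG; every row uses filter type 0 (None)."""
    assert len(rgb) == width * height * 3, "pixel buffer does not match dimensions"
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 = RGB
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b""))


def read_png(png: bytes):
    """Decode the PNGs write_png() emits (8-bit RGB, filter 0 only). Returns (w, h, rgb)."""
    assert png[:8] == PNG_SIGNATURE, "not a PNG file"
    pos, idat, width, height = 8, b"", None, None
    while pos < len(png):
        length, kind = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            assert (depth, ctype) == (8, 2), "example handles 8-bit RGB only"
        elif kind == b"IDAT":
            idat += data  # IDAT may be split across several chunks; concatenate before inflating
        pos += 12 + length  # length + type + data + CRC
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for y in range(height):
        start = y * (stride + 1)
        assert raw[start] == 0, "filter types other than 0 are not handled here"
        rows.append(raw[start + 1:start + 1 + stride])
    return width, height, b"".join(rows)


def lsb_embed(rgb: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive channel bytes with a length prefix and the payload."""
    blob = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("cover too small: %d bits needed, %d channels available" % (len(bits), len(rgb)))
    out = bytearray(rgb)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear the lowest bit, then set it to the payload bit
    return bytes(out)


def lsb_extract(rgb: bytes) -> bytes:
    """Reverse lsb_embed(): read the 4-byte length, then that many payload bytes."""
    def read_bytes(start_channel: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (rgb[start_channel + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(rgb):
        raise ValueError("length prefix exceeds image capacity; no valid payload")
    return read_bytes(32, length)


def demo():
    """Cover -> embed -> PNG bytes -> decode -> extract. Returns (payload, max channel change)."""
    width, height = 64, 32
    # Constructed cover: a red/green gradient over a fixed blue, 64*32*3 = 6144 channel bytes.
    cover = bytes(((x * 4) & 0xFF) if c == 0 else ((y * 8) & 0xFF) if c == 1 else 0x80
                  for y in range(height) for x in range(width) for c in range(3))
    payload = b"constructed stand-in for a stage-2 blob"  # placeholder bytes, not real malware
    png = write_png(width, height, lsb_embed(cover, payload))
    _, _, decoded = read_png(png)
    return lsb_extract(decoded), max(abs(a - b) for a, b in zip(cover, decoded))


if __name__ == "__main__":
    recovered, delta = demo()
    print("recovered:", recovered, "| max per-channel change:", delta)
```

The round trip shows the two properties that make PNG a good carrier: the payload comes back byte-for-byte after compression, and no channel value moves by more than one. A loader that does this is indistinguishable, at the file level, from ordinary image handling, so detection has to rely on bit-plane statistics of suspect images or on the behaviour of the module that reads them, not on what the picture looks like.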

The first payload hidden this way is a PowerShell script, for which neither ESET nor Avast has been able to obtain a sample yet. The second is a custom information-stealing backdoor module named DropBoxControl, written in .NET C#, which receives remote commands through a compromised Dropbox account.

DropBoxControl supports a range of potentially destructive actions, including running "cmd /c" with supplied parameters, launching executable binaries, downloading data from Dropbox to the infected Windows system, deleting data on the system, exfiltrating system information or files from a specified directory, and more.

While analysts are still putting the pieces together, the Avast investigation confirms that Worok is a purpose-built operation for stealing data, spying on, and compromising high-level victims in specific regions of the world.
