Researchers have found evidence of new threat actors using PNG files to deliver malicious payloads.
Both ESET and Avast have confirmed that they have seen a threat actor named Worok using this method since early September 2022.
Apparently, Worok has been busy targeting high-profile victims, such as government organizations, in the Middle East, Southeast Asia, and South Africa.
The attack is a multi-stage process: the threat actors use DLL sideloading to run the CLRLoader malware, which in turn loads the PNGLoader DLL, which reads obfuscated code hidden inside PNG files.
That code translates to DropBoxControl, a custom .NET C# infostealer that exploits Dropbox file hosting for communications and data theft. This malware appears to support numerous commands, including running cmd /c, launching an executable file, downloading and uploading data to and from Dropbox, deleting data from target endpoints, creating new directories (for additional backdoor payloads) and extracting system information.
Given the toolkit, the researchers believe that Worok is a cyber-espionage group that works quietly, moves laterally across target networks, and steals sensitive data. It also appears to use its own proprietary tools, as the researchers did not observe them being used by anyone else.
Worok uses "least significant bit (LSB) encoding," in which small pieces of malicious code are written into the least significant bits of the image's pixel values, the researchers said.
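To make the LSB mechanism concrete from the defender's side, here is an added example (not code from the article or from any of the research teams it cites) that embeds bytes into the low bit of constructed pixel samples, recovers them, and scores the LSB plane by entropy. The helpers `embed_lsb`, `extract_lsb` and `lsb_plane_entropy` are hypothetical names; the pixel buffer is a flat, constructed byte string rather than a decoded PNG.

```python
"""Toy LSB steganography demo: hide bytes in the low bit of pixel samples,
recover them, and flag an LSB plane that looks like packed data."""
import hashlib
import math


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write payload bits (MSB first) into the LSB of successive channel bytes."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload larger than LSB capacity")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # only the low bit changes
    return bytes(out)


def extract_lsb(pixels: bytes, n_bytes: int) -> bytes:
    """Read the LSB of 8 successive channel bytes back into one byte, n_bytes times."""
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def lsb_plane_entropy(pixels: bytes, prefix_bytes: int = 256) -> float:
    """Shannon entropy (bits per byte) of the bytes carved from the LSB plane.
    A regular LSB plane (as in the constructed gradient below) scores near 0;
    compressed, encrypted or obfuscated code packed bit-for-bit scores high.
    Real photographic LSB planes are noisy, so a production detector would add
    statistical tests rather than rely on entropy alone."""
    data = extract_lsb(pixels, prefix_bytes)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


# Constructed carrier: a repeating 0..255 gradient, 2048 channel samples.
CLEAN_PIXELS = bytes(range(256)) * 8
# Constructed high-entropy payload (stands in for obfuscated loader code).
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
STEGO_PIXELS = embed_lsb(CLEAN_PIXELS, PAYLOAD)

if __name__ == "__main__":
    print("clean LSB entropy:", round(lsb_plane_entropy(CLEAN_PIXELS), 2))
    print("stego LSB entropy:", round(lsb_plane_entropy(STEGO_PIXELS), 2))
    print("payload recovered:", extract_lsb(STEGO_PIXELS, len(PAYLOAD)) == PAYLOAD)
```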
Steganography seems to be gaining popularity as a cybercrime tactic. In a similar vein, researchers at Check Point Research (CPR) recently found a malicious package on the Python package repository PyPI that uses an image to deliver a trojan called apicolor, largely using GitHub as the distribution method.
The seemingly benign package downloads an image from the web and then installs two additional packages, listed as its requirements, that process the image and then run the output generated by that processing with the exec command.
One of those two requirements is judyb, a steganography module that can reveal hidden messages in images. That led the researchers back to the original image which, it turns out, carries code that downloads malicious packages from the internet to the victim's endpoint.
Via: BleepingComputer