Wednesday, June 19, 2024

Hackers Hide Information-Stealing Malware in PNG Files Using Steganography

Experts at Avast, who built on the discoveries of ESET, the first to notice and report on the threat group known as “Worok”, conceals malware within PNG images to silently infect victims’ computers with information-stealing malware.

Reports say it targets high-profile companies and local governments in Asia. Currently, they are targeting energy companies in Central Asia and public sector entities in Southeast Asia to steal data based on the types of the attacked companies.

Worok Compromise Chain

The malware is allegedly spread by attackers using ProxyShell flaws. In a few rare instances, the ProxyShell vulnerabilities were exploited to maintain persistence within the victim’s network. 

The attackers then released their custom malicious kits using publicly accessible exploit tools. The final compromise chain is therefore simple: the first stage is CLRLoader, which executes a short piece of code to load the following stage (PNGLoader).

Using Steganographic Techniques 

The least-significant bit (LSB) encoding, according to experts, is one of the more widely used steganographic techniques. 

This technique often embeds the data in each pixel’s least important bits. In this particular approach, one pixel encodes a nibble (one bit for each alpha, red, green, and blue channel), meaning that two pixels hold a byte of secret information.

ESET and Avast were unable to recover the PowerShell script that is the initial payload that PNGLoader extracted from those bits.

The second payload, called DropBoxControl, is a custom.NET C# info-stealer that exploits the DropBox file hosting service for C2 communication, file exfiltration, and other purposes. It is concealed behind PNG files.

A backdoor called ‘DropBoxControl’ uses the DropBox service to connect with the attackers. It’s noteworthy that the C&C server is a DropBox account, and all communications, including instructions, uploads, and downloads, are carried out using common files in designated folders.

Recommended:  Killnet hackers announce Russian cyber attacks on UK for standing up to Putin's war

Experts say DropBoxControl runs commands based on the request files after checking the DropBox folder on a regular basis.

The attackers control the backdoor through ten commands as follows:

Final Word

The C# payload (DropBoxControl), which is stenographically embedded, verifies ‘Worok’ as the cyberespionage group. Through the DropBox account linked to current Google emails, they steal data.

It is possible that Worok’s tools are an APT effort that focuses on high-profile organizations in the business and public sectors in Asia, Africa, and North America given their rarity in the wild.

Suggest an edit to this article

Cybersecurity Knowledge Base

Latest Cybersecurity News

Cybersecurity Academy



Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
ClosePlease login
Just your average information security researcher from Delaware US.
User Avatar
Latest posts by RiSec.Mitch (see all)
Recommended:  REPORT: Ukrainian Hacker Sought By US Arrested In Switzerland
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Just your average information security researcher from Delaware US.

more infosec reads

Subscribe for weekly updates