Experts at Avast, building on the discoveries of ESET (the first to notice and report on the threat group), say the group known as “Worok” conceals malware within PNG images to silently infect victims’ computers with information-stealing malware.
Reports say it targets high-profile companies and local governments in Asia. Currently, the group is targeting energy companies in Central Asia and public sector entities in Southeast Asia, with the data stolen depending on the type of company attacked.
Attackers reportedly spread the malware using the ProxyShell flaws. In a few rare instances, the ProxyShell vulnerabilities were exploited to maintain persistence within the victim’s network.
The attackers then deployed their custom malicious kits using publicly accessible exploit tools. The resulting compromise chain is simple: the first stage is CLRLoader, which runs a short piece of code to load the next stage, PNGLoader.
Least-significant-bit (LSB) encoding, according to experts, is one of the more widely used steganographic techniques.
This technique embeds the hidden data in the least significant bits of each pixel. In this particular approach, one pixel encodes a nibble (one bit taken from each of the alpha, red, green, and blue channels), meaning that two pixels hold one byte of secret information.
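To make the nibble-per-pixel scheme concrete, here is an added example (not code from the article, Avast or ESET) that extracts bytes from RGBA pixels the way the description implies, together with a constructed encoder used only to build a test image; the bit order within the nibble and the nibble order within the byte are assumptions, since the article does not state them.

```python
from typing import Iterable, List, Tuple

Pixel = Tuple[int, int, int, int]  # (R, G, B, A), each 0-255

def nibble_from_pixel(px: Pixel) -> int:
    # One bit per channel packed into a nibble. Bit order is an assumption
    # (the article does not state it): A is the high bit, B the low bit.
    r, g, b, a = px
    return ((a & 1) << 3) | ((r & 1) << 2) | ((g & 1) << 1) | (b & 1)

def extract_lsb_bytes(pixels: Iterable[Pixel], length: int) -> bytes:
    # Two consecutive pixels form one byte; assumed first pixel = high nibble.
    out, high = bytearray(), None
    for px in pixels:
        if len(out) == length:
            break
        nib = nibble_from_pixel(px)
        if high is None:
            high = nib
        else:
            out.append((high << 4) | nib)
            high = None
    return bytes(out)

def embed_lsb_bytes(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    # Constructed inverse of the decoder, used only to build test input.
    if len(payload) * 2 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    nibbles = [n for byte in payload for n in ((byte >> 4) & 0xF, byte & 0xF)]
    for i, nib in enumerate(nibbles):
        r, g, b, a = out[i]
        out[i] = ((r & ~1) | ((nib >> 2) & 1), (g & ~1) | ((nib >> 1) & 1),
                  (b & ~1) | (nib & 1), (a & ~1) | ((nib >> 3) & 1))
    return out

def demo() -> bytes:
    # Constructed 4x4 RGBA cover image: 16 pixels hold at most 8 hidden bytes.
    cover = [((x * 37) % 256, (y * 59) % 256, (x * y * 11) % 256, 255)
             for y in range(4) for x in range(4)]
    secret = b"Get-Item"  # constructed stand-in for hidden script text
    stego = embed_lsb_bytes(cover, secret)
    # Each channel changes by at most 1, yet the bytes come back intact.
    assert all(abs(c - s) <= 1 for p, q in zip(cover, stego) for c, s in zip(p, q))
    return extract_lsb_bytes(stego, len(secret))
```

Because every channel moves by at most one step, the carrier image looks unchanged to the eye, which is why analysts inspect the LSB plane directly rather than the rendered picture when triaging suspicious PNGs.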
ESET and Avast were unable to recover the initial payload, a PowerShell script, that PNGLoader extracts from those bits.
The second payload, called DropBoxControl, is a custom .NET C# info-stealer that uses the DropBox file hosting service for C2 communication, file exfiltration, and other purposes. It is also concealed inside PNG files.
The ‘DropBoxControl’ backdoor uses the DropBox service to communicate with the attackers. It’s noteworthy that the C&C server is a DropBox account, and all communications, including instructions, uploads, and downloads, are carried out using ordinary files in designated folders.
Experts say DropBoxControl regularly polls the DropBox folder and runs commands based on the request files it finds there.
The attackers control the backdoor through ten commands as follows:
The steganographically embedded C# payload (DropBoxControl) confirms ‘Worok’ as a cyberespionage group. They steal data through the DropBox account, which is linked to active Google email accounts.
Given their rarity in the wild, Worok’s tools are likely part of an APT effort that focuses on high-profile organizations in the business and public sectors in Asia, Africa, and North America.
This post was last modified on 13 November 2022 11:16 PM