Heimdal
article featured image

Contents:

Worok, a newly discovered cyber espionage group, has been hiding malware in seemingly innocuous image files, corroborating a critical link in the threat actor’s infection chain. Worok appears to be a complex cyber-espionage operation, with individual stages that remain largely unknown. Two security firms, however, have confirmed the operation’s final target. 

How Exactly Does Worok Operate?

Worok employs multi-stage malware designed to steal data and compromise high-profile victims, concealing portions of the final payload in a plain PNG image file using steganography techniques. ESET was the first to discover the novel malware in September.

Worok operators targeted high-profile victims, such as government agencies, with a particular emphasis on the Middle East, Southeast Asia, and South Africa. ESET’s understanding of the threat’s attack chain was limited, but a new Avast analysis now provides more information about this operation.

“What is noteworthy is data collection from victims’ machines using the DropBox repository, as well as attackers communicating with the final stage using the DropBox API,” the company stated

Worok is also thought to have tactical overlaps with TA428, a Chinese threat actor.

The Slovak cybersecurity firm also documented Worok’s sequence, which uses a C++-based loader called CLRLoad to pave the way for an unknown PowerShell script embedded within PNG images, a technique known as steganography.

However, the initial attack vector is still unknown, though inevitable intrusions have used ProxyShell vulnerabilities in Microsoft Exchange Server to deploy the malware.

Details on the Attack

According to Avast, Worok employs a complex multistage design to conceal its activities. The method used to breach networks is still unknown; once deployed, the first stage takes advantage of DLL sideloading to run the CLRLoader malware in memory.

After that, the CLRLoader module runs the second-stage DLL module (PNGLoader), which extracts specific bytes hidden within PNG image files. Finally, these bytes are used to put together two executable files.

This new malware, called DropBoxControl, is a data-stealing implant that uses a Dropbox account for command and control, allowing the threat actor to upload and download files to particular folders and execute commands contained in a specific file.

Some interesting operations are the ability to run arbitrary executables, download and upload data, remove and rename files, collect file information, sniff network connections, and exfiltrate system metadata.

DropBoxControl has affected businesses and government institutions in several well-known nations, including Cambodia, Vietnam, and Mexico, according to Avast. 

Wrap Up

The malware’s creators are likely distinct from those who created CLRLoad and PNGLoad due to their “significantly different code quality,” the company added. Regardless, using the third-stage implant to gather essential files shows what Worok wants to learn and how its kill chain has been extended.

“The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America,” the researchers concluded. 

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics. 

Author Profile

Gabriella Antal

SMM & Corporate Communications Officer

linkedin icon

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE