Heimdal
article featured image

Contents:

Worok threat group is hiding information-stealing malware in PNG images. Using this technique, the hackers manage to infect devices without being detected.

The group was first spotted in September 2022 targeting high-profile victims from the Middle East, Southeast Asia, and South Africa.

How the Malware Works

Based on the evidence gathered about the Worok threat group, Avast’s report assumes that the hackers use DLL sideloading to execute the CLRLoader into memory to breach networks.

Next, the CLRLoader loads the second-stage DLL (PNGLoader), which extracts bytes embedded in PNG files and uses them to assemble two executables.

Source

Using steganography, Worok masks malicious code inside images that appear harmless at first look. The technique chosen is called “least significant bit (LSB) encoding” because it implies embedding small portions of code in the least significant bits from the pixels of an image.

PNGLoader first extracts from those bits a PowerShell script, then a custom .NET C# info-stealer (DropBoxControl) created to abuse the DropBox file hosting service to extract files, enable communication with the C2 server, and more.

How the DropBox Abuse Happens

An actor controlled DropBox account is used by the “DropBoxControl” malware to receive orders or to exfiltrate files from the infected device.

All the possible commands are encrypted and stored on a DropBox repository belonging to the hackers. This is repeatedly accessed by the malware to receive pending commands.

The supported commands are the following:

Run “cmd /c” with the given parameters

Launch an executable with given parameters

Download data from DropBox to the device

Upload data from the device to DropBox

Delete data on the victim’s system

Rename data on the victim’s system

Exfiltrate file info from a defined directory

Set a new directory for the backdoor

Exfiltrate system information

Update the backdoor’s configuration

Source

Looking at these commands, we can see that Worok hackers aim to do data exfiltration, lateral movement, and cyberespionage.

Also, the tools used in the attacks are not in free circulation on the Internet, so the threat group is most likely the only one who uses them.

If you liked this article, follow us on LinkedInTwitterFacebookYouTube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE