Worok hackers adopt steganography to hide malware in PNGs

November 17, 2022

The Worok hackers used steganography to hide malware inside PNG files, deploying an infostealer on targeted machines without raising suspicion among security defenders. The operation was spotted by researchers investigating a compromise that happened a couple of months ago.

The researchers warned that Worok is currently targeting high-profile entities, such as government agencies in South Africa, parts of Southeast Asia, and the Middle East. Unfortunately, their visibility into the group’s attack chain is limited.

In a follow-up report, the researchers gathered additional artefacts from the Worok attack samples. They confirmed the nature of the PNG files and added new details on the type of malware the actors used and the data exfiltration method they employed.

The Worok hackers might also use DLL sideloading to run their malware.

The tactic the Worok hackers use to breach networks remains unidentified. However, some researchers believe that the actors use DLL sideloading to load the CLRLoader malware loader into memory on targeted machines.

This assumption is based on evidence from previously attacked devices, where the researchers found four DLLs containing the CLRLoader code.

Subsequently, CLRLoader runs the second stage, PNGLoader, which retrieves bytes embedded in the PNG files and uses them to assemble the executables. The researchers therefore believe that the hackers use steganography to conceal the code inside image files that look entirely normal when opened in an image viewer.

In addition, the Worok hackers allegedly utilised a technique called “least significant bit encoding,” which stores small pieces of the malicious code in the least significant bits of the image’s pixel values, the bits that contribute least to what the eye sees.
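As an added illustration (not code from the article or from the Worok toolset), the following Python shows how least-significant-bit encoding hides bytes in pixel channel values and how an analyst can recover them. The cover image is a constructed raw byte array rather than a parsed PNG, and the 4-byte length prefix is an assumed framing convention, not something the article attributes to PNGLoader.

```python
# Added example, not code from the article or the Worok toolset: how LSB encoding
# hides bytes in pixel data, and how an analyst recovers them. Pixel data is a
# constructed raw byte string (one byte per channel), not a parsed PNG, so this
# runs without imaging libraries. The 4-byte length prefix is an assumed framing.

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write each payload bit into the LSB of one cover byte (constructed sample).
    A 4-byte big-endian length prefix tells the extractor how much to read."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]  # MSB first
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # only the lowest bit changes
    return bytes(out)


def _read_lsb_bytes(pixels: bytes, start_bit: int, count: int) -> bytes:
    """Pack 8 consecutive LSBs (starting at pixel index start_bit) into each byte."""
    out = bytearray()
    for i in range(count):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[start_bit + i * 8 + j] & 1)
        out.append(byte)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Reassemble the hidden bytes: read the length prefix, then exactly that many
    bytes, the way a PNGLoader-style stage rebuilds an executable from the image."""
    length = int.from_bytes(_read_lsb_bytes(pixels, 0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("declared payload length exceeds cover")
    return _read_lsb_bytes(pixels, 32, length)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change between two images. LSB embedding never exceeds 1,
    which is why the stego image looks unchanged in a viewer."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed 8x8 RGB gradient as the cover image (192 channel bytes)
    cover = bytes((x * 31 + c * 7) & 0xFF for x in range(64) for c in range(3))
    stego = embed_lsb(cover, b"CONSTRUCTED PAYLOAD")  # 4 + 19 bytes = 184 bits
    assert extract_lsb(stego) == b"CONSTRUCTED PAYLOAD"
    print("max channel delta:", max_channel_delta(cover, stego))  # 1
```

Comparing the recovered bytes with a byte-level diff of cover and stego image is the same check an analyst performs when triaging a suspicious image: the content changes are real but confined to the lowest bit of each channel.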

The second payload hidden in the PNG files is a custom .NET C# infostealer that abuses the DropBox file-hosting service for several functions, such as command-and-control and file exfiltration.

This second malware, called DropBoxControl, utilises an actor-controlled DropBox account to retrieve data and commands and to upload files from the infected device. Investigations revealed that the payload keeps its commands in encrypted files on the operator’s DropBox repository, which the malware frequently polls for pending actions.

These functions imply that Worok is a cyberespionage group interested in executing stealthy data exfiltration, spying, and lateral movement on the compromised device.
