Meet Worok, the cyber espionage group hiding malware within PNG image files

In a nutshell: Security researchers have found a new malware threat built to abuse steganography techniques. Worok appears to be an intricate cyber-espionage operation whose individual stages are still partly a mystery. The operation’s final goal, however, has been confirmed by two security companies.

Worok is using multi-stage malware designed to steal data and compromise high-profile victims, employing steganography techniques to hide pieces of the final payload in a plain PNG image file. The novel malware was first identified by ESET in September.

The company describes Worok as a new cyber espionage group that is using undocumented tools, including a steganography routine designed to extract a malicious payload from a plain PNG image file. A copy of the image in question is shown below.

The Worok operators have been targeting high-profile victims such as government agencies, with a particular focus on the Middle East, Southeast Asia and South Africa. ESET’s insight into the threat’s attack chain was limited, but a new analysis from Avast is now providing more details about the operation.

Avast indicates Worok uses a complex multistage design to hide its activity. The method used to breach networks is still unknown; once deployed, the first stage abuses DLL sideloading to execute the CLRLoader malware in memory. The CLRLoader module is then used to execute the second-stage DLL module (PNGLoader), which extracts specific bytes hidden within PNG image files. Those bytes are used to assemble two executable files.

The steganography method used by Worok is known as least significant bit encoding, which hides small pieces of the malicious code in the “lowest bits” of particular pixels in the image, from which they can be recovered later.
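As an added illustration of the least-significant-bit encoding described above (example code written for this page, not Worok’s PNGLoader or code from either vendor’s analysis): it recovers bytes from the LSB plane of constructed grayscale pixel data and applies a chi-square pair test that flags the flattened LSB statistics embedding leaves behind. The pixel grid, the payload and the embedding order (row-major, MSB-first per byte) are assumptions for the demonstration; a real loader chooses its own pixels and bit order.

```python
import random

def embed_lsb(pixels, payload):
    """Fixture helper: overwrite the LSB of successive pixels (row-major,
    MSB-first within each byte) with the payload bits; returns a new grid."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    out, k = [], 0
    for row in pixels:
        new_row = []
        for p in row:
            if k < len(bits):
                p, k = (p & 0xFE) | bits[k], k + 1
            new_row.append(p)
        out.append(new_row)
    return out

def extract_lsb(pixels, n_bytes):
    """Recover n_bytes from the LSB plane in the same row-major, MSB-first order."""
    bits = [p & 1 for row in pixels for p in row][:n_bytes * 8]
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))

def lsb_chi_square(pixels):
    """Chi-square over value pairs (2k, 2k+1). Unmodified images have uneven
    pair counts (large statistic); writing high-entropy data into the LSBs
    evens them out, so a value near the degrees of freedom suggests embedding."""
    counts = [0] * 256
    for row in pixels:
        for p in row:
            counts[p] += 1
    chi = 0.0
    for k in range(128):
        expected = (counts[2 * k] + counts[2 * k + 1]) / 2
        if expected:
            chi += (counts[2 * k] - expected) ** 2 / expected
    return chi

# Constructed 64x64 cover with only even values, so its LSB plane is all zeros.
COVER = [[((x + 2 * y) // 2) * 2 for x in range(64)] for y in range(64)]
# Constructed 512-byte pseudo-random payload: exactly fills the 4096 pixel LSBs.
_rng = random.Random(1)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(512))
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print("payload recovered:", extract_lsb(STEGO, len(PAYLOAD)) == PAYLOAD)
    print("chi-square cover: %.1f  stego: %.1f" % (lsb_chi_square(COVER), lsb_chi_square(STEGO)))
```

The cover scores 2048.0 (its pair counts are maximally uneven) while the stego grid lands near the roughly 95 degrees of freedom, which is the footprint a scanner would look for before attempting any extraction.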

The first payload hidden with this method is a PowerShell script for which neither ESET nor Avast have been able to obtain a sample yet. The second payload is a custom data-stealing and backdoor module named DropBoxControl, a routine written in .NET C#, designed to receive remote commands from a compromised Dropbox account.

DropBoxControl can execute several, and potentially dangerous, actions, including the ability to run the “cmd /c” command with specified parameters, launch executable binaries, download data from Dropbox to the infected (Windows) device, delete data on the system, exfiltrate system information or files from a specific directory, and more.

While analysts are still putting all the pieces together, the Avast analysis confirms that Worok is a custom operation built to steal data, spy on, and compromise high-level victims in specific regions of the world.
