
A threat group tracked as 'Worok' hides its payloads within PNG images to infect victims' machines with information-stealing malware without raising alarms.

This has been confirmed by researchers at Avast, who built upon the findings of ESET, the first to spot and report on Worok's activity in early September 2022.

ESET warned that Worok targeted high-profile victims, including government entities in the Middle East, Southeast Asia, and South Africa, but its visibility into the group's attack chain was limited.

Avast's report is based on additional artifacts the company captured from Worok attacks, confirming ESET's assumptions about the nature of the PNG files and adding new information on the type of malware payloads and the data exfiltration method.

Hiding malware in PNG files

While the method used to breach networks remains unknown, Avast believes Worok likely uses DLL sideloading to load the CLRLoader malware loader into memory.

This is based on evidence from compromised machines, where Avast's researchers found four DLLs containing the CLRLoader code.

Next, the CLRLoader loads the second-stage DLL (PNGLoader), which extracts bytes embedded in PNG files and uses them to assemble two executables.

Worok's complete infection chain (Source: Avast)

Hiding payload in PNGs

Steganography is the practice of concealing code or data inside image files that look normal when opened in an image viewer.

In the case of Worok, Avast says the threat actors used a technique called "least significant bit (LSB) encoding," which embeds small chunks of the malicious code in the least significant bits of the image's pixel values, where the change is invisible to the eye.

LSB encoding on image pixels (Source: Avast)
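As an added illustration (not code from Avast's or ESET's reports), the following Python shows the LSB mechanism a loader like PNGLoader relies on, together with a defender-side check: bits are recovered from each colour channel's least significant bit under an assumed layout (one bit per channel, row-major, 4-byte length prefix; the real layout is not on the page), and the image's LSB plane is scored for entropy and for an "MZ" executable marker. The cover image and payload are constructed sample data.

```python
import math

# Constructed demo data, not from any real Worok sample: a flat 10x10 RGB cover
# and a harmless byte string that starts with the "MZ" executable marker.
COVER = [(10, 20, 30)] * 100
PAYLOAD = b"MZ constructed sample"

def lsb_embed(pixels, payload):
    """Write payload bits into channel LSBs: one bit per channel, MSB-first,
    row-major, after a 4-byte big-endian length. The layout is an assumption
    for this demo, not the one PNGLoader uses."""
    framed = len(payload).to_bytes(4, "big") + payload
    chans = [c for px in pixels for c in px]
    bits = [(b >> i) & 1 for b in framed for i in range(7, -1, -1)]
    if len(bits) > len(chans):
        raise ValueError("payload does not fit in the cover image")
    for i, bit in enumerate(bits):
        chans[i] = (chans[i] & 0xFE) | bit
    return [tuple(chans[i:i + 3]) for i in range(0, len(chans), 3)]

def lsb_extract(pixels):
    """Recover the hidden bytes from channel LSBs (inverse of lsb_embed);
    a length field larger than the image is clamped rather than trusted."""
    lsbs = [c & 1 for px in pixels for c in px]
    def read(start, n):
        return bytes(int("".join(map(str, lsbs[start + 8*k:start + 8*k + 8])), 2)
                     for k in range(n))
    length = min(int.from_bytes(read(0, 4), "big"), (len(lsbs) - 32) // 8)
    return read(32, length)

def lsb_plane_entropy(pixels):
    """Shannon entropy (bits) of the LSB plane: 0.0 for a flat synthetic cover,
    pushed toward 1.0 by embedded compressed or encrypted data. Real photos
    already have noisy LSB planes, so treat this as a weak signal on its own."""
    lsbs = [c & 1 for px in pixels for c in px]
    p = sum(lsbs) / len(lsbs)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def scan(pixels):
    """Defender-side check: LSB entropy plus whether the bytes recovered under
    the assumed layout carry the 'MZ' marker of a Windows executable."""
    data = lsb_extract(pixels)
    return {"lsb_entropy": round(lsb_plane_entropy(pixels), 3),
            "pe_magic": data[:2] == b"MZ", "hidden_bytes": len(data)}
```

Running `scan` on a PNG's decoded pixels only finds payloads stored in this exact layout; a real triage tool would try several channel orders and bit positions before trusting a negative result.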

The first payload extracted from those bits by PNGLoader is a PowerShell script that neither ESET nor Avast could retrieve.

The second payload hiding in the PNG files is a custom .NET C# info-stealer (DropBoxControl) that abuses the DropBox file hosting service for C2 communication, file exfiltration, and more.

The PNG image containing the second payload is the following:

A PNG image file containing the info-stealer (Source: Avast)

DropBox abuse

The 'DropBoxControl' malware uses an actor-controlled DropBox account to receive commands and data, and to upload files from the compromised machine.

The commands are stored in encrypted files in the threat actor's DropBox repository, which the malware polls periodically to retrieve pending actions.

Form of DropBox files; TaskType is the command (Source: Avast)

The supported commands are the following:

  • Run "cmd /c" with the given parameters
  • Launch an executable with given parameters
  • Download data from DropBox to the device
  • Upload data from the device to DropBox
  • Delete data on the victim's system
  • Rename data on the victim’s system
  • Exfiltrate file info from a defined directory
  • Set a new directory for the backdoor
  • Exfiltrate system information
  • Update the backdoor’s configuration

These functions indicate that Worok is a cyberespionage group interested in stealthy data exfiltration, lateral movement, and spying on the infected device.

Avast comments that the tools sampled from Worok attacks aren't circulating in the wild, so they're likely used exclusively by the threat group.
