Worok Hides Backdoor Behind PNG Steganography
A recently identified cyberespionage gang, named Worok, was found hiding malware in seemingly harmless files. ESET researchers, in their new report, have detailed the killchain and the use of PNG steganography for payload delivery by the threat actor.
Diving into details
The attack campaign has been conducting cyberespionage campaigns against governments and high-profile organizations in the Middle East, Central and South Asia, and Africa, since 2020.
- Worok uses DLL side-loading, after gaining access, to execute the CLRLoad malware.
- CLRLoad deploys PNGLoad that comes in two variants: either a PowerShell script or a .NET C#-based payload. PNG files belonging to the second variant, which distributed a C# malware embedded via steganography.
- Actors use a new info-stealer, dubbed DropBoxControl, which uses a DropBox account for C2 communication.
- DropBoxControl has already affected organizations and government institutions in Mexico, Vietnam, and Cambodia.
Motive – Espionage
- DropBoxControl can execute arbitrary commands, rename and delete files, download and upload files, pilfer system metadata, capture file information, and eavesdrop on network communications.
- Researchers have, furthermore, added that DropBoxControl is most likely written by a different developer than PNGLoad and CLRLoad due to differences in code quality.
- The delivery of the third-stage payload as a file harvester indicates that Worok is focused on gathering intelligence, apart from extending the killchain.
More on the campaign
- Worok has launched attacks against telecoms, banking, energy, maritime, public, and government sectors.
- The availability of some of the tools used by Worok is pretty low in the wild. Besides, it uses publicly-available tools, such as Mimikatz, PowerShell, EarthWorm, and NBTScan, for reconnaissance.
The bottom line
The steganographically embedded DropBoxControl confirms that Worok is a cyberespionage gang. It exfiltrates data via the DropBox account registered on active Gmail accounts. While the initial compromise still remains unknown, the next stage foundings are expected to help researchers defend against the threat.
Resource : https://cyware.com/news/worok-hides-backdoor-behind-png-steganography-6fce422e