Experts at Avast, who built on the discoveries of ESET, the first to notice and report on the threat group known as “Worok”, conceals malware within PNG images to silently infect victims’ computers with information-stealing malware.
Reports say it targets high-profile companies and local governments in Asia. Currently, they are targeting energy companies in Central Asia and public sector entities in Southeast Asia to steal data based on the types of the attacked companies.
Worok Compromise Chain
The malware is allegedly spread by attackers using ProxyShell flaws. In a few rare instances, the ProxyShell vulnerabilities were exploited to maintain persistence within the victim’s network.
The attackers then released their custom malicious kits using publicly accessible exploit tools. The final compromise chain is therefore simple: the first stage is CLRLoader, which executes a short piece of code to load the following stage (PNGLoader).
Using Steganographic Techniques
The least-significant bit (LSB) encoding, according to experts, is one of the more widely used steganographic techniques.
This technique often embeds the data in each pixel’s least important bits. In this particular approach, one pixel encodes a nibble (one bit for each alpha, red, green, and blue channel), meaning that two pixels hold a byte of secret information.
ESET and Avast were unable to recover the PowerShell script that is the initial payload that PNGLoader extracted from those bits.
The second payload, called DropBoxControl, is a custom.NET C# info-stealer that exploits the DropBox file hosting service for C2 communication, file exfiltration, and other purposes. It is concealed behind PNG files.
A backdoor called ‘DropBoxControl’ uses the DropBox service to connect with the attackers. It’s noteworthy that the C&C server is a DropBox account, and all communications, including instructions, uploads, and downloads, are carried out using common files in designated folders.
Experts say DropBoxControl runs commands based on the request files after checking the DropBox folder on a regular basis.
The attackers control the backdoor through ten commands as follows:
The C# payload (DropBoxControl), which is stenographically embedded, verifies ‘Worok’ as the cyberespionage group. Through the DropBox account linked to current Google emails, they steal data.
It is possible that Worok’s tools are an APT effort that focuses on high-profile organizations in the business and public sectors in Asia, Africa, and North America given their rarity in the wild.
Azure Active Directory Security – Download Free E-Book