Hackers Hide IMalware in PNG Files

Experts at Avast, who built on the discoveries of ESET, the first to notice and report on the threat group known as “Worok”, conceals malware within PNG images to silently infect victims’ computers with information-stealing malware.

Reports say it targets high-profile companies and local governments in Asia. Currently, they are targeting energy companies in Central Asia and public sector entities in Southeast Asia to steal data based on the types of the attacked companies.

Worok Compromise Chain

The malware is allegedly spread by attackers using ProxyShell flaws. In a few rare instances, the ProxyShell vulnerabilities were exploited to maintain persistence within the victim’s network. 

The attackers then released their custom malicious kits using publicly accessible exploit tools. The final compromise chain is therefore simple: the first stage is CLRLoader, which executes a short piece of code to load the following stage (PNGLoader).

EHA
Worok Complete Compromise Chain

Using Steganographic Techniques 

The least-significant bit (LSB) encoding, according to experts, is one of the more widely used steganographic techniques

This technique often embeds the data in each pixel’s least important bits. In this particular approach, one pixel encodes a nibble (one bit for each alpha, red, green, and blue channel), meaning that two pixels hold a byte of secret information.

LSB on image pixels

ESET and Avast were unable to recover the PowerShell script that is the initial payload that PNGLoader extracted from those bits.

The second payload, called DropBoxControl, is a custom.NET C# info-stealer that exploits the DropBox file hosting service for C2 communication, file exfiltration, and other purposes. It is concealed behind PNG files.

https://decoded.avast.io/wp-content/uploads/sites/2/2022/11/Figure-9.-Malicious-PNG-file-with-steganographically-embedded-C-payload-1024x228.png
Malicious PNG file Containing Info-Stealer

A backdoor called ‘DropBoxControl’ uses the DropBox service to connect with the attackers. It’s noteworthy that the C&C server is a DropBox account, and all communications, including instructions, uploads, and downloads, are carried out using common files in designated folders.

Experts say DropBoxControl runs commands based on the request files after checking the DropBox folder on a regular basis.

The attackers control the backdoor through ten commands as follows:

Backdoor commands

Final Word

The C# payload (DropBoxControl), which is stenographically embedded, verifies ‘Worok’ as the cyberespionage group. Through the DropBox account linked to current Google emails, they steal data.

It is possible that Worok’s tools are an APT effort that focuses on high-profile organizations in the business and public sectors in Asia, Africa, and North America given their rarity in the wild.

Azure Active Directory Security – Download Free E-Book

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.