Posted on November 14, 2022 at 5:37 PM
Worok Threat Actors Discovered Planting Malware In PNG Files To Steal Information
Researchers at cybersecurity firm Avast, who followed up on the earlier discovery of ESET, revealed that threat actors are hiding information-stealing malware to silently infect victims’ computers.
The Malware Is Spread Through ProxyShell Bugs
According to the reports, the threat actors, known as “Worok” have been targeting local governments and high-profile companies in Asia. At the moment, they are launching attacks on public sector companies in Southeast Asia and energy companies in Central Asia. They are stealing the organizations’ data based on the type of organization and services they offer.
Reports revealed that the threat actors spread the malware through ProxyShell vulnerabilities. In some attacks, the ProxyShell flaws were exploited to maintain persistence on the targeted network.
The threat actors then used publicly accessible exploit tools to release their custom malicious kits. The last attack chain was more straightforward after they have successfully infiltrated the targeted system and gained persistence. In the first stage, they used the CLRLoader which executes a small piece of code for the PNGLoader.
Security software Could Not Notice The Hidden Info-Stealer On PNG Files
The threat actors are very familiar with Steganographic techniques, which is what was used for the exploit. In this case, they used the least-significant bit (LSB), one of the most widely used steganographic techniques, according to security experts.
Avast and ESET failed to recover the PowerShell scripts, which is the first payload extracted from those bits by PNGLoader.
The second payload is a custom.NET C# info-stealer known as DropBoxControl. It is used to exploit the services hosting DropBox for file exfiltration, C2 communication, and other purposes. The researchers revealed that the threat actors hid the info-stealer within the PNG files, making them unnoticeable by security tools.
The Threat Actors Have Strong Support From APT Groups
Steganography conceals code inside image files that seem normal when they are opened in an image viewer. The C#payload, which is embedded with steganography, is used to verify “Worok” as the cyberespionage group. They then target devices and steal data via the DropBox account linked to current Google emails.
It’s also possible that the Worok tools were designed by an APT that concentrates its attacks on high-profile targets in the business and public sectors in North America, Africa, and Asia. Researchers believe that the Worok actors are seriously backed or have strong support from ATP groups due to their rarity in the wild.
More Nation-State actors now use the Steganography Technique
Steganography has also been used for a good cause in the past. The use of steganography was documented during the tenure of UK Prime Minister Margaret Thatcher. It was deployed to identify individuals who were leaking unauthorized information to the press.
But the growing popularity of steganography means nation-state actors have also gotten involved in its use. This was evidenced in 2010 when 10 Russian SRV officers were arrested after pledging guilty to cyber espionage. But they were sent back to Russia due to an “exchange” between the US and Russia that involved the use of steganography.
As internet usage increases and the growth of multiple digital communications platforms, threat actors are increasingly leveraging steganography to plant malicious payload in their targets’ devices.
The Threat Actors Also Used DLL sideloading Technique
Researchers have also explained how the hackers deliver their malicious payload to their targets’ systems and stay undetected there. The hackers look out for trends in various internet spaces like social media. In most cases, they look for recent developments that have ignited curiosity among social media users.
Once they see information that will be trending, they create their caption and plant malicious payload on the link. Once the user eventually clicks on the link, they unknowingly download these malware-infested files that are properly hidden from security software.
After the payload downloads itself into the victim’s system, it starts wreaking havoc everywhere, looking for critical information that is stored in the computer.
Avast’s report was based on artifacts the security firm captured from Worok attacks, which confirmed ASET’s assumptions about the PNG files.
Although the method used to infiltrate the network is still unknown, Avast stated that the threat actors likely utilized the DLL sideloading technique to execute the CLRLoader malware into memory. The assumption is based on the activities the security company saw within some of the affected systems, where four DLLs that contain the CLRLoader were discovered.
