Worok Hackers Use Steganography to Hide New Malware from PNGs

Avast’s report was based on additional artifacts captured by Worok attacks. It confirms ESET’s assumptions regarding the nature of PNG files and adds new information about the malware payload and data exfiltration methods.

Hidden malware in PNG files

Although the exact method of breaching networks is unknown, Avast thinks Worok uses DLL sideloading for the CLRLoader malware loading into memory.

This conclusion is based upon evidence from compromised machines where Avast’s research found four DLLs that contained the CLRLoader Code.

The CLRLoader then loads the second-stage DLL, PNGLoader. This extracts bytes from PNG files and uses them for assembling two executables.

The hidden payload in PNGs

Steganography refers to hiding code in image files so that they appear normal when opened with an image viewer.

Worok was the victim of a “least significant bit” (LSB) encryption attack. This embeds small pieces of malicious code within the most important pixels of an image.

The PowerShell script is the first payload that PNGLoader extracts from these bits. This was not possible with ESET or Avast.

The second payload hidden in the PNG files is custom.NET C# information-stealer (DropBoxControl), which abuses DropBox file hosting to facilitate file exfiltration and C2 communication.

DropBox abuse

DropBoxControl malware uses an actor-controlled DropBox account for data, commands and uploads from the compromised computer.

The malware periodically accesses the DropBox repository to retrieve any pending actions and stores the commands in encrypted files.

These functions suggest that Worok is an international cyberespionage group. They are interested in stealthy data extortion, lateral movement and spying on infected devices.

Avast says that tools taken from Worok attacks don’t circulate in the wild so they are likely to be used only by the threat group.