More malware is being hidden in PNG images, so watch out

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Researchers have found evidence of new threat actors using PNG files to deliver malicious payloads.

Both ESET and Avast have confirmed seeing a threat actor going by the name Worok using this method since early September 2022.

Apparently, Worok has been busy targeting high-profile victims, such as government organizations, across the Middle East, Southeast Asia, and South Africa. 

Multi-staged attack

The attack is a multi-stage process, in which the threat actors use DLL sideloading to execute the CLRLoader malware which, in turn, loads the PNGLoader DLL, capable of reading obfuscated code hiding in PNG files. 

That code translates to DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft. This malware seems to support numerous commands, including running cmd /c, launching an executable, downloading and uploading data to and from Dropbox, deleting data from target endpoints, setting up new directories (for additional backdoor payloads), and extracting system information.

Original tools

Given its toolkit, the researchers believe Worok to be the work of a cyberespionage group that works quietly, likes to move laterally across target networks, and steal sensitive data. It also seems to be using its own, proprietary tools, as the researchers haven’t observed them being used by anyone else. 

Worok uses “least significant bit (LSB) encoding”, embedding tiny pieces of malicious code in the least important bits of the image’s pixels, it was said. 

Steganography appears to be growing increasingly popular as a cybercrime tactic. In a similar vein researchers from Check Point Research (CPR) recently found a malicious package on the Python-based repository PyPI that uses an image to deliver a Trojan malware called apicolor, largely using GitHub as a distribution method.

The  seemingly benign package downloads a picture from the web, and then installs extra tools that process the picture, and then trigger the processing generated output using the exec command. 

One of those two requirements is the judyb code, a steganography module capable of revealing hidden messages within pictures. That led the researchers back to the original picture which, it turns out, downloads malicious packages from the web to the victim's endpoint.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.