Hackers Hiding Malware Behind The PNG Images Using Steganography

The Worok threat infects victims’ computers with information-stealing malware by concealing malware within PNG images with the help of the Steganography technique, which makes it very difficult to detect by malware scanners.

The finding has substantiated one of the most crucial links in the chain of infection of the threat actor as claimed by the experts at Avast. These malicious PNG images are used by threat actors to conceal a payload that facilitates information theft under the guise of being an image.

In the past couple of months, ESET has been revealing details of attacks that Worok has been launching against several high-profile companies and local government agencies in the following regions:-

  • Middle East
  • Southeast Asia
  • South Africa

There are tactical overlaps between Worok and a Chinese threat actor known as TA428 that is believed to be sharing similar tactics.

Compromise Chain

Steganography is a technique that hides scripts within PNG images, such as the compromise series of Worok, which utilizes a C++-based loader which is known as “CLRLoad.”

As of right now, we do not know what vector was used in the initial attack. As part of certain intrusions, the malware was also deployed on Microsoft Exchange Server by exploiting the ProxyShell vulnerability.

A custom malicious kit was then deployed by the attackers using publicly available exploit tools that were available for free. Therefore, the final compromise chain can be summarized as follows:- 

First, CLRLoader is implemented, where simple code is implemented to load the PNGLoader, which is the second stage in the process.

In order to decode the malicious code possessed within the image, the PNGLoad comes in two different variants. While doing so, they launch either the following payloads:-

  • PowerShell script
  • .NET C#-based

It has been difficult for PowerShell to find the script and they have recently discovered a new malware called DropboxControl, which is spyware that steals information from the system. Provide the threat actor with the ability to upload, download, and run commands contained in specific files.

Malware in PNG Files

When a viewer of an image is opened to view the steganographic code within it, it appears as if the image file is normal.

An image was encoded in a way that allows malicious code to be embedded in the least significant bits of each pixel in the image using a technique known as “least significant bit” (LSB) encoding.

No matter how the third-stage implant is deployed, it is clear that Worok has intelligence-gathering objectives that go beyond simply harvesting files of interest.

Worok attacks have been prompted by tools that are not circulating in the wild. Therefore, it’s likely that these tools are used by the group themselves exclusively to conduct attacks.

Indicators of Compromise

PNG file with steganographically embedded C# payload

29A195C5FF1759C010F697DC8F8876541651A77A7B5867F4E160FD8620415977
9E1C5FF23CD1B192235F79990D54E6F72ADBFE29D20797BA7A44A12C72D33B86
AF2907FC02028AC84B1AF8E65367502B5D9AF665AE32405C3311E5597C9C2774

DropBoxControl

1413090EAA0C2DAFA33C291EEB973A83DEB5CBD07D466AFAF5A7AD943197D726

Also Read: The Next-Generation Secure Web Gateway (SWG) – What You Need To Know?

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

14 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

14 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

15 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

16 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

16 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

16 hours ago