A recently discovered cyber espionage group dubbed "Worok" has been hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain.
The purpose of the PNG files is to conceal a payload that’s used to facilitate information theft.
The development comes a little over two months after ESET disclosed details of attacks carried out by Worok against high-profile companies and local governments in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as TA428.
Worok's compromise sequence uses a C++-based loader called "CLRLoad" to pave the way for an as-yet-unrecovered PowerShell script embedded within PNG images, a technique known as steganography.
That said, the initial attack vector remains unknown, although certain intrusions have entailed using ProxyShell vulnerabilities in Microsoft Exchange Server to deploy the malware.
It was found that, after gaining initial access, the adversarial collective first performs lateral movement across the infected environment and then uses DLL side-loading to execute the CLRLoad malware.
PNGLoad, launched by CLRLoad (or alternatively another first-stage called PowHeartBeat), is said to come in two variants, each responsible for decoding the malicious code within the image to launch either a PowerShell script or a .NET C#-based payload.
The PowerShell script has continued to be elusive. However, researchers were able to flag a few PNG files belonging to the second category that dispensed steganographically embedded C# malware.
This new malware, dubbed DropBoxControl, is an information-stealing implant that uses a Dropbox account for command and control, enabling the threat actor to upload and download files to specific folders and to run commands specified in a designated file.
Some notable commands include the ability to execute arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate system metadata.
Cambodia, Vietnam, and Mexico are a few of the prominent countries in which companies and government institutions have been affected by DropBoxControl. The malware's authors are likely different from those behind CLRLoad and PNGLoad owing to the "significantly different code quality of these payloads."
Regardless, the deployment of the third-stage implant as a tool to harvest files of interest clearly indicates the intelligence-gathering objectives of Worok, and it also illustrates an extension of the group's kill chain.