Researchers have found evidence of new threat actors delivering malicious payloads hidden inside PNG files.
ESET and Avast have both confirmed that a threat actor known as Worok has been using this method as of early September 2022. Worok appears to have been actively targeting high-profile victims, such as government organisations, in the Middle East, Southeast Asia, and South Africa.
Attack in multiple stages
The attack is a multi-stage process: the threat actors use DLL sideloading to execute the CLRLoader malware, which in turn loads the PNGLoader DLL, a component capable of reading obfuscated code hidden in PNG files.
DropBoxControl is a C# infostealer that abuses Dropbox for command-and-control communication and data theft. Worok is thought to be the work of a cyberespionage group that operates quietly, moves laterally across target networks, and steals sensitive data. Worok appears to use its own proprietary tools, as no other actor has been observed using them.
Worok employs “least significant bit (LSB) encoding,” which embeds small fragments of malicious code in the least significant bits of the image’s pixel values. Check Point researchers recently discovered a separate Trojan that also appears to use an image to deliver the apicolor Trojan malware.
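As an added illustration of the LSB encoding described above (this is example code written for this page, not Worok's tooling and not code from ESET, Avast or Check Point), the Python below shows the analyst's side of the technique: recovering a length-prefixed payload that was written into the least significant bits of an image's pixel samples, and the classic pairs-of-values chi-square check that flags an LSB plane whose statistics have been flattened by embedded high-entropy data. The cover image and the hidden bytes are constructed in-line (the cover is synthetic, biased towards even values to mimic the uneven histogram of a real photograph); the `samples` argument stands for the flattened 8-bit RGB bytes you would get from decoding a PNG, which is assumed rather than performed so the block runs without an imaging library.

```python
import random

DOF = 127  # degrees of freedom of the pairs-of-values test on 8-bit samples


def _bits(data):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def make_cover(n_samples, seed=1):
    """Constructed cover: 8-bit samples whose histogram favours even values,
    standing in for the uneven value pairs of a real photograph (synthetic)."""
    rng = random.Random(seed)
    samples = bytearray()
    for _ in range(n_samples):
        value = rng.randrange(256)
        if rng.random() < 0.8:
            value &= 0xFE  # push most samples onto even values
        samples.append(value)
    return samples


def make_payload(n_bytes=1020, seed=7):
    """Constructed stand-in for an encrypted/compressed stage: random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def make_stego_sample(cover, payload):
    """Build the constructed test image: a 4-byte length prefix plus `payload`
    written into the LSB of successive samples (the layout the extractor expects)."""
    out = bytearray(cover)
    bits = list(_bits(len(payload).to_bytes(4, "big") + payload))
    if len(bits) > len(out):
        raise ValueError("cover image too small for payload")
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def lsb_extract(samples):
    """Recover a length-prefixed payload from the LSB plane; returns None when
    the length prefix is implausible for an image of this size."""
    def read(n_bytes, bit_offset):
        result = bytearray()
        for j in range(n_bytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (samples[bit_offset + j * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read(4, 0), "big")
    if length == 0 or 32 + length * 8 > len(samples):
        return None
    return read(length, 32)


def chi_square_pov(samples):
    """Westfeld/Pfitzmann pairs-of-values statistic. LSB embedding of balanced
    (e.g. encrypted) data equalises the counts of values 2k and 2k+1, so the
    statistic collapses towards the degrees of freedom instead of staying large."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi2


def lsb_plane_is_suspicious(samples, window=8192, threshold=3.0):
    """Flag an image whose leading `window` samples have an LSB plane that is
    statistically flat (chi2 close to DOF). Real tools slide the window to
    locate the embedded region; a single leading window is enough here."""
    return chi_square_pov(samples[:window]) / DOF < threshold


def demo():
    cover = make_cover(64 * 64 * 3)  # 64x64 RGB image, flattened
    payload = make_payload()         # 4 + 1020 bytes = exactly 8192 LSBs
    stego = make_stego_sample(cover, payload)
    return {
        "recovered_ok": lsb_extract(stego) == payload,
        "chi2_cover": chi_square_pov(cover[:8192]),
        "chi2_stego": chi_square_pov(stego[:8192]),
        "cover_flagged": lsb_plane_is_suspicious(cover),
        "stego_flagged": lsb_plane_is_suspicious(stego),
    }


if __name__ == "__main__":
    print(demo())
```

The extractor assumes the length-prefix layout used when constructing the sample; a real loader like PNGLoader may use a different framing, and an analyst would typically carve the raw LSB plane and look for a marker or a decryptable structure instead. The chi-square check is robust to that because it only measures how flat the value pairs have become, not what was hidden.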