Tech Support
Documentation
Login
Contact Us
Worok, the malware that hides in PNG image files
November 24, 2022 - TuxCare PR Team
Worok malware makes the rounds by deploying multi-level malware designed to steal data and compromise high-profile victims such as government entities in the Middle East, Southeast Asia, and South Africa, while hiding portions of the final payload in simple PNG images without raising alarms.
Worok probably uses DLL sideloading to execute the CLRLoader malware loader into memory, according to evidence from compromised machines. It starts by exploiting DLL sideloading to execute the CLRLoader malware in memory. Afterwards, the CLRLoader module is used to execute the second-level DLL module (PNGLoader), which extracts certain bytes hidden in PNG image files. These bytes are used to merge two executable files.
The first payload that is hidden by this method is a PowerShell script for which neither ESET nor Avast has an example. The second payload is a custom module called DropBoxControl that steals information and is controlled by a back door. It is a NET C # routine designed to receive remote commands from a compromised Dropbox account.
Worok’s steganography technique is known as the least significant bit coding and hides small pieces of malicious code in the lowest bits of certain pixels in the image, which can be recovered later.
The codes of these threat actors are known as the least significant bit (LSB) encoding, and they embed small chunks of malicious code in the pixels of the image while appearing normal when opened in an image viewer.
The DropBoxControl malware included in the PNG images supports commands such as running “cmd/c” with the given parameters, running an executable program with given parameters, downloading data from DropBox to the device, uploading data from the device to DropBox, deleting data on the victim’s system, renaming data on the victim’s system, exfiltrating file information from a defined directory, setting up a new backdoor directory, exfiltrating system information, and updating the backdoor configuration.
The sources for this piece include an article in BleepingComputer.
