Check the status of CVEs. Learn More.
Keeping your systems up 100% of the time requires live patching. Our solutions will align strongly with your risk, compliance, and operational uptime requirements.
TuxCare is trusted by the most innovative companies across the globe.
Learn about TuxCare's modern approach to reducing cybersecurity risk with Blogs, White Papers, and more.
Continually increasing Cybersecurity, stability, and availability of Linux servers and open source software since 2009.
TuxCare provides live security patching for numerous industries. Learn how TuxCare is minimizing risk for companies around the world.
Follow Us on Social
Worok malware makes the rounds by deploying multi-level malware designed to steal data and compromise high-profile victims such as government entities in the Middle East, Southeast Asia, and South Africa, while hiding portions of the final payload in simple PNG images without raising alarms.
Worok probably uses DLL sideloading to execute the CLRLoader malware loader into memory, according to evidence from compromised machines. It starts by exploiting DLL sideloading to execute the CLRLoader malware in memory. Afterwards, the CLRLoader module is used to execute the second-level DLL module (PNGLoader), which extracts certain bytes hidden in PNG image files. These bytes are used to merge two executable files.
The first payload that is hidden by this method is a PowerShell script for which neither ESET nor Avast has an example. The second payload is a custom module called DropBoxControl that steals information and is controlled by a back door. It is a NET C # routine designed to receive remote commands from a compromised Dropbox account.
Worok’s steganography technique is known as the least significant bit coding and hides small pieces of malicious code in the lowest bits of certain pixels in the image, which can be recovered later.
The codes of these threat actors are known as the least significant bit (LSB) encoding, and they embed small chunks of malicious code in the pixels of the image while appearing normal when opened in an image viewer.
The DropBoxControl malware included in the PNG images supports commands such as running “cmd/c” with the given parameters, running an executable program with given parameters, downloading data from DropBox to the device, uploading data from the device to DropBox, deleting data on the victim’s system, renaming data on the victim’s system, exfiltrating file information from a defined directory, setting up a new backdoor directory, exfiltrating system information, and updating the backdoor configuration.
The sources for this piece include an article in BleepingComputer.
TALK TO A CYBERSECURITY EXPERT
Stay updated with the latest news and announcements from TuxCare.com
ESET researchers discovered an ongoing campaign by the Bahamut APT...
A memory leak bug on Local Security Authority Subsystem Service...
After discovering malicious behaviors in 1,652 of 250,000 unverified Linux...
Despite fixes released by the chipmaker, a set of five...
The APT group DefrayX has launched a new version of...
DuckDuckGo, a privacy-focused search engine, has added an App Tracking...