Hackers Hide Information-Stealing Malware in PNG Files Using Steganography
Researchers at Avast, building on the findings of ESET (the first to observe and report on the threat group tracked as "Worok"), have found that the group conceals malware inside PNG images to silently infect victims' computers with data-stealing malware.
Reports indicate that it targets high-profile companies and local governments in Asia. Currently the group is targeting energy companies in Central Asia and public-sector entities in Southeast Asia, stealing data that matches the type of organization attacked.
Worok Compromise Chain
The malware is allegedly spread by attackers exploiting the ProxyShell flaws. In a few rare cases, the ProxyShell vulnerabilities were used to maintain persistence inside the victim's network.
The attackers then deployed their custom malicious kits using publicly available exploit tools. The resulting compromise chain is straightforward: the first stage is CLRLoader, which executes a short piece of code to load the next stage (PNGLoader).
The utilize of Steganographic Ways
Least-significant-bit (LSB) encoding, according to the researchers, is one of the more widely used steganographic techniques.
This method embeds the data in the least significant bits of each pixel. In this particular implementation, one pixel encodes a nibble (one bit for each of the alpha, red, green, and blue channels), which means that two pixels hold one byte of hidden data. Because only the lowest bit of each channel changes, the stego image is visually indistinguishable from the original.
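The nibble-per-pixel scheme described above, as an added worked example (this is illustration code written for this page, not Worok's loader or anything recovered by ESET or Avast). It operates on a plain list of RGBA tuples so it runs without an image library; the bit order (high nibble in the first pixel, red carrying the most significant bit of each nibble, alpha the least) and the sample gradient image and stand-in payload are assumptions constructed for the example, since the article does not specify them.

```python
# Added illustration of 1-bit-per-channel LSB steganography in RGBA pixels:
# 4 bits per pixel, so two pixels carry one payload byte.
# Bit ordering below is an assumption made for this example.

CHANNELS = 4  # one LSB each for R, G, B, A


def capacity_bytes(pixels):
    """Maximum payload size: 4 bits per pixel, hence two pixels per byte."""
    return len(pixels) // 2


def embed(pixels, payload):
    """Return a copy of `pixels` (list of (r, g, b, a) tuples, values 0-255)
    whose channel LSBs carry `payload`. Raises ValueError if it does not fit."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError(
            f"payload needs {2 * len(payload)} pixels, image has {len(pixels)}")
    out = list(pixels)
    for i, byte in enumerate(payload):
        # Assumed order: high nibble in pixel 2i, low nibble in pixel 2i+1.
        for half, nibble in enumerate(((byte >> 4) & 0xF, byte & 0xF)):
            px = list(out[2 * i + half])
            for ch in range(CHANNELS):
                bit = (nibble >> (3 - ch)) & 1    # R gets bit 3 ... A gets bit 0
                px[ch] = (px[ch] & 0xFE) | bit    # overwrite only the LSB
            out[2 * i + half] = tuple(px)
    return out


def extract(pixels, length):
    """Reassemble `length` bytes from the channel LSBs; inverse of embed()."""
    if length > capacity_bytes(pixels):
        raise ValueError("requested more bytes than the image can hold")
    data = bytearray()
    for i in range(length):
        byte = 0
        for half in range(2):
            for ch in range(CHANNELS):
                byte = (byte << 1) | (pixels[2 * i + half][ch] & 1)
        data.append(byte)
    return bytes(data)


def max_channel_delta(before, after):
    """Largest per-channel change the embedding introduced (at most 1)."""
    return max(abs(a - b) for pa, pb in zip(before, after) for a, b in zip(pa, pb))


# Constructed sample input: an 8x8 RGBA gradient and a stand-in payload
# (the real first-stage PowerShell script was not recovered by the researchers).
SAMPLE_PIXELS = [((x * 32) & 0xFF, (y * 32) & 0xFF, ((x + y) * 16) & 0xFF, 255)
                 for y in range(8) for x in range(8)]
SAMPLE_PAYLOAD = b"Write-Host 'stub'"


def demo():
    """Embed the sample payload, extract it again, and report the pixel change."""
    stego = embed(SAMPLE_PIXELS, SAMPLE_PAYLOAD)
    recovered = extract(stego, len(SAMPLE_PAYLOAD))
    return recovered, max_channel_delta(SAMPLE_PIXELS, stego)


if __name__ == "__main__":
    recovered, delta = demo()
    print(recovered, "max per-channel change:", delta)
```

When carving a suspect PNG by hand, the same `extract` loop applied to the decoded pixel buffer recovers the raw bitstream; because only the LSB plane is touched, file size and visual appearance give no hint, and the only tell is that the LSB plane of a natural image is rarely as structured as an embedded script.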
ESET and Avast were unable to recover the PowerShell script that serves as the initial payload PNGLoader extracts from these bits.
The second payload, known as DropBoxControl, is a custom .NET C# info-stealer that abuses the Dropbox file-hosting service for C2 communication, file exfiltration, and other functions. It, too, is hidden inside PNG files.
The DropBoxControl backdoor uses Dropbox to communicate with the attackers. Notably, the C&C "server" is a Dropbox account, and all communication, including commands, uploads, and downloads, is carried out through ordinary files placed in designated folders.
According to the researchers, DropBoxControl periodically checks the Dropbox folder and executes commands according to the request files it finds there.
The attackers control the backdoor through a set of ten commands.
Closing Discover
The steganographically embedded C# payload (DropBoxControl) confirms 'Worok' as a cyberespionage group. The group exfiltrates data through Dropbox accounts linked to active Google email addresses.
Given how rarely these tools are seen in the wild, it is likely that Worok's toolset is an APT effort focused on high-profile organizations in the private and public sectors in Asia, Africa, and North America.
Source credit : cybersecuritynews.com