Researchers have recently become aware of a threat group, dubbed “Worok”. They are hiding malware inside of PNG files as the method for infecting victims’ computers. This was confirmed by anti-malware software company Avast, that used the results of analysis performed by ESET to identify this method of delivery.

The news that Worok was active as a threat group first broke in September 2022, as ESET raised the alarm that the group was targeting a number of high-profile entities across South Africa, Southeast Asia, and the Middle East. ESET admitted at the time that their visibility into the group’s activities was limited.

Avast examined additional artifacts that it had obtained during analysis of the threat actor’s activities, which confirmed ESET’s guesses regarding the PNG files being the source of malware delivered to target systems, which led to data exfiltration from victim’s systems.

The exact method used to breach networks, unfortunately, is not yet precisely known; still, Avast stated that it believes that Worok is most likely relying on DLL sideloading as a means for executing CLRLoader to load malware into systems’ memory. Avast bases this claim on evidence obtained from compromised machines, which Avast assessed and found four DLLs that contained CLRLoader code.

Once it is able to execute, CLRLoader loads a stage two DLL by the name of PNGLoader, by which bytes embedded in PNG files are extracted and used to assemble two executable files.

Long known to be a technique used for various clandestine activities, steganography is defined as “the concealing of data inside image files that appear normal when opened in an image viewer.”

Avast believes that Worok uses a mechanism named "least significant bit (LSB) encoding," by which small chunks of malicious code are embedded in whichever are the least noticeable sections of the pixels in an image file.

LSB on image pixels Source: Avast

A Powershell script—that neither threat research group was able to successfully retrieve—is the first payload extracted from a malicious image file, while the second payload is a custom .NET C# info-stealer known as DropBoxControl that takes advantage of the commonly used file hosting solution, DropBox, as its command and control channel for data exfiltration, communications, and anything else the attackers wish to do.

Below is what the second payload’s image file looks like when examined with the human eye:

A PNG image file containing the info-stealer Source: Avast

The threat actors use their own DropBox account to receive data from the DropBoxControl malware and to issue commands or submit files to be uploaded to the target machine. Any commands issued are stored in files in the attacker’s DropBox repository in an encrypted state, while the malware is programmed to periodically access those files to obtain its instructions.

Form of DropBox files, TaskType is command Source: Avast

That Worok is specifically using these mechanisms points to espionage as the most likely motivation for the group, which can use the aforementioned functionality to stealthily copy data from the victims’ networks, or expand their foothold within the network, or perform other activities while avoiding detection by many of the common defensive measures employed across organizations.