Meet Worok, the cyber espionage group hiding malware within PNG image files

Security researchers have discovered a new malware threat designed to abuse steganography techniques. Worok appears to be a complex cyber-espionage operation whose individual stages are still in part a mystery. The operation’s final target, however, has been confirmed by two security firms.

Worok is using multi-stage malware designed to steal data and compromise high-profile victims, using steganography techniques to hide pieces of the final payload in a plain PNG image file. The novel malware was first discovered by ESET in September.

The company describes Worok as a new cyber espionage group that is using undocumented tools, including a steganography routine designed to extract a malicious payload from a plain PNG image file.

The Worok operators were targeting high-profile victims like government agencies, with a specific focus on the Middle East, Southeast Asia and South Africa. ESET’s knowledge into the threat’s attack chain was limited, but a new analysis from Avast is now providing additional details about this operation.

Avast suggests Worok uses a complex multistage design to hide its activities. The method used to breach networks is still unknown; once deployed, the first stage abuses DLL sideloading to execute the CLRLoader malware in memory. The CLRLoader module is then used to execute the second-stage DLL module (PNGLoader), which extracts specific bytes hidden within PNG image files. Those bytes are used to assemble two executable files.

The steganography technique used by Worok is known as least significant bit encoding, which hides small portions of the malicious code in the “lowest bits” within specific pixels in the image that can be recovered later.

The first payload hidden with this method is a PowerShell script for which neither ESET nor Avast have been able to obtain a sample yet. The second payload is a custom information-stealing and backdoor module named DropBoxControl, a routine written in .NET C#, designed to receive remote commands from a compromised Dropbox account.

DropBoxControl can execute many – and potentially dangerous – actions, including the ability to run the “cmd /c” command with given parameters, launch executable binary files, download data from Dropbox to the infected (Windows) device, delete data on the system, exfiltrate system information or files from a specific directory, and more.

While analysts are still putting all the pieces together, the Avast investigation confirms that Worok is a custom operation designed to steal data, spy, and compromise high-level victims in specific regions of the world.