Threat Group Named Worok Performs Espionage Activities With Backdoors Hidden Inside Image Files

A recently discovered cyber-espionage group called Worok has been found to hide malware in image files. The PNG files serve to conceal a malicious payload used to facilitate information theft.

Avast discovered that Worok used a C++-based payload called CLRLoad to pave the way for a PowerShell script embedded in PNG images, using a concealment technique known as steganography. The findings show that, after gaining initial access, the threat actor used DLL injection to execute the CLRLoad malware.

The malware DropboxControl, which is used in the attack chain, relies on a Dropbox account for command and control (C&C) and captures data by allowing the threat actor to download, upload, and run files in specific folders. Private companies and government agencies operating in locations such as Cambodia, Vietnam, and Mexico are among those affected by DropboxControl.

Figure 1: Extended compromise chain Source: Avast
Avast confirmed the Worok findings of ESET researchers and extended the known attack chain.

The tools used by Worok, which capture data through Dropbox accounts registered to active Google e-mail addresses, are not very common. Worok is considered to be an APT project focused on high-profile organizations in the private and public sectors in Asia, Africa and North America.

As a precaution against targeted cyber attacks:

  • E-mails, attachments, and links from suspicious parties should not be trusted,
  • Files or programs should be downloaded from reliable sources,
  • The most up-to-date versions of existing systems/programs should be used,
  • IoCs related to the attack campaign should be blocked by security solutions.
