More malware is being hidden in PNG images, so watch out

Researchers have found evidence of new threat actors using PNG files to deliver malicious payloads.

Both ESET and Avast have confirmed seeing a threat actor going by the name Worok using this method since early September 2022.

Apparently, Worok has been busy targeting high-profile victims, such as government organizations, across the Middle East, Southeast Asia, and South Africa. 

Multi-staged attack

The attack is a multi-stage process, in which the threat actors use DLL sideloading to execute the CLRLoader malware which, in turn, loads the PNGLoader DLL, capable of reading obfuscated code hidden in PNG files.

That code translates to DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft. This malware seems to support numerous commands, including running cmd /c, launching an executable, downloading and uploading data to and from Dropbox, deleting data from target endpoints, setting up new directories (for additional backdoor payloads), and extracting system information.

Original tools

Given its toolkit, the researchers believe Worok to be the work of a cyberespionage group that works quietly, likes to move laterally across target networks, and steals sensitive data. It also seems to be using its own, proprietary tools, as the researchers haven’t observed them being used by anyone else.

According to the researchers, Worok uses “least significant bit (LSB) encoding”, embedding small pieces of malicious code in the least significant bits of the image’s pixel values.
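To make the LSB technique concrete from a defender's side, here is an added example (not code from the article, the researchers, or the Worok toolset) that builds a constructed cover buffer and a constructed random payload, replaces the pixel LSBs to create a test sample, and then runs the pairs-of-values chi-square statistic, a standard LSB steganalysis check, over both. The pixel values and payload are synthetic; the pixel buffer stands in for the decoded sample bytes of a PNG.

```python
import random

def lsb_embed(pixels, payload):
    """Replace the least significant bit of consecutive pixel bytes with
    the payload's bits (MSB first). Used here only to build a test sample."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in cover")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego

def lsb_extract(pixels, nbytes):
    """Read nbytes back out of the LSB plane, reversing lsb_embed."""
    out = bytearray()
    for i in range(0, nbytes * 8, 8):
        byte = 0
        for p in pixels[i:i + 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)

def pov_chi_square(pixels):
    """Pairs-of-values chi-square statistic (Westfeld/Pfitzmann).
    LSB replacement with random-looking bits pushes the counts of each
    value pair (2k, 2k+1) toward equality, so a low value (near the 127
    degrees of freedom for 8-bit samples) suggests a filled LSB plane."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2 = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected:
            chi2 += (hist[k] - expected) ** 2 / expected
    return chi2

def make_cover(n, seed=1):
    """Constructed cover bytes: skewed so even values are ~4x as common
    as odd ones, standing in for the unequal pair counts of real images."""
    rng = random.Random(seed)
    return [(rng.randrange(256) & 0xFE) | int(rng.random() < 0.2) for _ in range(n)]

def make_payload(n, seed=2):
    """Constructed random bytes, standing in for a compressed or encrypted stage."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))
```

On the constructed cover the statistic is in the thousands, while the sample with a fully written LSB plane drops to roughly the 127 expected from noise alone; on real images the same check is run per colour channel and per block to localise partial embeddings.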

Steganography appears to be growing increasingly popular as a cybercrime tactic. In a similar vein, researchers from Check Point Research (CPR) recently found a malicious package on the Python-based repository PyPI that uses an image to deliver a Trojan malware called apicolor, largely using GitHub as a distribution method.

The seemingly benign package downloads a picture from the web, installs extra tools that process the picture, and then runs the output generated by that processing using the exec command.

One of those two requirements is judyb, a steganography module capable of revealing hidden messages within pictures. That led the researchers back to the original picture which, it turns out, downloads malicious packages from the web to the victim's endpoint.

Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/9T3etDz