A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor’s infection chain.
Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that’s used to facilitate information theft.
“What is noteworthy is data collection from victims’ machines using Dropbox repository, as well as attackers using Dropbox API for communication with the final stage,” the company said.
The development comes a little over two months after ESET disclosed details of attacks carried out by Worok against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as TA428.
The Slovak cybersecurity company also documented Worok’s compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown PowerShell script embedded within PNG images, a technique known as steganography.
That said, the initial attack vector remains unknown, although some intrusions have involved exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server to deploy the malware.