Avast security researchers have described a large espionage operation that relies on steganography: the Worok group hides malicious code inside image files and uses it to steal information from its targets.
According to the researchers, Worok uses a sophisticated multi-stage toolset whose final payload is hidden inside PNG image files. The bytes of the malicious stage are spread across the pixel data, so the file still opens and displays as an ordinary image. ESET first documented Worok's toolset in September 2022 but was unable to recover the payload carried inside the PNG files; Avast's analysis filled that gap.
The campaign unfolds in several stages, which helps it pass unnoticed. Avast could not determine the full toolset or the initial access vector, i.e. how the attackers first get into a victim's network. What is better understood is how the malware operates once it is in place. The first stage is CLRLoader, a native DLL that masquerades as a legitimate Windows library (Dynamic Link Library) and whose only job is to load the next stage.
The code hidden in the image launches a script on Windows computers
CLRLoader then loads a second library, PNGLoader, a .NET DLL that reads the least-significant bits of the pixels of a PNG file and reassembles them into the next payload. Depending on the variant, that payload is either a PowerShell script or DropBoxControl, a .NET C# backdoor that receives its instructions from a remote Dropbox account and uses the same account to send data back.
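The following is an added illustration of the generic least-significant-bit (LSB) technique the paragraph describes; it is not Worok's code, and the bit layout (a 4-byte big-endian length prefix, then payload bits in raster order across the R, G, B channels) and the absence of any payload encryption are assumptions chosen for clarity, not PNGLoader's actual format. It builds a synthetic cover image, hides a harmless constructed stand-in payload in a valid PNG using only the standard library, then does what a loader does conceptually: decodes the image and reads the LSB plane back out. The check at the end shows why this is hard to spot by eye: no colour value moves by more than one unit.

```python
"""LSB PNG steganography round trip, standard library only (illustration, not Worok's code)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for the hidden stage: harmless text, not a real payload.
SAMPLE_PAYLOAD = b"Write-Output 'stand-in for the hidden stage'"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte length, tag, data, CRC32 over tag+data."""
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def write_png(pixels, width, height) -> bytes:
    """Encode (r, g, b) tuples as an 8-bit RGB PNG, filter type 0 on every row."""
    raw = bytearray()
    for y in range(height):
        raw.append(0)  # per-row filter byte: 0 = None
        for x in range(width):
            raw.extend(pixels[y * width + x])
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Parse the minimal PNG written above back into (pixels, width, height)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB is handled here")
        elif tag == b"IDAT":
            idat += body  # IDAT chunks may be split; concatenate before inflating
        pos += 12 + length  # length + tag + data + crc
    raw = zlib.decompress(idat)
    stride = 1 + 3 * width
    pixels = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        pixels.extend(tuple(row[1 + 3 * x:4 + 3 * x]) for x in range(width))
    return pixels, width, height


def embed(pixels, payload: bytes):
    """Hide length prefix + payload in the lowest bit of each R, G, B value, in raster order."""
    blob = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in blob for i in range(8)]
    if len(bits) > 3 * len(pixels):
        raise ValueError("cover image too small for payload")
    out, k = [], 0
    for px in pixels:
        ch = list(px)
        for c in range(3):
            if k < len(bits):
                ch[c] = (ch[c] & 0xFE) | bits[k]  # touch only the least-significant bit
                k += 1
        out.append(tuple(ch))
    return out


def _bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - len(bits) % 8, 8))


def extract(pixels) -> bytes:
    """Inverse of embed: read the LSB plane, take the length prefix, then that many bytes."""
    bits = [v & 1 for px in pixels for v in px]
    (n,) = struct.unpack(">I", _bits_to_bytes(bits[:32]))
    if 32 + 8 * n > len(bits):
        raise ValueError("length prefix exceeds LSB capacity; not produced by embed")
    return _bits_to_bytes(bits[32:32 + 8 * n])


def make_cover(width=40, height=30):
    """Constructed synthetic gradient cover image, so no image file is needed."""
    return [((x * 6) & 0xFF, (y * 8) & 0xFF, ((x + y) * 3) & 0xFF) for y in range(height) for x in range(width)]


def build_stego_png(payload=SAMPLE_PAYLOAD, width=40, height=30):
    """Return (png_bytes, cover_pixels) with the payload hidden inside a valid PNG."""
    cover = make_cover(width, height)
    return write_png(embed(cover, payload), width, height), cover


def recover_payload(png_bytes: bytes) -> bytes:
    """What a loader such as PNGLoader does conceptually: decode the image, read the LSB plane."""
    pixels, _, _ = read_png(png_bytes)
    return extract(pixels)


def max_channel_delta(a, b) -> int:
    """Largest per-channel difference between two pixel lists; LSB embedding moves each value by at most 1."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))
```

Because the carrier is a valid, lossless PNG, the hidden bits survive storage and download unchanged; a JPEG recompression would destroy them, which is one reason such loaders use PNG. For defenders, the practical lesson is that the image itself is inert: detection has to focus on the loader that reads it (a .NET DLL parsing pixel data and handing the result to PowerShell or the CLR) rather than on the image bytes.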
The chain is elaborate enough that the researchers assess the campaign as the work of a state-sponsored actor. The known targets are high-profile organisations, including government bodies, in the Middle East, South Africa and South East Asia; ordinary users are unlikely to be singled out. It remains good practice to be wary of attachments and downloads from unverified sources.
Source : Bleeping Computer