The Worok threat group has been confirmed by Avast researchers to be using PNG images to conceal information-stealing malware, following earlier ESET findings that suspected such a delivery vector, reports BleepingComputer.
While it remains unclear how Worok initially breaches networks, the group is believed to use DLL sideloading to execute the CLRLoader malware loader in memory, according to Avast. The report showed that CLRLoader then loads the second-stage DLL, PNGLoader, which extracts bytes embedded in PNG files to build two executables.
Worok hid the malware within the PNG images using least-significant-bit (LSB) steganography, and PNGLoader was found to carry a PowerShell script as an initial payload along with DropBoxControl, a custom .NET C# information stealer. DropBoxControl can execute "cmd /c" commands, download and run files, upload data to and download data from DropBox, delete, rename and exfiltrate data, and create backdoor directories.
Vulnerable Apache NiFi instances are being targeted in new attacks deploying the Kinsing cryptomining malware, as indicated by a significant spike in HTTP requests for "/nifi" on May 19, according to The Hacker News.
Numerous fraudulent websites impersonating legitimate software, including ChatGPT, Gimp, AstraChat, and Go To Meeting, were used in a new RomCom malware campaign run from December 2022 to April 2023 by Cuba ransomware affiliate Void Rabisu, also known as Tropical Scorpius; the campaign mostly targeted Eastern Europe, according to BleepingComputer.
The Anonymous Sudan threat operation has demanded $3 million from Scandinavian Airlines to end the distributed denial-of-service attacks it has waged against the airline's websites since February, reports The Record, a news site from cybersecurity firm Recorded Future.