Avast researchers have confirmed that the Worok threat group uses PNG images to conceal information-stealing malware, following earlier findings by ESET that had assumed such a threat vector, reports BleepingComputer. How Worok initially breaches networks remains uncertain, but according to Avast the group is believed to have used DLL sideloading to execute the CLRLoader malware loader in memory. The report showed that CLRLoader loads the second-stage DLL, PNGLoader, which extracts bytes embedded in PNG files and uses them to create two executables. Worok used least significant bit (LSB) encoding, a steganography technique, to hide the malware within the PNG images, with PNGLoader found to contain a PowerShell script as an initial payload and a custom .NET C# information stealer, DropBoxControl. DropBoxControl enables the execution of "cmd /c", download execution, DropBox data uploads and downloads, and data deletion, renaming, and exfiltration, as well as backdoor directory creation.
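For analysts triaging suspect images, the following added example (not code from Avast, ESET, or the malware) rebuilds the least-significant-bit plane of already-decoded pixel bytes and checks it for a file header. The bit layout (one bit per channel byte, packed MSB-first), the function names, and the sample buffers are assumptions made for illustration; the report summary above does not specify Worok's exact layout.

```python
import math
from collections import Counter

# Well-known magic numbers that suggest a file hidden in the bit stream.
MAGICS = {b"MZ": "PE executable", b"\x1f\x8b": "gzip stream", b"PK\x03\x04": "zip archive"}

def extract_lsb(pixels: bytes) -> bytes:
    """Collect the lowest bit of every channel byte, packed MSB-first.

    Assumption: one hidden bit per channel byte, in storage order. `pixels`
    is decoded image data (for example Pillow's Image.tobytes()), not the
    compressed PNG file itself.
    """
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        byte = 0
        for value in pixels[i:i + 8]:
            byte = (byte << 1) | (value & 1)
        out.append(byte)
    return bytes(out)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(pixels: bytes) -> dict:
    """Report whether the LSB plane starts with a known file header."""
    stream = extract_lsb(pixels)
    hit = next((name for magic, name in MAGICS.items() if stream.startswith(magic)), None)
    return {"header": hit, "entropy": round(entropy(stream), 2), "stream": stream}

def make_sample(payload: bytes, size: int = 4096) -> bytes:
    """Constructed test input: a smooth gradient with payload bits in the LSBs."""
    cover = bytearray((i // 16) % 256 for i in range(size))
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    for i, bit in enumerate(bits):
        cover[i] = (cover[i] & 0xFE) | bit
    return bytes(cover)

CLEAN = make_sample(b"")                         # constructed, nothing embedded
TAINTED = make_sample(b"MZ" + bytes(range(64)))  # constructed, harmless filler bytes

if __name__ == "__main__":
    for label, px in (("clean", CLEAN), ("tainted", TAINTED)):
        r = triage(px)
        print(label, r["header"], r["entropy"])
```

A payload that is encrypted or compressed before embedding shows no recognizable header, so a miss here does not clear the image.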