Worok Malware

A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain.

Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft.

"What is noteworthy is data collection from victims' machines using Dropbox repository, as well as attackers using Dropbox API for communication with the final stage," the company said.

The development comes a little over two months after ESET disclosed details of attacks carried out by Worok against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as TA428.


The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown PowerShell script embedded within PNG images, a technique known as steganography.

That said, the initial attack vector remains unknown as yet, although certain intrusions have entailed the use of ProxyShell vulnerabilities in Microsoft Exchange Server to deploy the malware.

Avast's findings show that the adversarial collective makes use of DLL side-loading upon gaining initial access to execute the CLRLoad malware, but not before performing lateral movement across the infected environment.

CLRLoad Malware Loader

PNGLoad, which is launched by CLRLoad (or alternatively another first-stage called PowHeartBeat), is said to come in two variants, each responsible for decoding the malicious code within the image to launch either a PowerShell script or a .NET C#-based payload.

The PowerShell script has continued to be elusive, although the cybersecurity company noted it was able to flag a few PNG files belonging to the second category that dispensed a steganographically embedded C# malware.

"At first glance, the PNG pictures look innocent, like a fluffy cloud," Avast said. "In this specific case, the PNG files are located in C:\Program Files\Internet Explorer, so the picture does not attract attention because Internet Explorer has a similar theme."

This new malware, codenamed DropboxControl, is an information-stealing implant that uses a Dropbox account for command-and-control, enabling the threat actor to upload and download files to specific folders as well as run commands present in a certain file.


Some of the notable commands include the ability to execute arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate system metadata.

Companies and government institutions in Cambodia, Vietnam, and Mexico are few of the prominent countries affected by DropboxControl, Avast said, adding the authors of the malware are likely different from those behind CLRLoad and PNGLoad owing to "significantly different code quality of these payloads."

Regardless, the deployment of the third-stage implant as a tool to harvest files of interest clearly indicates the intelligence-gathering objectives of Worok, not to mention serves to illustrate an extension to its killchain.

"The prevalence of Worok's tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America," the researchers concluded.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.