In a nutshell: Security researchers have discovered a new malware threat designed to abuse steganography techniques. Worok appears to be a complex cyber-espionage operation whose individual stages are still in part a mystery. The operation's final target, however, has been confirmed by two security firms.

Worok is using multi-stage malware designed to steal data and compromise high-profile victims, using steganography techniques to hide pieces of the final payload in a plain PNG image file. The novel malware was first discovered by ESET in September. The company describes Worok as a new cyber espionage group that is using undocumented tools, including a steganography routine designed to extract a malicious payload from a plain PNG image file. The Worok operators were targeting high-profile victims like government agencies, with a specific focus on the Middle East, Southeast Asia and South Africa.

ESET's knowledge of the threat's attack chain was limited, but a new analysis from Avast is now providing additional details about this operation. Avast suggests Worok uses a complex multistage design to hide its activities. The method used to breach networks is still unknown; once deployed, the first stage abuses DLL sideloading to execute the CLRLoader malware in memory. The CLRLoader module is then used to execute the second-stage DLL module (PNGLoader), which extracts specific bytes hidden within PNG image files. Those bytes are used to assemble two executable files.

The steganography technique used by Worok is known as least significant bit encoding, which hides small portions of the malicious code in the "lowest bits" of specific pixels in the image, from which they can be recovered later.
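To make the "lowest bits" idea concrete, here is an added illustration of least-significant-bit encoding on a constructed raw channel buffer; it is not code from the article or from the ESET/Avast reports, and the 4-byte length prefix, the function names and the sample payload are assumptions for illustration, not Worok's actual PNGLoader format. It shows why the embedding is invisible to the eye: no channel value moves by more than 1.

```python
"""Least-significant-bit (LSB) encoding on a raw 8-bit channel buffer.
Each payload bit replaces bit 0 of one channel value; everything else in
the pixel is untouched. A real PNG would first be decoded to such a
buffer (e.g. RGB bytes); here the buffer is constructed in the test."""


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide `payload` in the LSBs of `cover`, prefixed by a 4-byte length.
    (Length prefix is an assumed framing, not Worok's real format.)"""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover buffer too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # keep 7 high bits, replace bit 0
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Recover a payload written by embed_lsb: read the length, then the body."""

    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            val = 0
            for i in range(8):  # MSB first, matching embed_lsb
                val = (val << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds buffer; not an LSB payload")
    return read_bytes(32, length)


def max_channel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-channel change the embedding introduced (at most 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    # Constructed sample: a 1024-byte gradient-like channel buffer.
    sample_cover = bytes((i * 7) % 256 for i in range(1024))
    sample_stego = embed_lsb(sample_cover, b"constructed payload bytes")
    print(extract_lsb(sample_stego), max_channel_delta(sample_cover, sample_stego))
```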