A new cyber espionage group has been discovered that is hiding malware in PNG image files. The group, which has been named Worok, is believed to be responsible for a number of attacks against high-profile targets.
As the world becomes increasingly digitized, so do the methods of those who would do us harm. More people are becoming aware of how malware is distributed, which has caused hackers to try different methods to infect your devices. In the past, hackers have primarily used malicious attachments, such as Word documents or PDF files, to spread malware. However, some hackers are changing their tactics and using something less obvious to spread malicious code. They’re hiding malware in PNG files.
According to cybersecurity company Avast, “Worok”, a new cyber espionage group, is now using steganographic embedding to compromise PNG files and attack high-profile companies and government agencies. PNG files are generally considered safe because they have minimal compression and are similar to the better-known JPG format. This is a worrying development, as it shows that hackers are increasingly using sophisticated methods to avoid detection and infect victims.
Steganographic embedding hides malware inside an image file, which makes it tough for antivirus and anti-malware software to detect. Once a compromised file lands on a targeted device, it passes through several stages before the hidden payload is extracted.
Avast has observed Worok employing a complex multi-stage design in order to conceal its activities. The method used to initially breach networks is still unknown; however, once deployed, the first stage abuses DLL side-loading in order to execute the CLRLoader malware in memory. The CLRLoader module is then used to load and run the second-stage DLL module (PNGLoader). PNGLoader extracts specific bytes hidden within PNG image files, and these bytes are used to assemble two executable files.
The steganography technique used by Worok is known as ‘least significant bit encoding.’ This technique hides small portions of malicious code in the lowest bit of specific pixel values in an image. The code can later be recovered by reading back the lowest bits of those pixels.
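To make the least-significant-bit idea concrete for analysts, here is an added example (not Avast's analysis and not Worok's code) that models an image as a flat byte string of 8-bit channel values, writes a sample payload into the lowest bit of each value, reads it back, and applies a simple triage heuristic. The cover image, the sample payload and the 4-byte length prefix are all assumptions constructed for the demonstration; no image library is needed.

```python
"""Least-significant-bit (LSB) steganography, illustrated from an analyst's side.

Added example, not code from the article or from the malware it describes. An image is
modelled as a flat bytes object of 8-bit channel values, which is how an image library
would hand the pixel data over. The length prefix and the cover image are constructed
assumptions for this demonstration.
"""


def make_cover(samples: int = 4096) -> bytes:
    """Constructed 'image': a smooth gradient whose LSB plane is highly regular."""
    return bytes((i // 16) % 256 for i in range(samples))


def embedded_bit_count(payload: bytes) -> int:
    """Number of channel values consumed: 4-byte length prefix + payload, one bit each."""
    return 8 * (4 + len(payload))


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write payload bits into the lowest bit of successive channel values.

    A 4-byte big-endian length prefix (an assumed layout) tells the extractor where the
    hidden data ends. Each channel value changes by at most 1, so the image looks the same.
    """
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]  # MSB first
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Recover hidden bytes from the LSB plane: read the length prefix, then that many bytes.

    Raises ValueError when the prefix does not fit the image, which is what happens when
    the routine is run on a clean image that carries no hidden data.
    """

    def read_bytes(start_bit: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start_bit + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds image size: probably no hidden data")
    return read_bytes(32, length)


def lsb_transition_rate(pixels: bytes, n: int) -> float:
    """Share of neighbouring channel pairs (first n samples) whose LSBs differ.

    In smooth image regions the LSB plane is correlated with its neighbours; a region
    whose LSBs flip about half the time behaves like embedded data. Coarse triage only.
    """
    lsbs = [p & 1 for p in pixels[:n]]
    flips = sum(a != b for a, b in zip(lsbs, lsbs[1:]))
    return flips / (len(lsbs) - 1)


if __name__ == "__main__":
    cover = make_cover()
    payload = b"stego test"  # constructed sample, stands in for hidden bytes
    stego = embed_lsb(cover, payload)
    n = embedded_bit_count(payload)
    print("recovered:", extract_lsb(stego))
    print("LSB flip rate, clean region: %.3f" % lsb_transition_rate(cover, n))
    print("LSB flip rate, embedded region: %.3f" % lsb_transition_rate(stego, n))
```

With a real PNG you would first decode it to raw channel values (for instance Pillow's `Image.open(path).tobytes()`) and pass that byte string in. The transition-rate check is only a quick way to flag regions worth a closer look; real samples use their own layout, so the length prefix here is just one illustrative convention.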
Worok’s motive is to steal data
The malware’s primary function is to open a backdoor on the compromised computer. Once it is in place, hackers can run up to 10 commands on the device, including uploading data to the machine through Dropbox or downloading information into the hacker’s Dropbox. Additionally, they can delete any files on the device. Avast explained that stealing data is the hackers’ ultimate goal; however, while the examples discovered so far have targeted governments and high-profile companies, this technique can be used against anyone. That’s why you must be careful when dealing with seemingly harmless images.
Keeping your computer safe from Worok’s PNG malware
- If you receive a text message or email with an image or attachment from an unknown sender, don’t click on it. It could be malicious and infect your device with malware; it’s best to delete the message and block the sender if you don’t know them.
- Ensure that your operating system and apps are updated; having the most recent versions of your programs means you have the latest security patches to help protect against cybersecurity threats.
- Have trusted antivirus software on all of your devices; this will help protect against malware and other cybersecurity threats.