ESET and Avast security researchers have just discovered evidence of threat actors delivering malicious code using PNG files. Both companies confirmed that a threat actor under the name “Worok” has been using this method since early September 2022.
According to the report, “Worok” has been busy targeting high-profile victims including government organizations from the Middle East, Southeast Asia, and South Africa.
The attack appears to be a multi-stage process in which the attacker executes the CLRLoader malware which loads PNGLoader DLL that is capable of reading obfuscated code that is hidden in PNG files. This malware code appears to support numerous commands including launching an executable and downloading and uploading data to and from Dropbox, running cmd /c, deleting data, and setting up new directories that can be used for backdoor payloads.
A seemingly benign package can download a PNG picture from the web and then install extra tools that process the picture and trigger the processing generated output using the exec command.
According to researchers, this malware could be the work of a cyberespionage group that is working quietly across target networks and stealing sensitive data.