Worok hackers are spreading malware via PNG images

AH Privacy Data Breach Hackers 26

According to Bleeping Computer, Worok hackers are now hiding malware in PNG images to target users and government entities in the Middle East, Southeast Asia, and South Africa. The hackers are using the steganography method.

The malware hidden in a PNG file can reportedly steal the victim’s device data without raising any alarm. Until now, Avast and ESET researchers have confirmed that Worok hackers are trying to target users with information-stealing malware. However, high-profile victims are at greater risk. Avast research reveals more details about the Worok attackers’ work.

Worok hackers hide malware in PNG files

As per the Avast report, the attackers are likely using the DLL sideloading to execute the CLRLoader malware loader into memory. However, it’s yet unknown what methods hackers use to breach networks. These details are obtained from infected devices where Avast’s researchers found four DLLs with CLRLoader code.


In the next step, CLRLoader should load a second-stage DLL (PNGLoader). The PNGLoader extracts bytes embedded in PNG files to assemble executables. Everything seems normal in the image viewers, but that PNG file is actually stealing data from the device. This method is called Steganography, and victims will never know of it.

According to Avast researchers, Worok hackers are using the “least significant bit (LSB)” encoding technique. In this technique, small chunks of the malicious codes are embedded in the least important bits of the image’s pixels.

There are two payloads extracted from those bits by PNGLoader, the first is a PowerShell script, and the second is a custom .NET C# info-stealer (DropBoxControl). The second payload abuses the DropBox file hosting service for C2 communication, file exfiltration, and more. Additionally, the DropBoxControl malware can receive data and commands or upload files from the victim’s device through an actor-controlled DropBox account. These commands are stored in encrypted files in the actor’s DropBox repository, and malware can access them periodically.