"Avast Details Worok Espionage Group's Compromise Chain"

Avast researchers observed the recently discovered espionage group Worok abusing the Dropbox API to exfiltrate data through a backdoor hidden in seemingly harmless image files. The investigation started from an ESET analysis of attacks on organizations and local governments in Asia and Africa. Avast captured several PNG files carrying a data-stealing payload; data is collected from victims' machines into a Dropbox repository, and the attackers communicate with the final stage through the Dropbox API.

In laying out the compromise chain, the researchers describe how the attackers gain initial access by exploiting ProxyShell vulnerabilities, then use publicly available exploitation tools to deploy their custom malware. The first stage, CLRLoader, loads the next-stage payload, PNGLoader. Two variants of PNGLoader were found; both decode malicious code hidden in an image and execute either a PowerShell script or a .NET C#-based payload. The PowerShell script has remained elusive, but Avast identified several PNG files of the second category containing steganographically embedded C# malware.

Avast extends the chain documented by ESET with a third stage, a .NET C# payload named DropboxControl. DropboxControl is an information-stealing backdoor that uses the Dropbox service for command-and-control (C2) communication. It can run arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and steal metadata. Based on significant differences in source code and code quality, Avast assesses that DropboxControl was not written by the author of CLRLoader and PNGLoader. This article continues to discuss details regarding the Worok espionage group's compromise chain.
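To make concrete what "steganographically embedded" means in a loader chain like the one above, the following added example (written for this page, not code from Avast, ESET or the Worok toolset) hides a byte string in the least-significant bits of the pixel bytes of a constructed PNG and then recovers it by parsing the PNG back. Least-significant-bit encoding with a 4-byte length prefix is an assumption chosen for illustration; the page does not specify which stego scheme PNGLoader decodes. The carrier image, the payload string and all function names are constructed for the example, and the PNG parser deliberately handles only 8-bit RGB images whose rows use filter type 0, which is all the companion writer produces.

```python
"""LSB steganography round-trip on a minimal, self-built PNG (constructed example)."""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(width: int, height: int, pixels: bytes) -> bytes:
    """Encode 8-bit RGB pixels (width*height*3 bytes) as a PNG, filter type 0 on every row."""
    if len(pixels) != width * height * 3:
        raise ValueError("pixel buffer does not match dimensions")
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[r * stride:(r + 1) * stride] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Return (width, height, pixels) for an 8-bit RGB PNG whose rows all use filter 0.

    Chunk CRCs are verified; unsupported bit depths, colour types or filters raise.
    """
    if data[:8] != PNG_MAGIC:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("only 8-bit RGB is handled here")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    if width is None:
        raise ValueError("missing IHDR")
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for r in range(height):
        line = raw[r * (stride + 1):(r + 1) * (stride + 1)]
        if line[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        rows.append(line[1:])
    return width, height, b"".join(rows)


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the LSB of successive pixel bytes, prefixed by a 4-byte big-endian length."""
    msg = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]  # MSB first
    if len(bits) > len(pixels):
        raise ValueError("payload too large for carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then that many bytes from the LSB plane."""
    def take(n_bytes: int, bit_offset: int) -> bytes:
        val = bytearray()
        for b in range(n_bytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[bit_offset + b * 8 + i] & 1)
            val.append(byte)
        return bytes(val)

    (length,) = struct.unpack(">I", take(4, 0))
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds carrier size (no embedded message?)")
    return take(length, 32)


def demo() -> bytes:
    """Build a 64x64 carrier, hide a constructed payload, re-parse the PNG, recover the payload."""
    width, height = 64, 64
    carrier = bytes((x * 7 + y * 3 + c * 11) & 0xFF
                    for y in range(height) for x in range(width) for c in range(3))
    payload = b"Write-Host 'stage 3 placeholder'"  # constructed stand-in, not real Worok code
    png = build_png(width, height, embed_lsb(carrier, payload))
    _, _, recovered_pixels = parse_png(png)
    return extract_lsb(recovered_pixels)


if __name__ == "__main__":
    print(demo())
```

The length-prefix check in `extract_lsb` is what an analyst's extractor relies on when sweeping a directory of suspect PNGs: on a clean image the LSB plane is effectively noise, so a decoded length that exceeds the carrier is the normal "nothing here" outcome rather than an error in the image. A real PNGLoader sample may use a different bit layout, channel order or framing, so the decoder above is a template to adapt from a disassembly, not a drop-in tool.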

Security Affairs reports "Avast Details Worok Espionage Group's Compromise Chain"

Submitted by Anonymous on