Researchers at the security company Avast report that the recently identified Worok group is distributing malware that hides its payload with steganography and steals confidential data.
For initial access the attackers use DLL side-loading to run the first-stage loader, CLRLoader, which then triggers PNGLoader. CLRLoader is a DLL whose DllMain entry point loads the next stage, the .NET build of PNGLoader.
PNGLoader is a loader that extracts bytes from a PNG file and reassembles them into executable code. It is a .NET DLL protected with .NET Reactor, and its file description imitates that of legitimate software. In the case studied, the PNG files sat in the C:\Program Files\Internet Explorer folder, so the images do not attract attention.
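To make the PNGLoader stage concrete, here is an added example; it is not Avast's code and not Worok's loader, and the bit-level layout it uses (a 4-byte length followed by the payload, one bit per colour channel in the least significant bit) is an assumption, because the article does not describe how the bytes are laid out inside the image. A payload is hidden in an 8-bit RGB PNG and a loader-style routine then parses the PNG, pulls the bits back out and accepts the result only if it looks like a PE file. The carrier image and the stand-in payload are constructed in memory, and the PNG is written and read without any external imaging library.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
WIDTH, HEIGHT = 32, 32  # constructed carrier: 3072 channel bytes = 384 bytes of LSB capacity


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, tag, body, CRC over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def build_png(pixels: bytes, width: int, height: int) -> bytes:
    """Encode raw RGB bytes as an unfiltered (filter type 0) 8-bit RGB PNG."""
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Walk the chunk list and return (width, height, rgb_bytes).
    Handles only what build_png produces: 8-bit RGB with filter type 0 on every row."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, None, None, b""
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 tag + body + 4 crc
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("example handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
    raw, stride, rows = zlib.decompress(idat), width * 3, []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("example handles filter type 0 only")
        rows.append(row[1:])
    return width, height, b"".join(rows)


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Hide a 4-byte big-endian length plus the payload in the LSB of each channel byte.
    Assumed layout: the article does not say how Worok's images are encoded."""
    blob = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in blob for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Inverse of embed: read the length field, then that many bytes, from channel LSBs."""
    def read(start_bit: int, n: int) -> bytes:
        vals = bytearray()
        for k in range(n):
            b = 0
            for i in range(8):
                b = (b << 1) | (pixels[start_bit + k * 8 + i] & 1)
            vals.append(b)
        return bytes(vals)
    length = struct.unpack(">I", read(0, 4))[0]
    if 4 + length > len(pixels) // 8:
        raise ValueError("length field exceeds carrier capacity")
    return read(32, length)


def looks_like_pe(blob: bytes) -> bool:
    """Loader sanity check: PE images start with the 'MZ' DOS header magic."""
    return blob[:2] == b"MZ"


def recover_payload(png: bytes):
    """What a PNGLoader-style stage does: parse the image, pull the LSBs and
    hand back the bytes only if they plausibly form an executable, else None."""
    _, _, pixels = parse_png(png)
    try:
        blob = extract(pixels)
    except ValueError:
        return None
    return blob if looks_like_pe(blob) else None


def make_carrier() -> bytes:
    """Constructed gradient image with every channel LSB clear (no hidden data)."""
    return bytes((x * 7 + y * 3 + c * 11) & 0xFE
                 for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))


def make_stego_png(payload: bytes) -> bytes:
    """Constructed carrier with the payload embedded, serialised as a PNG."""
    return build_png(embed(make_carrier(), payload), WIDTH, HEIGHT)


if __name__ == "__main__":
    fake_pe = b"MZ" + bytes(range(38))  # constructed stand-in for a .NET PE image
    print("clean carrier ->", recover_payload(build_png(make_carrier(), WIDTH, HEIGHT)))
    print("stego carrier ->", recover_payload(make_stego_png(fake_pe)) == fake_pe)
```

The same parse/extract pair is what a defender would run over suspicious images, such as the PNGs the article places in the Internet Explorer folder: an image whose LSB stream decodes to a sane length and an MZ header is worth a closer look, whereas a real image yields noise. The length guard in extract matters on the loader side too: without it, a corrupt or decoy image makes the loader read past the carrier.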
The new malware, codenamed DropboxControl, is an information-stealing implant that uses a Dropbox account for command and control. It lets the operator upload and download files to and from specific folders and execute commands stored in a particular file.
Among other things, the commands allow the operator to:
- run arbitrary executables;
- download and upload data;
- inspect network connections;
- delete system metadata.
According to Avast, DropboxControl has already hit companies and government institutions in Cambodia, Vietnam, Mexico and other countries. The use of DropboxControl as a tool for collecting specific files and data of interest to the attackers clearly points to the espionage nature of Worok's campaigns.