What enemy is the hardest to beat, and what attack is the hardest to avoid? Worok, a formidable adversary in the malware world, has given us the answer: an enemy disguised in plain sight, and an attack carried out right under your nose, unnoticed until it lands.
Since its emergence at the end of 2020, we have found that it operates mainly in Asia, targeting well-known companies and local governments, with a preference for telecommunications, banking, maritime, energy and military organisations, among others. Its targeting resembles that of the better-known TA428, but its modus operandi differs: by using steganography to pull malicious payloads out of PNG files, Worok is better at camouflage. Breaking through defences undetected and then exfiltrating data on a large scale is its specialty.
This February, after a six-month hiatus, an upgraded version of Worok returned to the scene, and only recently have we begun to examine several parts of its attack chain and identify its “protective colouring.”
Let’s start with a quick review of Worok’s M.O.: the ProxyShell vulnerability was exploited to gain access, followed by the deployment of publicly available tools, including Mimikatz (credential dumping), EarthWorm and ReGeorg (tunnelling and proxying) and NBTscan (network scanning). Then comes the last and most crucial link in the attack chain, the installation of custom programs, which can be divided into two stages:
- The first stage, getting PNGLoad onto the host. In 2021 this was done by CLRLoad (a C++ loader); in 2022 it is mostly done by PowHeartBeat (a PowerShell backdoor). The replacement follows a change in where the PNGLoad payload lives. When it sat on disk as a DLL in a legitimate-looking directory, CLRLoad decoded the obfuscated directory path, scanned the files in it one by one, and used a mutex to make sure only one instance was running before loading the assembly. Now that the payload is served from the remote C&C server, PowHeartBeat unpacks itself through two layers of decryption and decompression to obtain its encrypted data and commands, communicates with the C&C server over HTTP or ICMP, receives the payload and gives the operator backdoor access.
Compared to CLRLoad, PowHeartBeat layers several obfuscation techniques to evade detection more easily, a notable step up for Worok. It is a real pity for us that we have not yet been able to obtain any of the code PNGLoad executes after this stage.
- The second stage, loading PNG files that carry the malicious data. This is done by PNGLoad (a C# loader). Obfuscated with .NET Reactor, PNGLoad also disguises itself as a legitimate .NET executable on compromised systems.
It then walks the directory named by its MainPath property looking for every file with a ‘.png’ extension and tries to extract steganographic content from each of them. First, it takes the least significant bit of the R (red), G (green), B (blue) and A (alpha) value of every pixel and assembles those bits into a buffer. Second, if the first 8 bytes of the buffer match a magic number and the next 8 bytes, a control value, are non-empty, the check passes. Finally, the remainder is decrypted with a multi-byte XOR using the key held in PNGLoad’s SecretKeyBytes property and then gzip-decompressed, yielding a malicious PowerShell script that is executed immediately.
We haven’t been able to get hold of the ‘.png’ files used with PNGLoad. All the same, from the information we already have, these files are most likely mixed in with ordinary images of the same type. To stay hidden, Worok reads them through C# bitmap objects, which decode only the pixel data of the file, not its metadata; as long as the pixels are intact the hidden bits survive, so Worok can keep its malicious payload inside a valid, innocent-looking PNG image in plain sight.
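To make the extraction routine above concrete, here is an added example, written for this article and not Worok’s own code, that reproduces the scheme end to end in Python: a payload is gzip-compressed, XOR-encrypted with a multi-byte key, prefixed with an 8-byte magic number and an 8-byte control value, written into the least significant bits of the R, G, B and A channels of a PNG, and then recovered with the same magic/control/XOR/gzip checks PNGLoad performs. The magic value, the use of a little-endian body length as the control value, the key that stands in for SecretKeyBytes, the bit order and the sample script are all assumptions; the page does not give them. Only the standard library is used, so the PNG reader handles just the unfiltered 8-bit RGBA images the writer produces, but the file it writes is a valid PNG that any viewer opens normally, which is exactly why a payload hidden this way survives a bitmap decoder that reads pixel data only.

```python
import gzip
import struct
import zlib

# Constructed values for this example. The page names PNGLoad's MainPath and
# SecretKeyBytes properties but not the real magic number, key or bit order.
MAGIC = b"PNGLDEMO"                                   # 8-byte marker (assumption)
XOR_KEY = b"\x13\x37\xc0\xde"                         # stands in for SecretKeyBytes (assumption)
SCRIPT = "Write-Output 'constructed demo payload'"    # constructed stand-in for the real script

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating multi-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_blob(script: str, key: bytes = XOR_KEY) -> bytes:
    """Layout as described in the article: 8-byte magic, 8-byte control value
    (here the little-endian body length, an assumption), then the body, which
    is the gzip-compressed script XOR-encrypted with the key."""
    body = xor_bytes(gzip.compress(script.encode()), key)
    return MAGIC + struct.pack("<Q", len(body)) + body

def write_png(pixels, width, height) -> bytes:
    """Minimal 8-bit RGBA PNG writer (filter type 0 on every scanline)."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    rows = (b"\x00" + bytes(v for px in pixels[y * width:(y + 1) * width] for v in px)
            for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(b"".join(rows))) + chunk(b"IEND", b""))

def read_png(data: bytes):
    """Decode the PNG back to RGBA tuples. Handles only what write_png emits;
    a real loader leans on a full decoder such as the C# Bitmap class."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 6):
                raise ValueError("example reader supports 8-bit RGBA only")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
    raw, stride, pixels = zlib.decompress(idat), width * 4 + 1, []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("example reader supports filter type 0 only")
        pixels.extend(tuple(row[1 + 4 * x:5 + 4 * x]) for x in range(width))
    return pixels, width, height

def embed_lsb(cover, blob: bytes):
    """Overwrite the LSB of R, G, B, A of successive pixels with the blob's
    bits, MSB first within each byte (bit order is an assumption)."""
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    if len(bits) > 4 * len(cover):
        raise ValueError("cover image too small for payload")
    out, k = [], 0
    for px in cover:
        new = []
        for ch in px:
            if k < len(bits):
                ch, k = (ch & 0xFE) | bits[k], k + 1
            new.append(ch)
        out.append(tuple(new))
    return out

def extract_lsb(pixels) -> bytes:
    """What PNGLoad does first: gather every channel's LSB into a buffer."""
    bits = [ch & 1 for px in pixels for ch in px]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def recover_script(png: bytes, key: bytes = XOR_KEY):
    """PNGLoad-style check: magic, non-empty control value, XOR, then gzip.
    Returns None for an image that carries no payload."""
    buf = extract_lsb(read_png(png)[0])
    if buf[:8] != MAGIC:
        return None
    (length,) = struct.unpack("<Q", buf[8:16])
    if length == 0 or length > len(buf) - 16:
        return None
    return gzip.decompress(xor_bytes(buf[16:16 + length], key)).decode()

def make_cover(width, height):
    """Constructed gradient cover image; any RGBA picture would do."""
    return [(x * 255 // max(width - 1, 1), y * 255 // max(height - 1, 1), 128, 255)
            for y in range(height) for x in range(width)]

def demo(width=32, height=32) -> str:
    """Embed the script, write a valid PNG, and recover it the way PNGLoad would."""
    cover = make_cover(width, height)
    png = write_png(embed_lsb(cover, build_blob(SCRIPT)), width, height)
    return recover_script(png)
```

`demo()` returns the embedded script, while `recover_script()` on an untouched cover image returns None because the LSB buffer does not start with the magic value. A defender who knows the marker can run the same extraction over every image in a suspect directory; a generic file-type or metadata check cannot see the payload, which is the whole point of the technique.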
So far our research on Worok is not especially deep, but based on its trajectory we can strengthen defences in the following ways:
- Control of file uploads and downloads
- Protection of file information such as path, length, creation time, access times and content
- Restrictions on permissions to delete, rename and move files
We hope that in the near future we can obtain more valuable and more critical information to break through this enemy’s invincibility and make “Worok” no longer “work.”