Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Steganography. Show all posts

Worok Cyber Espionage Group Employs Malicious PNG Images to Propagate Malware

 

Cybersecurity researchers have unearthed new malware threats manufactured to exploit steganography methodologies. Worok seems to be a complex cyber-espionage operation whose individual stages are still unknown. The campaign's final stage, however, has been identified by two cybersecurity firms.

Worok employs multi-stage malware created to siphon data and target high-profile victims, using steganography ways to conceal parts of the payloads in a plain PNG image file. The new malware was first uncovered by ESET in September. 

The researchers described Worok as a new cyber spying group that employs undocumented tools, including a steganography methodology designed to exfiltrate a malicious payload from a plain PNG image file. 

The cyber espionage group targeted high-profile victims like government agencies, particularly in the Middle East, Southeast Asia, and South Africa. ESET's knowledge of the trouble's attack chain was limited, but the latest report from Avast has provided fresh details regarding this malicious campaign.

According to the Czech security firm, Worok employs a complex multistage design to conceal its activities. The hackers employ sideloading to execute the CLRLoader malware which, in turn, implements the PNGLoader DLL, capable of reading obfuscated code masking in PNG files. 

That code translates to DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft. The info stealer can support multiple commands, including running cmd /c, launching an executable, downloading and uploading data, deleting and renaming files, capturing file information, spy network communications, and extracting metadata. 

While researchers are still trying to put all the pieces together, the latest report from Avast confirms that Worok is a custom operation manufactured to siphon data, spy, and target high- victims in specific parts of the globe. 

“The key finding of this research is the interception of the PNG files, as predicted by ESET. The stenographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails,” Researchers at AVAST explained. “The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.”

Cybersecurity Researchers Discovered Attack Which Uses WAV Audio Files to Hide Malicious Code


We are living in an age where user security being breached is one of the most familiar headlines we come across in the cybersecurity sphere, attackers have continued to discover unprecedented ways to compromise user data and have strengthened the older ones.

A widely used technique which allows hackers to break into computers and extract user data without getting noticed is resurfacing again, this time making the detention even more complex by embedding the malware inside audio files resembling the regular WAV format audio files on the computer, according to the cybersecurity researchers at Cylance, a California based software company that develops antivirus programs and other software to prevent malware.

Hackers employed a method known as ‘Steganography’ to hide and deliver malware, it involves hiding a file, video or message with the help of some other file. Researchers at Cylance discovered the malicious code embedded inside the WAV audio files with each file containing a ‘loader component’ which decodes and executes the malware. The threat actors carry out these malicious activities using a crypto mining application known as XMRig Monero CPU Miner.

Although, hackers have used viruses and spyware to infect files and break into computers previously, this is the first time ever where a file has been explicitly used to deliver a crypto mining software into a system. Cybercriminals are always looking to undo the measures taken by security officials. It is evident from how they are now employing even sophisticated strategies as earlier, the only way to deliver crypto mining malware was through malicious scripts on browsers, websites or software programs that came with malware.

Referencing from the statements given by Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, to Help Net Security.  “One WAV file contained music with no indication of distortion or corruption and the others contained white noise. One of the WAV files contained Meterpreter to establish a reverse-shell to have remote access into the infected machine. The other WAV files contain the XMRig Monero crypto-miner,”

“Attackers are creative in their approach to executing code, including the use of multiple files of different file formats. We discovered several loaders in the wild that extract and execute malicious code from WAV audio files. Analysis revealed that the malware authors used a combination of steganography and other encoding techniques to deobfuscate and execute code” the researchers at Cylance pointed out.

“The similarities between these methods and known threat actor TTPs may indicate an association or willingness to emulate adversary activity, perhaps to avoid direct attribution,” the researchers further remarked.

In order to stay guarded, users are advised to have proper anti-virus tools installed on their computers and stay alert while downloading any kind of file from the internet.

New Steganography method TranSteg hides Data in VoIP(IP Telephony)

Researchers from Warsaw University of Technology, Institute of Telecommunications find a new Steganography method that helps to hide the Data in VoIP(IP Telephony).  The method is named as "TranSteg((Transcoding Steganography)". 

Voice over IP (VoIP), or IP telephony, is one of the services of the IP world that is changing the entire telecommunication’s landscape. It is a real-time service, which enables users to make phone calls through data networks that use an IP protocol.
Steganography encompasses various information hiding techniques, whose aim is to embed a secret message(steganogram) into a carrier (image,audio,video). Steganographic methods are aimed at hiding of the very existence of the communication, therefore any third-party observers should remain unaware of the presence of the steganographic exchange.


In TranSteg it is the overt data that is compressed to make space for the steganogram. The main innovation of TranSteg is to, for a chosen voice stream, find a codec that will result in a similar voice quality but smaller voice payload size than the originally selected. Then, the voice stream is transcoded. At this step the original voice payload size is intentionally unaltered and the change of the codec is not indicated. Instead, after placing the transcoded voice payload, the remaining free space is filled with hidden data. TranSteg proof of concept implementation was designed and developed.

TranSteg detection is difficult to perform when performing inspection in a single network localisation.