The Cyber Security News

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

November 14, 2022

A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain.

Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that is used to facilitate information theft.

"What is noteworthy is data collection from victims' machines using DropBox repository, as well as attackers using DropBox API for communication with the final stage," the company said.


The development comes a little over two months after ESET disclosed details of attacks carried out by Worok against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as TA428.

The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown PowerShell script embedded within PNG images, a technique known as steganography.

That said, the initial attack vector remains unknown as yet, although certain intrusions have entailed the use of ProxyShell vulnerabilities in Microsoft Exchange Server to deploy the malware.

Avast's findings show that the adversarial collective makes use of DLL side-loading upon gaining initial access to execute the CLRLoad malware, but not before conducting lateral movement across the infected environment.

CLRLoad Malware Loader

PNGLoad, which is launched by CLRLoad (or alternatively another first-stage component called PowHeartBeat), is said to come in two variants, each responsible for decoding the malicious code within the image to launch either a PowerShell script or a .NET C#-based payload.

The PowerShell script has remained elusive, although the cybersecurity firm noted it was able to flag a few PNG files belonging to the second category that dispensed a steganographically embedded C# malware.

"At first glance, the PNG images look innocent, like a fluffy cloud," Avast said. "In this particular case, the PNG files are located in C:\Program Files\Internet Explorer, so the image does not attract attention because Internet Explorer has a similar theme."
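A defender-side triage check, added here as an example and not code from Avast or from the article: walk a PNG's chunk structure and flag CRC mismatches, a missing IEND, or bytes appended after IEND. The article does not state how Worok's payload is embedded, so this is a generic integrity check for PNG files found in unexpected locations, not a detector for that specific technique; the sample PNG and the appended bytes are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Walk PNG chunks and return (chunks, trailing_bytes, problems).
    chunks is a list of (type, length, crc_ok); problems lists anomalies
    such as a bad CRC, a missing IEND, or data appended after IEND."""
    if not data.startswith(PNG_SIG):
        return [], b"", ["missing PNG signature"]
    pos, chunks, problems, saw_iend = len(PNG_SIG), [], [], False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            problems.append("truncated chunk %s" % ctype.decode("latin-1"))
            return chunks, b"", problems
        # CRC covers the chunk type and body, not the length field
        crc_ok = zlib.crc32(ctype + body) == struct.unpack(">I", crc)[0]
        if not crc_ok:
            problems.append("CRC mismatch in %s" % ctype.decode("latin-1"))
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        problems.append("no IEND chunk")
    trailing = data[pos:]
    if saw_iend and trailing:
        problems.append("%d bytes after IEND" % len(trailing))
    return chunks, trailing, problems


def make_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(extra=b""):
    """Constructed 1x1 white RGB PNG; 'extra' is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one pixel
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"") + extra


if __name__ == "__main__":
    for label, blob in [("clean", build_png()), ("appended", build_png(b"CONSTRUCTED-PAYLOAD"))]:
        print(label, png_chunks(blob)[2])
```

A clean file yields an empty problem list; anything appended after IEND, a bad CRC, or a missing IEND is worth a closer look, especially for images sitting outside normal image directories.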

This new malware, dubbed DropBoxControl, is an information-stealing implant that uses a Dropbox account for command-and-control, enabling the threat actor to upload and download files to specific folders as well as run commands present in a particular file.


Some of the notable commands include the ability to run arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate system metadata.

Companies and government institutions in Cambodia, Vietnam, and Mexico are among the prominent targets affected by DropBoxControl, Avast said, adding that the authors of the malware are likely different from those behind CLRLoad and PNGLoad owing to the "significantly different code quality of these payloads."

Regardless, the deployment of the third-stage implant as a tool to harvest files of interest clearly indicates the intelligence-gathering goals of Worok, and also illustrates an extension of its kill chain.

"The prevalence of Worok's tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America," the researchers concluded.

Some parts of this short article are sourced from:
thehackernews.com