Avast details Worok spy group’s compromise chain

Cyber-espionage group Worok abused the Dropbox API to exfiltrate data by using a backdoor hidden in seemingly innocuous image files.

Researchers at cybersecurity firm Avast have observed the recently discovered spy group Worok abusing the Dropbox API to exfiltrate data by using a backdoor hidden in seemingly innocuous image files.

The experts’ investigation began with an analysis published by ESET of attacks against organizations and local governments in Asia and Africa. Avast experts were able to capture several PNG files embedding data-stealing payloads. They point out that the data collection from the victim machine uses the DropBox repository and the attackers use the DropBox API to communicate with the final stage.

Avast experts revealed the compromise chain, detailing how the attackers initially deployed the first-stage malware. Tracked as CLRLoader, which loads the next state payload PNGLoader.

“PNGLoader is a loader that extracts bytes from a PNG file and reconstructs it into executable code. PNGLoader is a .NET DLL file obfuscated using .NET Reactor; the file description provides Legitimate software.” Read the report published by Avast. “Deobfuscated PNGLoader code includes entry point (Setfilter) called by CLRLoader.”

Presumably, the malicious code was deployed by threat actors exploiting the Proxyshell vulnerability. The attackers then used publicly available exploit tools to deploy their custom malicious tools.

Experts discovered two variants of PNGLoad, both of which are used to decode malicious code hidden in images and run PowerShell scripts or .NET C#-based payloads.

The PowerShell script has been elusive, although the cybersecurity firm noted that it was able to flag some PNG files belonging to the second category, which distribute steganographically embedded C# malware.

“At first glance, a PNG image looks innocent, like a fluffy cloud,” says Avast.

Extending the compromise chain detailed by ESET, Avast discovered a .NET C# payload that they tracked as DropBoxControl, which represents the third stage.


DropboxControl is an information-stealing backdoor that abuses the DropBox service for C2 communication.

“It is worth noting that the C&C server is a DropBox account and the entire communication (such as commands, uploads and downloads) is performed using regular files in specific folders. Therefore, backdoor commands are represented as files with defined extensions. DropBoxControl periodically checks the DropBox folder and executes commands based on the requested file.” Continued report. “The response of each command is also uploaded to the DropBox folder as a result file.”

The backdoor can run arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate metadata.

According to Avast, DropboxControl was not developed by the authors of CLRLoad and PNGLoad due to major differences in the source code and its quality.

“The main finding of this research is the interception of PNG files, as predicted by ESET. The shorthand embedded C# payload (DropBoxControl) confirms that Worok is a cyber-espionage group. They steal through DropBox accounts registered in active Google emails data.” Summary AVAST. “The low prevalence of the Worok tools in the wild suggests that the toolset is an APT project focused on well-known entities in the private and public sectors in Asia, Africa, and North America.”

Follow me on Twitter: @securityaffairs and Facebook and mastodon

Pierluigi Paganini

(security affairs Hacking, Worok)

Leave a Reply

Your email address will not be published. Required fields are marked *