top of page

Worok: The big picture

ocused mostly on Asia, this new cyberespionage group uses undocumented tools, including steganographically extracting PowerShell payloads from PNG files. Worok’s toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files.


ATT&CK IDS: T1027 - Obfuscated Files or Information, T1105 - Ingress Tool Transfer, T1049 - System Network Connections Discovery, T1030 - Data Transfer Size Limits, T1106 - Native API, T1547 - Boot or Logon Autostart Execution, T1104 - Multi-Stage Channels, T1001 - Data Obfuscation, T1003 - OS Credential Dumping, T1005 - Data from Local System, T1036 - Masquerading, T1041 - Exfiltration Over C2 Channel, T1046 - Network Service Scanning, T1059 - Command and Scripting Interpreter, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1090 - Proxy, T1095 - Non-Application Layer Protocol, T1124 - System Time Discovery, T1132 - Data Encoding, T1140 - Deobfuscate/Decode Files or Information, T1505 - Server Software Component, T1560 - Archive Collected Data, T1573 - Encrypted Channel, T1583 - Acquire Infrastructure, T1587 - Develop Capabilities, T1588 - Obtain Capabilities, T1590 - Gather Victim Network Information, T1592 - Gather Victim Host Information

Read More:

1 view


Commenting has been turned off.
bottom of page