Malicious emails typically contain links to websites where a malware payload is hosted. This method of malware distribution allows threat actors to reach employees directly, and since no malicious file is attached to the email, there is a greater chance that the message will not be detected as malicious by a company’s email security solution, especially if the URL or domain has not previously been used before. Advanced email security solutions – such as SpamTitan Plus – rewrite links, follow the URLs, and assess the content, and can block these threats.

Malicious files are often directly attached to emails. These files can be the malware itself or a malware downloader, but these executable files are often blocked by spam filters. Office documents and spreadsheets are often used that contain macros. If they are allowed to run, they will download the malicious payload. More companies are now providing security awareness training to their workforces and are warning about the risks of macros, and Microsoft is now disabling macros by default in Office files that are downloaded from untrusted sources via the Internet, so this method of malware delivery is becoming less effective.

In response, threat actors have had to come up with different ways of distributing their malware and one method that is growing in popularity is steganography – a technique used to hide secret data within an ordinary, non-secret file, such as an image file. When that file arrives at its destination, the secret data is extracted. To make this method of hiding content harder to identify, the hidden data is often encrypted and is decrypted at its destination. Steganography is not a new technique, as its roots can be traced back to ancient Greece, and it is also not a new method of distributing malicious code; however, using this technique for distributing malware has not proved popular with threat actors are there are much easier ways of distributing malware.

Recently a campaign has been identified that hides malicious code within .png files. Researchers At Check Point Research recently identified a malicious package called apicolor on the Python-based repository PyPl, which hides malicious code within a .png file, which downloads malicious packages onto the user’s device. This campaign uses a steganography technique called least-significant bit (LSB) encoding, where malicious code is hidden in each pixel’s least important bits. One pixel includes one bit of data for each alpha, red, green, and blue channel, allowing two pixels to contain one byte of secret code.

This attack uses DLL sideloading to execute CLRoader malware, which loads the PNGLoader DLL, which is able to read obfuscated code hidden within .png files. The code is a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data exfiltration. The analysis of the malware revealed it can launch executable files, download and upload data to and from Dropbox, delete data on endpoints, set up new directories for additional backdoor payloads, and extract system information.

This method of malware delivery has been adopted by a threat actor called Worok, which is mostly concerned with targeting high-profile individuals in the Middle East, Southeast Asia, and South Africa and has been used by Worok since at least September 2022. Worok is believed to be part of a cyberespionage group; however, other threat actors could use this technique for a variety of nefarious purposes.