
There then was a pause in Worok's activity from May 2021 to January before it returned with attacks on an energy company in Central Asia and a public sector entity in Southeast Asia.

It's unknown in most cases how the espionage group gains initial access into victims' networks, although there are some instances in 20 where the ProxyShell flaws were exploited. In those cases, webshells were uploaded after exploiting the vulnerabilities to ensure persistence in the compromised networks. Once in, the Worok operators use a variety of publicly available tools, such as Mimikatz, EarthWorm, ReGeorg, and NBTscan, for reconnaissance, according to Passilly. Then the group deploys its custom malware, including a first-stage loader. Initially that was CLRLoad, a generic Windows PE that is written in C++ and loads the next stage, PNGLoad, which must be a Common Language Runtime (CLR) assembly DLL file. "That code is loaded from a file located on disk in a legitimate directory, presumably to mislead victims or incident responders into thinking it is legitimate software," he wrote; the payload itself is hidden by using steganography.

#Chinese espionage group deploys Windows systems code

"We have not been able to obtain a sample .png file used along with PNGLoad, but the way PNGLoad operates suggests that it should work with valid PNG files," Passilly wrote. "To hide the malicious payload, Worok uses Bitmap objects in C#, which only take pixel information from files, not the file metadata."
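The Bitmap remark in Passilly's quote is the detail that matters for defenders: a reader that decodes only pixel data ignores text chunks and every other piece of metadata, so a payload stored in pixel bits survives anything that only rewrites or scrubs metadata. The Python below is an added illustration written for this page, not code from Worok, PNGLoad or ESET. It builds a valid 8-bit RGB PNG with only the standard library, hides a constructed payload in the least-significant bit of successive pixel bytes, adds an unrelated tEXt chunk, and shows that a pixel-only reader recovers the payload both before and after the metadata chunk is dropped. The chunk handling, the length-prefix framing, the cover image and the function names are this example's own assumptions, not Worok's format.

```python
"""Added illustration of pixel-only PNG steganography (not Worok's or ESET's code).

Standard library only. The PNG writer/reader is deliberately minimal: 8-bit RGB,
filter type 0 on every row, optional tEXt metadata chunk. Payload framing (4-byte
big-endian length, then bytes, one bit per pixel byte) is an assumption for this
example, not the format PNGLoad uses.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def png_encode(width: int, height: int, rgb: bytes, text_meta=None) -> bytes:
    """Build a valid 8-bit RGB PNG from raw pixel bytes (len == width*height*3)."""
    assert len(rgb) == width * height * 3
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    if text_meta is not None:  # metadata lives in its own chunk, never in the pixels
        key, value = text_meta
        out += _chunk(b"tEXt", key + b"\x00" + value)
    return out + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_chunks(data: bytes):
    """Yield (type, body) for every chunk in file order."""
    assert data[:8] == PNG_SIG, "not a PNG"
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 crc


def png_pixels(data: bytes):
    """Return (width, height, rgb) the way a pixel-only reader would: tEXt etc. are ignored."""
    idat, width, height = b"", None, None
    for ctype, body in png_chunks(data):
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            assert depth == 8 and colour == 2, "example reader handles 8-bit RGB only"
        elif ctype == b"IDAT":
            idat += body
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        assert row[0] == 0, "example reader handles filter type 0 only"
        rows.append(row[1:])
    return width, height, b"".join(rows)


def lsb_embed(rgb: bytes, payload: bytes) -> bytes:
    """Hide a length-prefixed payload in the least-significant bit of successive pixel bytes."""
    msg = struct.pack(">I", len(payload)) + payload
    nbits = len(msg) * 8
    if nbits > len(rgb):
        raise ValueError("payload too large for cover image")
    out = bytearray(rgb)
    for i in range(nbits):
        bit = (msg[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(rgb: bytes) -> bytes:
    """Inverse of lsb_embed: read the 4-byte length, then that many payload bytes."""
    def read(start_byte: int, count: int) -> bytes:
        buf = bytearray()
        for b in range(count):
            val = 0
            for k in range(8):
                val = (val << 1) | (rgb[(start_byte + b) * 8 + k] & 1)
            buf.append(val)
        return bytes(buf)
    (length,) = struct.unpack(">I", read(0, 4))
    return read(4, length)


def demo():
    """Constructed cover and payload; returns (payload, recovered, recovered_after_metadata_strip)."""
    width, height = 64, 64
    cover = bytes((x * 7 + y * 3 + c * 50) & 0xFF
                  for y in range(height) for x in range(width) for c in range(3))
    payload = b"constructed stand-in for a second-stage blob"  # not a real sample
    with_meta = png_encode(width, height, lsb_embed(cover, payload),
                           text_meta=(b"Comment", b"holiday photo"))
    recovered = lsb_extract(png_pixels(with_meta)[2])
    # Metadata "scrubbing": re-encode only the pixels, so no tEXt chunk remains.
    scrubbed = png_encode(width, height, png_pixels(with_meta)[2])
    assert b"tEXt" not in [t for t, _ in png_chunks(scrubbed)]
    return payload, recovered, lsb_extract(png_pixels(scrubbed)[2])


if __name__ == "__main__":
    p, r1, r2 = demo()
    print("recovered:", r1 == p, "after metadata strip:", r2 == p)
```

The practical consequence for incident responders is that hashing, metadata inspection or metadata stripping of image files says nothing about whether they carry a payload of this kind; the image stays a valid PNG that renders normally. The artefacts worth hunting are the loader components on disk (the CLRLoad and PNGLoad stages described above) and the unexpected read of an image file by a process that has no business opening one.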
