Most internet users are familiar with malicious browser extensions and other software, but what if malware makers started hiding their creations inside PNG images? Based on reports from ESET and Avast, it turns out that this is happening.
Since September 2016, a threat actor has been using this method to get malware onto users' computers. It's called Worok-lite, which is the name of the newest iteration of the second-stage payload that is inserted in a PNG image.
The first part, Worok, was the payload used in 2016 to exploit the WannaCry vulnerability, one of the most serious cyberattacks in history. It's believed that this attack was facilitated by North Korea. After going through several iterations and rebranding efforts, it appears that the group has returned with a new version of an old infection vector. The last iteration has returned with a vengeance.
It was found back in December 2018 when ESET detected an unusual executable file, which turned out to be malware dubbed LokiBot. All variations include the ability to steal passwords by intercepting network traffic (HTTPS) in browsers or web-mail applications.
Source: More malware is being hidden in PNG images, so watch out (msn.com)