ESET analysts have discovered the Worok cyber-espionage group, which has been active since at least 2020. These hackers mainly attack government agencies and well-known companies in Asian countries, but sometimes organizations from Africa and the Middle East become their targets.
To date, Worok has been linked to attacks on telecommunications, banking, maritime and energy companies, as well as military, government and public organizations. For example, in late 2020, Worok attacked an unnamed telecommunications company in East Asia, a bank in Central Asia, a shipping company in Southeast Asia, a government agency in the Middle East, and a private company in southern Africa, according to researchers.
Now, ESET is crediting the group with new attacks on an energy company in Central Asia and a public sector organization in Southeast Asia.
“We believe that malware operators are hunting for the information of their victims because they focus on large organizations in Asia and Africa and attack various sectors, both private and public, but place a special emphasis on government structures,” the experts write.
While hackers have occasionally used exploits for the ProxyShell issue to gain initial access to their victims’ networks, in general the initial penetration vector remains unknown for most incidents.
“As a rule, after the exploitation of vulnerabilities, web shells were loaded in order to gain a foothold in the victim’s network. The attackers then used various implants to gain additional capabilities, ”the report says.
The Worok malware toolkit includes two loaders: a C++ loader known as CLRLoad, and a C# loader called PNGLoad, which helps attackers hide payloads in PNG image files using steganography.
Although ESET experts have not yet studied the final payloads of the group, during the investigation of the attacks, they discovered a new PowerShell backdoor, which they called PowHeartBeat. Since February 2022, it has replaced CLRLoad and is now used as a tool designed to run PNGLoad on compromised systems.
PowHeartBeat has a wide range of capabilities, including manipulating files, executing commands and processes, and uploading and downloading files to or from victims’ devices.
“Although our visibility is limited for now, we hope that by shedding light on this group, we will encourage other researchers to share information about Worok,” ESET experts summarize.
According to the researchers, Worok may be associated with the Chinese hack group TA428, but experts are not yet completely sure about this.