A new cyber espionage group named Worok has been revealed

by time news

A new cyber espionage group called Worok has been revealed by the security company ESET. It targets companies and governments mainly in Asia, but also in the Middle East and Africa.

Researchers at the security company ESET recently discovered targeted attacks that used undocumented tools against high-profile companies and local governments, mainly in Asia but also in the Middle East and Africa. The attacks were carried out by a previously unknown cyber espionage group, which ESET named Worok. According to ESET's telemetry, Worok has been active since at least 2020 and continues to operate today. Targets included organizations in telecommunications, banking, maritime, energy, government and the wider public sector. In some cases, the Worok group used the well-known ProxyShell vulnerabilities in Microsoft Exchange to gain initial access.

“We believe that the malicious operators are looking for information from their victims. We came to this conclusion from their focus on high-profile targets in Asia and Africa, which belong to different sectors, both private and public, with a particular emphasis on government entities,” notes Thibaut Passilly, the ESET researcher who discovered the Worok group.

Already at the end of 2020, the Worok group attacked governments and companies in many countries, including:

· A telecommunications company in East Asia

· A bank in Central Asia

· A maritime company in Southeast Asia

· A government entity in the Middle East

· A private company in South Africa

Between May 2021 and January 2022 there was a significant break in observed operations, but the group’s activity returned in February 2022 and was directed against:

· An energy company in Central Asia

· Public sector entity in Southeast Asia

Worok is a cyber espionage group that develops its own tools and also uses existing tools to compromise its targets. The group's custom toolset includes two loaders, CLRLoad and PNGLoad, and a backdoor called PowHeartBeat.


CLRLoad is a first-stage loader that was used in 2021 but was replaced by PowHeartBeat in most cases in 2022. PNGLoad is a second-stage loader that uses steganography to reconstruct malicious payloads hidden inside PNG image files.
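To make the PNG steganography idea concrete, the following is an added example (not ESET's analysis and not Worok's code) that round-trips a payload through the least significant bit of each colour channel of an 8-bit RGB PNG and then scans a PNG for such a payload. The bit order, the 4-byte length header and the "MZ" check are assumptions chosen for the demo; the real PNGLoad encoding is not described on this page. The PNG writer/reader is stdlib-only and deliberately handles only the single filter type it emits itself, and the cover image and payload are constructed for the demo.

```python
"""LSB steganography round-trip and scanner for 8-bit RGB PNG files (demo).

Assumptions (not Worok's real format): payload is stored as a 4-byte
big-endian length followed by the bytes, one bit per colour channel byte,
MSB-first within each payload byte. Stdlib only; no PIL required.
"""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, data):
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def write_png(width, height, pixels):
    """pixels: flat RGB bytes (row-major). Every scanline uses filter type 0."""
    raw = bytearray()
    stride = width * 3
    for y in range(height):
        raw.append(0)                                   # filter type None
        raw.extend(pixels[y * stride:(y + 1) * stride])
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b"")


def read_png(data):
    """Parse an 8-bit RGB PNG whose scanlines use filter type 0 (what write_png emits)."""
    if data[:8] != PNG_MAGIC:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, None, None, bytearray()
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length                              # length + tag + data + crc
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("demo reader handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat.extend(body)
        elif tag == b"IEND":
            break
    raw = zlib.decompress(bytes(idat))
    stride = width * 3
    pixels = bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("demo reader handles filter type 0 only")
        pixels.extend(row[1:])
    return width, height, bytes(pixels)


def embed_lsb(pixels, payload):
    """Overwrite the LSB of successive channel bytes with header + payload bits."""
    stream = struct.pack(">I", len(payload)) + payload
    nbits = len(stream) * 8
    if nbits > len(pixels):
        raise ValueError("payload too large for cover image")
    out = bytearray(pixels)
    for i in range(nbits):
        bit = (stream[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels):
    """Recover the hidden stream, or None if the length header is implausible."""
    def read_bytes(bit_offset, n):
        out = bytearray()
        for b in range(n):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (pixels[bit_offset + b * 8 + k] & 1)
            out.append(byte)
        return bytes(out)
    if len(pixels) < 32:
        return None
    length = struct.unpack(">I", read_bytes(0, 4))[0]
    if length == 0 or (4 + length) * 8 > len(pixels):
        return None
    return read_bytes(32, length)


def scan_png(png_bytes):
    """Return (payload, looks_like_pe) for a PNG carrying this LSB scheme, else None."""
    _, _, pixels = read_png(png_bytes)
    payload = extract_lsb(pixels)
    if payload is None:
        return None
    return payload, payload[:2] == b"MZ"                # DOS header check (assumption)


def make_cover(width=64, height=64, seed=1):
    """Deterministic LCG noise standing in for a real photo (constructed)."""
    state, px = seed, bytearray()
    for _ in range(width * height * 3):
        state = (state * 1103515245 + 12345) & 0x7FFFFFFF
        px.append((state >> 16) & 0xFF)
    return width, height, bytes(px)


PAYLOAD = b"MZ\x90\x00constructed demo payload, not real malware"   # constructed


def demo():
    """Hide PAYLOAD in a cover, write/read the PNG, and scan it back."""
    w, h, cover = make_cover()
    stego = write_png(w, h, embed_lsb(cover, PAYLOAD))
    return scan_png(stego), extract_lsb(cover)


if __name__ == "__main__":
    print(demo())
```

Real-world cover images use all five PNG filter types and may be paletted or 16-bit, so a production scanner should decode through a full PNG library and then apply the same LSB walk to the decoded pixels; the point here is the bit-level reconstruction step, which is what a PNGLoad-style loader has to perform before it can execute anything.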

PowHeartBeat is a full-featured backdoor written in PowerShell and disguised using several techniques, including compression, encoding and encryption. Its capabilities include controlling and running processes, uploading files to and downloading files from compromised computers, sending file metadata and content (path, size, creation and access times) to the command-and-control (C&C) server, and deleting, renaming and moving files.

“Although at this stage we cannot see a significant part of the group’s activity, we hope that turning the spotlight on it will encourage more researchers to share information about this group,” adds Passey.

For more technical information about the Worok group, see ESET's full blog article, “Worok Group: The Big Picture”.
