An unknown espionage group called Worok that is active since late 2020 targets high-profile businesses and municipal governments with headquarters largely in Asia.
The cyber gang, originally identified as Worok by ESET experts, also has attacked targets in the Middle East and Africa.
Worok is alleged to have parallels with another antagonistic collective known as TA428 in terms of skills and goals. TA428 has been linked to attacks against military, government, and public sector organizations, as well as telecom, banking, maritime, and energy firms.
Worok's toolkit, according to ESET researcher Thibaut Passilly, "includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that employs steganography to extract concealed malicious payloads from PNG files."
Between May 2021 and January 2022, the group's malicious operations took a significant hiatus before picking back up the following month. The Slovak cybersecurity company determined that the group's objectives were compatible with identity theft.
In certain cases, ProxyShell exploits were used to gain an initial foothold on target networks until 2021 and 2022. Additional custom backdoors were then introduced for entrenched access. Other initial compromise approaches are not yet known.
Infection chains in 2022 have now abandoned CLRLoad in favor of PowHeartBeat, a fully functional PowerShell implant that launches PNGLoad and communicates with a remote server via HTTP or ICMP to carry out associated file operations, transmit and receive files, and execute arbitrary commands.
"In such situations, webshells have often been uploaded after these vulnerabilities have been exploited on order to enable persistence in the victim's network. The operators then utilized a variety of implants to obtain more capabilities, "Passilly continued.
ESET discovered a new PowerShell backdoor called PowHeartBeat, which has replaced CLRLoad in instances recorded since February 2022 as the tool designed to launch PNGLoad on infected systems. However, it has not yet been able to recover one of the final payloads delivered in the group's attacks.
A cyber espionage organization called Worok compromises its targets using both custom-built tools and techniques that already exist.
We believe the attackers are after information theft from their victims as they target high-profile organisations in Asia and Africa, focusing on diverse sectors, both private and public, but with a particular emphasis on government entities.
