Worok Hackers Target High Profile Asian Companies And Government
High-profile companies and local governments located primarily in Asia are the subjects of targeted attacks by a previously undocumented espionage group dubbed Work that has been active since late 2020.
Worok’s toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad.
This tool uses steganography to extract hidden malicious payloads from PNG files, ESET researcher Thibaut Passilly said in a new report published today.
Threat Actors Diversified Attacks On Entities
Worok is said to share overlaps in tools and interests with another adversarial collective tracked as TA428.
with the group linked to attacks against entities spanning the energy, financial, maritime, and telecom sectors in Asia, as well as a government agency in the Middle East and a private firm in southern Africa.
Malicious activities undertaken by the group experienced a noticeable break from May 2021 to January 2022, before resuming the next month. The Slovak cybersecurity firm assessed the group’s goals to be aligned with information theft.
The initial foothold to target networks through 2021 and 2022 entailed the use of ProxyShell exploits in select instances. Furthermore, it was followed by deploying additional custom backdoors for entrenched access. Other initial compromise routes are unknown as of yet.
Picky Threat Actors Only Attacks The High-Profiled
Among the tools In Worok’s malware arsenal is a first-stage loader called CLRLoad, which is succeeded by a NET-based steganographic loader codenamed PNGLoad that’s capable of executing an unknown PowerShell script embedded in a PNG image file.
Infection chains in 2022 have since dropped CLRLoad in favor of a fully-featured PowerShell implant referred to as PowHeartBeat that’s subsequently used to launch PNGLoad.
In addition to communicating with a remote server via HTTP or ICMP to execute arbitrary commands, send and receive files, and carry out related file operations. ESET said it was unable to retrieve any of the final-stage PNG payloads.
Although, it’s suspected that the malware could be concealed in valid, innocuous-looking PNG images and therefore hidden in plain sight without attracting attention. Worok is a cyber espionage group that develops its tools, as well as leverages existing tools, to compromise its targets, Passilly said.
Stealing information from their victims is what we believe the operators are after because they focus on high-profile entities in Asia and Africa. Notably, targeting various sectors, both private and public, but with a specific emphasis on government entities.