ESET unveils a new cyber-espionage group

September 14, 2022

ESET researchers have discovered a previously unknown cyber-espionage group they call Worok. Worok attacks several high-profile companies from telecommunications, banking, shipping, energy, the military, government agencies and the public sector. Its targets are mainly located in Asia, the Middle East and Africa.

Worok uses both existing and proprietary tools to achieve its goals. In some cases the group is also known to have exploited the well-known ProxyShell vulnerabilities to gain initial access. The PowerShell backdoor it uses, PowHeartBeat, has several capabilities, including executing commands and processes and uploading and downloading files.

ESET researchers recently discovered targeted attacks using undocumented tools against several leading companies and local governments in Asia, the Middle East and Africa. These attacks were carried out by a previously unknown cyber-espionage group that ESET has named Worok. According to ESET telemetry, Worok has been active since at least 2020 and remains active today. Its targets include several high-profile companies from telecommunications, banking, shipping, energy, the military, government agencies and the public sector. In some cases, Worok has also used the well-known ProxyShell vulnerabilities to gain initial access.

Mainly focuses on companies and governments in Asia

ESET researcher Thibaut Passilly, who discovered Worok, said: “Malware operators targeting various sectors, both private and public, especially government organizations, target leading organizations in Asia and Africa, so they are among the victims. We think they’re after information.”

At the end of 2020, Worok targeted many different governments and companies, including a telecommunications company in East Asia, a bank in Central Asia, a shipping company in Southeast Asia, a government agency in the Middle East and a private company in Africa. ESET’s tracking shows a significant break in Worok’s activity from May 2021 to January 2022, but in February 2022 the group resumed operations with new targets: an energy company in East Asia and a government agency in Southeast Asia.

Worok develops its own tools but also uses existing tools to achieve its goals. The group’s custom toolkit includes two loaders, called CLRLoad and PNGLoad, and a backdoor called PowHeartBeat. CLRLoad is a first-stage loader that was used in 2021; in 2022 it was replaced by PowHeartBeat in most cases. PNGLoad is a second-stage loader that uses steganography to reconstruct malicious payloads hidden in PNG images.

PowHeartBeat, on the other hand, is a full-featured backdoor written in PowerShell, obfuscated using various techniques such as compression, encoding and encryption. This backdoor has several capabilities, including command/process execution and file manipulation. For example, it can upload files to and download files from compromised machines; it can send file information such as path, length, creation time, access times and content back to the command-and-control server; and it can delete, rename and move files.

Source: (BYZHA) – Beyaz News Agency

Source: Haber Safir
