Cyber-Espionage Group Worok Attacks Asian Governments and Companies

Cyber-Espionage group Worok
Written by Emma Davis

ESET analysts have discovered the Worok cyber-espionage group, which has been active since at least 2020. The group mainly attacks government agencies and well-known companies in Asian countries, but organizations in Africa and the Middle East have also been targeted.

We have previously written about the DeadRinger attack targeting telecommunications companies in Southeast Asia, and about attackers hacking the IT systems of the Azerbaijan government.

To date, Worok has been linked to attacks on telecommunications, banking, maritime and energy companies, as well as military, government and public organizations. For example, in late 2020, Worok attacked an unnamed telecommunications company in East Asia, a bank in Central Asia, a shipping company in Southeast Asia, a government agency in the Middle East, and a private company in southern Africa, according to researchers.


ESET now also attributes to the group more recent attacks on an energy company in Central Asia and a public sector organization in Southeast Asia.

"We believe that malware operators are hunting for the information of their victims because they focus on large organizations in Asia and Africa and attack various sectors, both private and public, but place a special emphasis on government structures," the experts write.

In a few intrusions the attackers used ProxyShell exploits (the chain of Microsoft Exchange Server vulnerabilities) to gain initial access to their victims' networks, but for most incidents the initial intrusion vector remains unknown.

"As a rule, after the exploitation of vulnerabilities, web shells were loaded in order to gain a foothold in the victim's network. The attackers then used various implants to gain additional capabilities," the report says.

The Worok toolkit includes two loaders: CLRLoad, a C++ loader that loads the .NET Common Language Runtime and executes a managed assembly, and PNGLoad, a C# loader that reconstructs its payload from bytes hidden steganographically in PNG image files. Because the payload never exists on disk as a separate file, a scanner that only inspects executables sees an ordinary image.
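To make the loader concept concrete, the following added example (written for this article, not code from ESET or from the Worok toolkit) hides a constructed sample payload in the least significant bits of an RGB PNG and then parses the file and recovers it, the way a PNG-based loader reconstructs its payload. The PNG writer and reader are minimal and hand-rolled so the block runs offline without image libraries; the 4-byte length header, MSB-first bit order, channel-by-channel placement and the gradient cover image are all assumptions of this example, not Worok's actual format.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed sample payload standing in for a hidden script; not a real Worok artifact.
PAYLOAD = b"Write-Host 'constructed stand-in for a hidden script'"


def _chunk(tag, data):
    """Build one PNG chunk: length, tag, data, CRC32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def write_png(width, height, pixels):
    """Encode raw 8-bit RGB pixels (row-major, no padding) as an unfiltered PNG."""
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data):
    """Parse an 8-bit RGB PNG with filter-type-0 rows; returns (width, height, pixels)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, width, height = 8, b"", None, None
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(tag + body) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in chunk %r" % tag)
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB images are supported")
        elif tag == b"IDAT":
            idat += body  # image data may be split across several IDAT chunks
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw, stride, pixels = zlib.decompress(idat), width * 3, bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("only filter type 0 rows are supported")
        pixels += row[1:]
    return width, height, bytes(pixels)


def embed(pixels, payload):
    """Hide a 4-byte big-endian length plus payload in the LSB of successive channel bytes."""
    blob = struct.pack(">I", len(payload)) + payload
    if len(blob) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i in range(len(blob) * 8):
        bit = (blob[i // 8] >> (7 - i % 8)) & 1  # MSB-first within each payload byte
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(pixels):
    """Inverse of embed(): read the length header, then that many payload bytes."""
    def lsb_bytes(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (pixels[start + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    (length,) = struct.unpack(">I", lsb_bytes(0, 4))
    if 32 + length * 8 > len(pixels):  # refuse a header that points past the image
        raise ValueError("declared payload length exceeds image capacity")
    return lsb_bytes(32, length)


def make_cover(width=64, height=64):
    """Constructed synthetic cover image (a smooth gradient), not a real picture."""
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += bytes(((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF))
    return bytes(px)


def roundtrip_demo():
    """Embed PAYLOAD, serialise a PNG, parse it back and recover the payload."""
    stego_png = write_png(64, 64, embed(make_cover(), PAYLOAD))
    _, _, px = read_png(stego_png)
    return extract(px)
```

Two practical points follow from the block. The stego image is a fully valid PNG (every chunk CRC checks out), so file-type detection and image viewers will not flag it; only the pixel LSBs differ from the clean cover. And on a natural photograph the LSB plane is already close to random, so a purely statistical check has little to work with; hunting for this loader class is more productive at the process level (a .NET or PowerShell process reading image files it has no reason to open) than at the file level.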

Although ESET has not yet been able to recover the group's final payloads, while investigating the attacks the researchers found a new PowerShell backdoor, which they named PowHeartBeat. In intrusions since February 2022 it has replaced CLRLoad as the component that launches PNGLoad on compromised systems.


PowHeartBeat has a wide range of capabilities, including manipulating files, executing commands and processes, and uploading and downloading files to or from victims’ devices.

"Although our visibility is limited for now, we hope that by shedding light on this group, we will encourage other researchers to share information about Worok," the ESET experts conclude.

According to the researchers, Worok may overlap with the China-aligned hacking group TA428, but the link remains tentative.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
