Cyber-Espionage Group Worok Attacks Asian Governments and Companies

Cyber-Espionage group Worok
Written by Emma Davis

ESET analysts have discovered the Worok cyber-espionage group, which has been active since at least 2020. These hackers mainly attack government agencies and well-known companies in Asian countries, but sometimes organizations from Africa and the Middle East became their targets.

Let me remind you that we also wrote that DeadRinger attack targets telecommunications companies in Southeast Asia, and also that Attackers hacked the IT systems of the Azerbaijan government.

To date, Worok has been linked to attacks on telecommunications, banking, maritime and energy companies, as well as military, government and public organizations. For example, in late 2020, Worok attacked an unnamed telecommunications company in East Asia, a bank in Central Asia, a shipping company in Southeast Asia, a government agency in the Middle East, and a private company in southern Africa, according to researchers.

Cyber-Espionage group Worok

Now, ESET is crediting the group with new attacks on an energy company in Central Asia and a public sector organization in Southeast Asia.

We believe that malware operators are hunting for the information of their victims because they focus on large organizations in Asia and Africa and attack various sectors, both private and public, but place a special emphasis on government structures.the experts write.

While hackers have occasionally used exploits for the ProxyShell issue to gain initial access to their victims’ networks, in general though the initial penetration vector remains unknown for most incidents.

As a rule, after the exploitation of vulnerabilities, web shells were loaded in order to gain a foothold in the victim’s network. The attackers then used various implants to gain additional capabilities.the report says.

The Worok malware toolkit includes two loaders: a C++ loader known as CLRLoad, and a C# loader called PNGLoad, which helps attackers hide payloads in PNG image files using steganography.

Although ESET experts have not yet studied the final payloads of the group, during the investigation of the attacks they revealed a new PowerShell backdoor, which they called PowHeartBeat. Since February 2022, it has replaced CLRLoad and is now used as a tool designed to run PNGLoad on compromised systems.

Cyber-Espionage group Worok

PowHeartBeat has a wide range of capabilities, including manipulating files, executing commands and processes, and uploading and downloading files to or from victims’ devices.

Although our visibility is limited for now, we hope that by shedding light on this group, we will encourage other researchers to share information about Worok.ESET experts summarize.

According to the researchers, Worok may be associated with the Chinese hack group TA428, but experts are not yet completely sure about this.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply