ESET Research uncovers new cyberespionage group Worok targeting companies, governments mostly in Asia
Created: 2022-09-14 08:05:59
- ESET researchers have discovered a previously unknown cyberespionage group that they named Worok.
- Worok has attacked various high-profile companies from the telecommunications, banking, maritime, energy, military, government, and public sectors. The targets are located mostly in Asia, but also in the Middle East and Africa.
- Worok develops its own tools and leverages existing tools to compromise its targets. The group has used the infamous ProxyShell vulnerabilities to gain initial access in some cases. Its PowerShell backdoor PowHeartBeat has various capabilities, including command/process execution and uploading and downloading files.
BRATISLAVA, MONTREAL — SEPTEMBER 6, 2022 — ESET researchers recently discovered targeted attacks that used undocumented tools against various high-profile companies and local governments mostly in Asia, but also in the Middle East and Africa. These attacks were conducted by a previously unknown cyberespionage group that ESET has named Worok. According to ESET telemetry, Worok has been active since at least 2020 and continues to be active today. Among the targets were companies from the telecommunications, banking, maritime, energy, military, government, and public sectors. Worok used the infamous ProxyShell vulnerabilities to gain initial access in some cases.
“We believe the malware operators are after information from their victims because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities,” says ESET researcher Thibaut Passilly who discovered Worok.
Back in late 2020, Worok was targeting governments and companies in multiple countries, specifically:
• A telecommunications company in East Asia
• A bank in Central Asia
• A maritime industry company in Southeast Asia
• A government entity in the Middle East
• A private company in southern Africa
There was a significant break in observed operations from May 2021 to January 2022, but Worok activity returned in February 2022, targeting:
• An energy company in Central Asia
• A public sector entity in Southeast Asia
Worok is a cyberespionage group that develops its own tools and leverages existing tools to compromise its targets. The group’s custom toolset includes two loaders, CLRLoad and PNGLoad, and a backdoor, PowHeartBeat.
CLRLoad is a first-stage loader that was used in 2021, but in 2022 was replaced, in most cases, by PowHeartBeat. PNGLoad is a second-stage loader that uses steganography to reconstruct malicious payloads hidden in PNG images.
PowHeartBeat is a full-featured backdoor written in PowerShell, obfuscated using various techniques such as compression, encoding, and encryption. This backdoor has various capabilities, including command/process execution and file manipulation. For example, it is capable of uploading files to and downloading files from compromised machines; returning file information such as the path, length, creation time, access times, and content to the command and control server; and deleting, renaming, and moving files.
“While our visibility at this stage is limited, we hope that putting the spotlight on this group will encourage other researchers to share information about this group,” adds Passilly.
For more technical information about Worok, check out the blogpost “Worok: the big picture” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
Visual heatmap of the targeted regions and verticals
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.