Home » TRENDING NEWS » ESET Research Uncovers Worok Targeting Companies, Governments Mostly in Asia

ESET Research Uncovers Worok Targeting Companies, Governments Mostly in Asia

ESET researchers have identified targeted attacks on several high-profile companies and local governments, primarily in Asia, but also in the Middle East and Africa. Worok, a previously unknown cyberespionage group, carried out these attacks. Worok has been active since at least 2020 and continues to be active now, according to ESET telemetry. Targeted industries included telecommunications, banking, maritime, energy, military, government, and public. In several circumstances, Worok utilized the infamous ProxyShell vulnerabilities to obtain early access.

“We believe the malware operators are after information from their victims because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities,” says ESET researcher Thibaut Passilly who discovered Worok.

Back in late 2020, Worok was targeting governments and companies in multiple countries, specifically:
● A telecommunications company in East Asia
● A bank in Central Asia
● A maritime industry company in Southeast Asia
● A government entity in the Middle East
● A private company in southern Africa

There was a significant break in observed operations from May 2021 to January 2022, but Worok activity returned in February 2022, targeting:
● An energy company in Central Asia
● A public sector entity in Southeast Asia

Worok is a cyberespionage organization that creates its own tools as well as using existing ones to compromise its targets. Two loaders, CLRLoad and PNGLoad, as well as a backdoor, PowHeartBeat, are part of the group’s own toolkit.

CLRLoad is a first-stage loader that was used in 2021, but was mostly replaced by PowHeartBeat in 2022. PNGLoad is a second-stage loader that uses steganography to recover malicious payloads concealed in PNG images.

PowHeartBeat is a full-featured backdoor developed in PowerShell and obfuscated with multiple techniques like as compression, encoding, and encryption. This backdoor provides a variety of features, including command/process execution and file manipulation. It can, for example, upload and download files from compromised workstations; return file information such as the path, length, creation time, access times, and content to the command and control server; and delete, rename, and move files.

“While our visibility at this stage is limited, we hope that putting the spotlight on this group will encourage other researchers to share information about this group,” adds Passilly.

Check Also

Low-code platform provider Pegasystems has integrated its Pega Process AI technology into Pega Smart Dispute, a move set to aid retail banks in optimizing their chargeback processes.

Pegasystems Unveils AI-Infused Solution to Expedite Retail Bank Chargebacks

Low-code platform provider Pegasystems has integrated its Pega Process AI technology into Pega Smart Dispute, …

Do NOT follow this link or you will be banned from the site!