Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Worok Hackers Target High-Profile Asian Companies and Governments

High-profile companies and local governments located primarily in Asia are the subjects of targeted attacks by a previously undocumented espionage group dubbed Worok that has been active since late 2020.

“Worok’s toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files,” ESET researcher Thibaut Passilly said in a new report published today.

Worok is said to share overlaps in tools and interests with another adversarial collective tracked as TA428, with the group linked to attacks against entities spanning energy, financial, maritime, and telecom sectors in Asia as well as a government agency in the Middle East and a private firm in southern Africa.

Malicious activities undertaken by the group experienced a noticeable break from May 2021 to January 2022, before resuming the next month. The Slovak cybersecurity firm assessed the group’s goals to be aligned with information theft.

Initial foothold to target networks through 2021 and 2022 entailed the use of ProxyShell exploits in select instances, followed by deploying additional custom backdoors for entrenched access. Other initial compromise routes are unknown as yet.

Among the tools in Worok’s malware arsenal is a first-stage loader called CLRLoad, which is succeeded by a .NET-based steganographic loader codenamed PNGLoad that’s capable of executing an unknown PowerShell script embedded in a PNG image file.

Infection chains in 2022 have since dropped CLRLoad in favor of a full-featured PowerShell implant referred to as PowHeartBeat that’s subsequently used to launch PNGLoad, in addition to communicating with a remote server via HTTP or ICMP to execute arbitrary commands, send and receive files, and carry out related file operations.

ESET said it was unable to retrieve any of the final-stage PNG payloads, although it’s suspected that the malware could be concealed in valid, innocuous-looking PNG images and therefore “hide in plain sight” without attracting attention.

“Worok is a cyber espionage group that develops its own tools, as well as leveraging existing tools, to compromise its targets,” Passilly said.

“Stealing information from their victims is what we believe the operators are after because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities.”

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

CyberSecure Announces Strategic Alliance

CyberSecure Announces Strategic Alliance

BETHESDA, Md., March 24, 2023 /PRNewswire/ — Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to…
Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own…
GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub, a Microsoft subsidiary has replaced its SSH keys after someone inadvertently published its private RSA SSH host key part of…