A newly identified cyber-espionage group, Worok, has been targeting governments and high-profile organisations in Asia with a mix of custom-made and publicly available malicious tools.
Worok, the threat group discovered by ESET security researchers, has also attacked targets in Africa and the Middle East. Experts say the group might be connected to TA428, a similar group that has been active since 2019 and is believed to be backed by China.
In 2020, the cybersecurity vendor’s threat intelligence analysts observed activity from a number of APT groups. Worok has so far been connected to cyberattacks on military, governmental and public sector organisations, as well as financial, energy, maritime and telecommunications companies.
Worok targeted a bank in Central Asia, a maritime corporation in Southeast Asia, a Middle Eastern government agency, a private company in southern Africa, and an East Asian telecoms company.
No further sightings occurred until February 2022, when ESET once more connected the group to attacks on a public sector organisation in Southeast Asia and a Central Asian energy business.
Late in August, research conducted by PwC Threat Intelligence revealed a Chinese initiative to compile data on international heavy industry producers and other targets related to operations in the South China Sea.
Attack map of Worok (ESET)
Chinese hackers have recently attacked Russian defence organisations too, particularly as a result of the Russian invasion of Ukraine.
Thibaut Passilly, a malware researcher with ESET, said:
“We believe the malware operators are after information from their victims because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities.”
Worok Attack Technique
The initial access vector for the majority of the group’s breaches is still unclear. Where it is known, however, the group undoubtedly used ProxyShell vulnerabilities to obtain access to the networks of its victims.
According to ESET:
“In such situations, the vulnerabilities have often been exploited and then webshells uploaded to the victim’s network to offer persistence. Then the operators used various implants to gain further capabilities.”
Two loaders from Worok’s malicious toolkit, CLRLoad (written in C++) and PNGLoad (written in C#), are used by the attackers to load malware payloads that have been hidden steganographically inside PNG image files.
Although there were certain incidents in 2021 and 2022 where the ProxyShell vulnerabilities were exploited, it is generally unknown how the espionage group initially gained entry into victims’ networks. In those instances, webshells were uploaded once the vulnerabilities had been exploited, to guarantee persistence in the affected networks.
ESET discovered a new PowerShell backdoor called PowHeartBeat, which has replaced CLRLoad in incidents recorded from February 2022 onwards as the tool used to launch PNGLoad on infected computers. ESET has not, however, yet been able to recover one of the final payloads delivered in the group’s attacks.
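The page says PNGLoad retrieves payloads hidden steganographically in PNG images but does not describe the encoding. The following is an added example, not ESET's or Worok's code: it assumes least-significant-bit (LSB) embedding in 8-bit RGB pixel data and shows a triage check a defender can run over image files, flagging images whose LSB plane looks like random data (an encrypted or compressed payload) rather than natural image structure. The PNG encoder, decoder, gradient cover image and embedded payload are all constructed here for the demonstration.

```python
"""Added example (not ESET's or Worok's code): LSB-plane steganalysis for PNG files.
ASSUMPTION: the payload is embedded in the least-significant bit of each 8-bit
RGB sample. The page does not state PNGLoad's actual encoding."""
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_png(width, height, samples):
    """Encode flat 8-bit RGB samples as a minimal PNG (filter type 0 on every scanline)."""
    stride = width * 3
    raw = b"".join(b"\x00" + bytes(samples[y * stride:(y + 1) * stride]) for y in range(height))

    def chunk(tag, body):
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 = RGB
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def _paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def decode_png(data):
    """Return (width, height, bpp, flat samples) for a non-interlaced 8-bit RGB/RGBA PNG."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, ihdr = 8, [], None
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif tag == b"IDAT":
            idat.append(body)
        elif tag == b"IEND":
            break
        pos += 12 + length  # length field + tag + body + CRC
    width, height, depth, ctype, _, _, interlace = ihdr
    if depth != 8 or ctype not in (2, 6) or interlace:
        raise ValueError("example handles only non-interlaced 8-bit RGB/RGBA")
    bpp = 3 if ctype == 2 else 4
    stride = width * bpp
    raw = zlib.decompress(b"".join(idat))
    prev, out = bytearray(stride), bytearray()
    for y in range(height):
        off = y * (stride + 1)
        ftype, line = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):  # undo the per-scanline PNG filter (None/Sub/Up/Average/Paeth)
            a = line[i - bpp] if i >= bpp else 0
            b = prev[i]
            c = prev[i - bpp] if i >= bpp else 0
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                line[i] = (line[i] + _paeth(a, b, c)) & 0xFF
        out += line
        prev = line
    return width, height, bpp, bytes(out)


def lsb_plane(samples):
    """Pack the least-significant bit of each sample into bytes, MSB first."""
    bits = [s & 1 for s in samples]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def shannon_entropy(buf):
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def lsb_suspicious(png_bytes, threshold=7.0):
    """Triage heuristic: near-8-bit entropy in the LSB plane suggests an embedded encrypted
    or compressed payload. Smooth images score low; noisy photographs can also score high,
    so treat a hit as a lead to examine the file's provenance, not as a verdict."""
    _, _, _, samples = decode_png(png_bytes)
    return shannon_entropy(lsb_plane(samples)) >= threshold


def gradient_image(width=64, height=64):
    """Constructed sample: a smooth RGB gradient whose LSB plane is highly structured."""
    samples = []
    for y in range(height):
        for x in range(width):
            samples += [x * 255 // width, y * 255 // height, 128]
    return samples


def embed_lsb(samples, payload):
    """Constructed stego sample: overwrite one LSB per sample with each payload bit."""
    out = list(samples)
    bits = [(byte >> k) & 1 for byte in payload for k in range(7, -1, -1)]
    assert len(bits) <= len(out), "payload too large for cover image"
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


_rng = random.Random(7)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1536))  # stands in for an encrypted payload
CLEAN_PNG = build_png(64, 64, gradient_image())
STEGO_PNG = build_png(64, 64, embed_lsb(gradient_image(), PAYLOAD))

if __name__ == "__main__":
    for name, png in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        ent = shannon_entropy(lsb_plane(decode_png(png)[3]))
        print(f"{name}: LSB entropy {ent:.2f} bits, suspicious={lsb_suspicious(png)}")
```

The decoder handles all five PNG scanline filters so the check works on real files, not only on the filter-0 images the example builds; the entropy threshold is a starting point to tune against a baseline of legitimate images from the environment.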
Attack Chains from Worok
File manipulation, command or process execution, as well as uploading or downloading data to and from victims’ devices, are just a few of the many features PowHeartBeat provides.
Thibaut Passilly further said:
“Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence. Even though this group is not widely known, we hope that by bringing it to light, other scholars will be inspired to do the same.”
Additionally, PowHeartBeat can move, modify or delete files, and it encrypts its logs and other configuration file content. Starting with version 2.4, PowHeartBeat communicates with its command-and-control (C2) server over ICMP, having previously used HTTP. Passilly says that neither transmission is encrypted.
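Because ICMP echo traffic is rarely inspected, a C2 channel that rides on it can hide in plain sight. The following is an added example, not ESET's or PowHeartBeat's code, showing how a defender can parse ICMP echo packets and flag payloads that do not match a standard ping generator, then raise a beaconing alert when one host keeps sending such packets to a single peer. The known-ping patterns (Windows ping and Linux iputils ping) come from general knowledge of those tools, not from the page; PowHeartBeat's real message format is not described on the page, so the suspicious samples are constructed stand-ins.

```python
"""Added example (not ESET's or PowHeartBeat's code): spotting non-ping data in ICMP echo
packets. The 'suspicious' payloads are CONSTRUCTED and do not reflect PowHeartBeat's
actual format, which the page does not describe."""
import collections
import math
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte default of Windows ping


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident, seq, payload, icmp_type=ICMP_ECHO_REQUEST):
    """Assemble an ICMP echo packet (8-byte header + payload) with a valid checksum."""
    header = struct.pack(">BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack(">BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(raw):
    """Split an ICMP packet into fields; checksum_ok is False if the packet is corrupt."""
    icmp_type, code, _, ident, seq = struct.unpack(">BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": raw[8:], "checksum_ok": inet_checksum(raw) == 0}


def shannon_entropy(buf):
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(buf).values()) if n else 0.0


def classify_ping_payload(payload):
    """Name the ping generator whose default payload this is, or 'unknown'."""
    if payload == WINDOWS_PING_PAYLOAD:
        return "windows-ping"
    # iputils ping: a struct timeval (8 or 16 bytes) followed by bytes counting up from its offset
    for ts_len in (8, 16):
        if len(payload) > ts_len and all(payload[i] == (i & 0xFF) for i in range(ts_len, len(payload))):
            return "iputils-ping"
    return "unknown"


def find_icmp_c2_candidates(packets, entropy_threshold=6.0, beacon_threshold=3):
    """Alert on echo packets whose payload is not a standard ping, and add a beaconing alert
    when one (src, dst) pair exchanges beacon_threshold or more such packets."""
    alerts, unknown_per_pair = [], collections.Counter()
    for src, dst, raw in packets:
        pkt = parse_icmp(raw)
        if pkt["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        payload = pkt["payload"]
        if classify_ping_payload(payload) != "unknown":
            continue
        reasons = ["payload matches no known ping generator"]
        if shannon_entropy(payload) >= entropy_threshold:
            reasons.append("high-entropy payload")
        if len(payload) not in (32, 56):
            reasons.append("unusual payload length %d" % len(payload))
        if not pkt["checksum_ok"]:
            reasons.append("bad checksum")
        alerts.append({"src": src, "dst": dst, "seq": pkt["seq"], "reasons": reasons})
        unknown_per_pair[(src, dst)] += 1
    for (src, dst), n in unknown_per_pair.items():
        if n >= beacon_threshold:
            alerts.append({"src": src, "dst": dst, "seq": None,
                           "reasons": ["%d non-standard echo packets to one peer" % n]})
    return alerts


def constructed_packets():
    """Constructed traffic: two normal pings, one host pushing text over ICMP repeatedly,
    and one host sending a random (encrypted-looking) blob. Addresses are documentation ranges."""
    linux_payload = bytes(16) + bytes(range(16, 56))  # zeroed 16-byte timeval + counting bytes
    pkts = [
        ("10.0.0.5", "10.0.0.1", build_icmp_echo(0x1234, 1, WINDOWS_PING_PAYLOAD)),
        ("10.0.0.6", "10.0.0.1", build_icmp_echo(0x2B01, 1, linux_payload)),
    ]
    fake_cmd = b"HOSTNAME=WS01;USER=alice;TASK=ls"  # constructed, not PowHeartBeat's real format
    for seq in range(1, 4):
        pkts.append(("10.0.0.7", "203.0.113.9", build_icmp_echo(1, seq, fake_cmd + bytes([seq]))))
    blob = bytes((i * 7919 + 13) % 251 for i in range(256))  # constructed high-entropy payload
    pkts.append(("10.0.0.8", "198.51.100.4", build_icmp_echo(2, 1, blob)))
    return pkts


if __name__ == "__main__":
    for alert in find_icmp_c2_candidates(constructed_packets()):
        print(alert)
```

In production the packet list would come from a capture or a NIDS feed rather than from the constructed function, and the benign-payload list should be extended with whatever monitoring tools in the environment legitimately use echo payloads.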