Bigtime entities in Asia get targeted by the Worok threat group

September 8, 2022

The Worok threat group targets high-profile companies and government offices in Asia. The actors behind it form an espionage group that has been active for about two years.

Worok shares similarities in tooling and interests with another threat group called TA428. Both groups are reported to have targeted important sectors across Asia, such as financial departments, energy corporations, maritime industries, and telecommunication agencies.

Researchers have also recorded campaigns targeting the Middle East and some African private entities.

The group's activity paused from May last year to January this year and resumed in February; cybersecurity researchers report that its goal is to collect information from essential institutions in Asian countries.

In intrusions observed through 2021 and 2022, initial access in selected incidents came through ProxyShell exploits. The intrusion was then followed by the deployment of custom backdoors to maintain and extend access.

The group's other intrusion methods have not yet been identified by researchers.

Worok threat group used different loaders for their campaigns.

Cybersecurity experts stated that the Worok threat group's campaign uses several loaders. The first-stage loader, dubbed CLRLoad, is succeeded by another .NET-based steganographic loader called PNGLoad. The latter executes a PowerShell script, not yet recovered by researchers, that is embedded in a PNG image file.

Worok's infection chain favoured dropping CLRLoad to deploy a full-featured PowerShell implant called PowHeartBeat, which is commonly observed after PNGLoad is launched. PowHeartBeat communicates with a remote server over ICMP or HTTP to run arbitrary commands, send and receive files, and perform related file operations.
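Command-and-control over ICMP, as described above, stands out on the wire because stock ping utilities send fixed fill patterns, while a tunnel carrying commands or files sends payloads that vary and look compressed or encrypted. The following detector is an added example written for this page, not code from the researchers who analysed PowHeartBeat; it scores per-host echo-request payloads over a constructed set of ICMP records. The Windows alphabet fill and the iputils "byte equals its offset" pattern are assumptions about what standard ping tools emit, and the 5.0 bits-per-byte threshold is a tunable starting point.

```python
import hashlib
import math
import statistics
from collections import defaultdict

# Fill pattern sent by the Windows ping utility (assumed constant).
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = (data.count(bytes([b])) for b in set(data))
    return -sum(c / n * math.log2(c / n) for c in counts)


def is_stock_ping(payload):
    """True for the fill patterns standard ping tools emit. Assumed patterns:
    Windows' fixed alphabet, and the 56-byte iputils buffer in which every byte
    after the 16-byte timestamp equals its own offset."""
    if payload == WINDOWS_PING:
        return True
    return len(payload) == 56 and payload[16:] == bytes(range(16, 56))


def score_icmp(records, min_requests=3, entropy_threshold=5.0):
    """Group ICMP echo requests (type 8) by (src, dst) and flag pairs that sent
    several non-stock payloads whose mean entropy suggests encoded data."""
    by_pair = defaultdict(list)
    for r in records:
        if r["type"] == 8:
            by_pair[(r["src"], r["dst"])].append(r["payload"])
    results = {}
    for pair, payloads in by_pair.items():
        odd = [p for p in payloads if not is_stock_ping(p)]
        mean_ent = statistics.fmean(entropy(p) for p in odd) if odd else 0.0
        results[pair] = {
            "requests": len(payloads),
            "non_stock": len(odd),
            "mean_entropy": round(mean_ent, 2),
            "max_payload": max((len(p) for p in odd), default=0),
            "flag": len(odd) >= min_requests and mean_ent >= entropy_threshold,
        }
    return results


# Constructed sample traffic (not captured data): one host doing ordinary Linux
# pings, and one host whose echo requests carry hash-derived bytes standing in
# for encrypted tunnel traffic.
def linux_ping(seq):
    timestamp = seq.to_bytes(8, "big") + bytes(8)  # constructed 16-byte timestamp
    return timestamp + bytes(range(16, 56))


def constructed_c2(seq):
    return b"".join(hashlib.sha256(f"constructed-{seq}-{i}".encode()).digest() for i in range(4))


RECORDS = (
    [{"src": "10.0.0.5", "dst": "10.0.0.1", "type": 8, "payload": linux_ping(i)} for i in range(5)]
    + [{"src": "10.0.0.1", "dst": "10.0.0.5", "type": 0, "payload": linux_ping(i)} for i in range(5)]
    + [{"src": "10.0.0.7", "dst": "203.0.113.9", "type": 8, "payload": constructed_c2(i)} for i in range(6)]
)

if __name__ == "__main__":
    for pair, metrics in score_icmp(RECORDS).items():
        print(pair, metrics)
```

Only echo requests are scored, since the interesting direction is the beacon leaving the host; replies are left out so that a reply-only view does not double count. A host whose echo requests mostly fail the stock-pattern check and carry high-entropy data is worth correlating with process telemetry (which process opened the raw ICMP socket) before raising an alert.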

However, the researchers could not recover the final-stage payload. They assess that it is hidden in a valid, convincing PNG image, which lets the malware stay in place without attracting the attention of security solutions.
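A PNG that still renders correctly while carrying a payload is the point of the steganographic loader described above, so a defender's first question is what a "valid" image can hide structurally. The checker below is an added example, not the researchers' code and not a reproduction of PNGLoad; the page does not say how PNGLoad embeds its script, so these are generic structural checks. It walks the chunk list, verifies CRCs, flags data appended after IEND, flags unknown or oversized ancillary chunks, and cross-checks the inflated pixel stream against the geometry declared in IHDR. The sample images and the chunk type pLDR are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types a normal decoder expects to see; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA",
    b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"tIME", b"tRNS", b"sBIT",
    b"hIST", b"sPLT",
}
# Samples per pixel per PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def parse_chunks(data):
    """Walk the chunk list. Returns (chunks, trailing): each chunk is
    (type, payload, crc_ok); trailing is whatever bytes follow IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == struct.unpack(">I", crc)[0]
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def inspect_png(data):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings = []
    chunks, trailing = parse_chunks(data)
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("ascii", errors="replace")
        if not crc_ok:
            findings.append(f"bad CRC on {name} chunk")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {name} ({len(payload)} bytes)")
        elif ctype in (b"tEXt", b"zTXt", b"iTXt") and len(payload) > 1024:
            findings.append(f"oversized {name} chunk ({len(payload)} bytes)")
    # The inflated IDAT stream must be exactly height * (1 filter byte + row bytes);
    # a surplus means bytes are riding inside the pixel stream itself.
    ihdr = next((p for t, p, _ in chunks if t == b"IHDR"), None)
    if ihdr is None or len(ihdr) < 13:
        findings.append("missing or short IHDR")
        return findings
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    row_bytes = (width * CHANNELS.get(colour, 1) * depth + 7) // 8
    expected = height * (1 + row_bytes)
    idat = b"".join(p for t, p, _ in chunks if t == b"IDAT")
    try:
        raw = zlib.decompress(idat)
    except zlib.error:
        findings.append("IDAT does not inflate")
        return findings
    if len(raw) != expected:
        findings.append(f"pixel stream is {len(raw)} bytes, expected {expected}")
    return findings


def make_png(width, height, rgb, extra_chunks=(), trailing=b""):
    """Build a minimal 8-bit RGB PNG (constructed test data, not a real sample)."""
    def chunk(ctype, payload):
        return (struct.pack(">I", len(payload)) + ctype + payload
                + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + rgb[r * width * 3:(r + 1) * width * 3] for r in range(height))
    body = chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows))
    for ctype, payload in extra_chunks:
        body += chunk(ctype, payload)
    return PNG_SIGNATURE + body + chunk(b"IEND", b"") + trailing


# Constructed samples: a clean 2x2 image, the same image with a blob stuck after
# IEND, and one carrying a made-up ancillary chunk type that viewers would ignore.
PIXELS = bytes([255, 0, 0, 0, 255, 0, 0, 0, 255, 255, 255, 255])
CLEAN = make_png(2, 2, PIXELS)
APPENDED = make_png(2, 2, PIXELS, trailing=b"X" * 32)
PRIVATE_CHUNK = make_png(2, 2, PIXELS, extra_chunks=[(b"pLDR", b"\x00" * 300)])

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("appended", APPENDED), ("private chunk", PRIVATE_CHUNK)]:
        print(label, inspect_png(sample) or "no findings")
```

All three samples open as ordinary images, which is exactly why a viewer is no help here. The caveat is the converse: a loader that encodes its script in pixel values rather than in extra chunks or trailing bytes produces a file that passes every check above, so this scan is a cheap first filter, and the durable detection is on the consumer side, such as a .NET process reading an image file and then spawning PowerShell.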

Worok is a cyberespionage threat group that develops its own tools and also leverages existing kits to compromise its targets. Organisations should therefore keep tabs on the group's activity to minimise the chances of being attacked.
