The targets of Worok cyber espionage are high-ranking institutions in the telecommunications, banking, energy, military, government and shipping sectors. The group is currently still targeting Asia, Africa and the Middle East.
The Worok hacker group uses targeted attacks to spy on high-ranking institutions in Asia, Africa and the Middle East. Researchers from the European security manufacturer ESET have succeeded in uncovering the activities of the actors and analyzing their previously unknown tools. The group has been active since 2020, but has been on the road again since February 2022 after a longer break.
Worok uses in-house developments
The arsenal of the hackers consists of new, self-developed and already known tools. In some cases, the group has used the notorious ProxyShell vulnerabilities in Microsoft Exchange to gain initial access. The PowerShell backdoor PowHeartbeat, which is equipped with various functions, was used here. This enables the execution of commands and processes as well as the uploading and downloading of files.
"Worok is after sensitive information from their targets. The cyber espionage group focuses on high-level institutions mainly in Asia and Africa. The hackers attack companies and organizations from different sectors, but the focus is clearly on government institutions," says ESET researcher Thibaut Passilly, who discovered Worok. "With our analysis, we want to lay the foundation for other researchers to further explore the activities of the group and give us a deeper insight."
The goals of the spy group
By the end of 2020, Worok was already targeting governments and companies in several countries:
- A telecommunications company in East Asia
- A bank in Central Asia
- A company in the maritime industry in Southeast Asia
- A government agency in the Middle East
- A private company in Southern Africa
From May 2021 to January 2022 there was a longer interruption in the observed activities. In February 2022, the group returned and attacked:
- An energy company in Central Asia
- A public sector company in Southeast Asia
Who is Vorok?
Cyber espionage group Worok uses proprietary and existing tools to compromise their targets. These include two loaders, CLRLoad and PNGLoad, as well as the backdoor PowHeartBeat. CLRLoad is a loader that uses 2021 but has been replaced by PowHeartBeat in most cases in 2022. PNGLoad uses steganography to reconstruct malicious payloads hidden in PNG images.
Written in PowerShell, the backdoor PowHeartBeat has a wide range of functions, including command/process execution and file manipulation. It disguises its mischief using various techniques such as compression, coding and encryption. For example, PowHeartBeat is able to upload and download files to compromised computers, return file information such as path, length, creation time, access times, and content to the command and control server, and delete, rename, and move files.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.