Mysterious 'Worok' Group Launches Spy Effort With Obfuscated Code, Private Tools
The threat actor — whose techniques and procedures do not match known groups — has created custom attack tools, including a program that hides scripts in .PNG images.
September 6, 2022
A relatively new cyber-espionage group is using an intriguing custom arsenal of tools and techniques to compromise companies and governments in Southeast Asia, the Middle East, and southern Africa, with attacks aimed at collecting intelligence from targeted organizations.
According to an analysis published on Tuesday by cybersecurity firm ESET, the hallmark of the group, which is dubbed Worok, is its use of custom tools not seen in other attacks, a focus on targets in Southeast Asia, and operational similarities to the China-linked TA428 group.
In 2020, the group attacked telecommunications companies, government agencies, and maritime firms in the region before taking a months-long break. It restarted operations at the beginning of 2022.
ESET issued the advisory on the group because the company's researchers have not seen many of the tools used by any other group, says Thibaut Passilly, a malware researcher with ESET and author of the analysis.
"Worok is a group that uses exclusive and new tools to steal data — their targets are worldwide and include private companies, public entities, as well as governmental institutions," he says. "Their usage of various obfuscation techniques, especially steganography, makes them really unique."
Worok's Custom Toolset
Worok bucks the more recent trend of attackers using cybercriminal services and commodity attack tools as these offerings have blossomed on the Dark Web. The proxy-as-a-service offering EvilProxy, for example, allows phishing attacks to bypass two-factor authentication methods by capturing and modifying content on the fly. Other groups have specialized in specific services such as initial access brokers, which allow state-sponsored groups and cybercriminals to deliver payloads to already-compromised systems.
Worok's toolset instead consists of an in-house kit. It includes the CLRLoad C++ loader; the PowHeartBeat PowerShell backdoor; and a second-stage C# loader, PNGLoad, that hides code in image files using steganography (although researchers have not yet captured an encoded image).
For command and control, PowHeartBeat currently uses ICMP packets to issue commands to compromised systems, including running commands, saving files, and uploading data.
While the targeting of the malware and the use of some common exploits — such as the ProxyShell exploit, which has been actively used for more than a year — are similar to existing groups, other aspects of the attack are unique, Passilly says.
"We have not seen any code similarity with already known malware for now," he says. "This means they have exclusivity over malicious software, either because they make it themselves or they buy it from a closed source; hence, they have the ability to change and improve their tools. Considering their appetite for stealthiness and their targeting, their activity must be tracked."
Few Links to Other Groups
While the Worok group has aspects that resemble TA428, a Chinese group that has run cyber-operations against nations in the Asia-Pacific region, the evidence is not strong enough to attribute the attacks to the same group, ESET says. The two groups may share tools and have common goals, but they are distinct enough that their operators are likely different, Passilly says.
"[W]e have observed a few common points with TA428, especially the usage of ShadowPad, similarities in the targeting, and their activity times," he says. "These similarities are not that significant; therefore we link the two groups with low confidence."
For companies, the advisory is a warning that attackers continue to innovate, Passilly says. Companies should track the behavior of cyber-espionage groups to understand when their industry might be targeted by attackers.
"The first and most important rule to protect against cyberattacks is to keep software updated in order to reduce the attack surface, and use multiple layers of protections to prevent intrusions," Passilly says.
About the Author
You May Also Like