
ESET reveals cyber-espionage group targeting companies and governments


Investigators from ESET, a European cybersecurity company, have uncovered a series of cyberattacks using never-before-documented tools against a number of high-profile companies and local governments, mostly in Asia, but also in the Middle East and Africa. These attacks were launched by a previously unknown cyber-espionage group that ESET called Worok.

According to ESET telemetry, the group has been active since at least 2020 and remains active today. Among the targets are telecommunications, banking, naval, energy, military, government and public sector companies. In some cases, cybercriminals have used ProxyShell vulnerabilities (a series of vulnerabilities in Exchange servers that have already been patched by Microsoft but continue to be exploited today) to gain initial access to systems.

“We believe malware operators seek to steal data from their victims as they focus on high-profile entities in Asia and Africa, targeting diverse sectors, both private and public, but with a specific emphasis on government entities,” said Thibaut Passilly, one of the ESET researchers who discovered Worok.

In late 2020, the Worok group was attacking governments and companies in multiple countries, including:

  • A telecommunications company in East Asia
  • A bank in Central Asia
  • A company in the shipping industry in Southeast Asia
  • A government entity in the Middle East
  • A large private company in southern Africa

There was a significant drop in the group’s operations between May 2021 and January 2022, but activity resumed in February 2022, affecting:

  • An energy company in Central Asia
  • A public sector entity in Southeast Asia

Worok is a cyber-espionage group that develops its own tools and takes advantage of existing tools to compromise its targets. The group’s toolset includes two loaders, CLRLoad and PNGLoad, and a backdoor, PowHeartBeat. CLRLoad was used in 2021, but in 2022 it was replaced, in most cases, by PowHeartBeat.

In both years, PNGLoad was used to reconstruct malicious payloads hidden in PNG images. Note that loaders in general are legitimate software components that load programs and libraries; in this case, they have been used to load malware.

“We hope that by revealing this group’s operations other investigators will be encouraged to share information about it,” added Passilly.
