A cyber-espionage group has targeted government agencies and large corporations across Asia since at least 2020, using the infamous ProxyShell vulnerabilities in Microsoft Exchange to gain initial access.
According to ESET, the crew, which the security firm has named Worok, may be associated with TA428, a similar group believed to be backed by China that has been active since 2019.
Threat intelligence researchers at the cybersecurity software provider saw activity from a range of advanced persistent threat (APT) groups in early 2021, following the disclosure of the ProxyShell (CVE-2021-34523) vulnerability, and one of those groups showed some similarities to TA428, such as common activity times, targeted verticals, and the use of ShadowPad, a backdoor used in a number of espionage campaigns.
However, other tools used by the group differed from those employed by TA428, a Chinese state-sponsored gang known for targeting organizations in East Asia and Russia and also referred to as Colorful Panda.
“We believe that the links are not strong enough to consider Worok as the same group as TA428, but the two groups may share tools and have common interests,” Thibaut Passilly, a malware researcher at ESET, wrote in a report on Tuesday. “We decided to make a cluster and called it Worok.”
The researchers then linked other attacks to Worok using variants of the same tools, concluding that the group has been around since late 2020 and is still active today.
Worok’s toolset includes CLRLoad, a C++ loader; PowHeartBeat, a PowerShell backdoor; and PNGLoad, a C# .NET loader that uses steganography—hiding one message within another—to extract hidden malicious payloads from PNG files.
“Given the profiles of the targets and the tools we’ve seen deployed against these victims, we think Worok’s main purpose is to steal information,” Passilly wrote.
At the end of 2020, the group focused on a telecommunications company in East Asia, a bank in Central Asia and a Southeast Asian company in the maritime sector. There was also a government agency in the Middle East and a private company in southern Africa.
Thereafter, there was a lull in Worok’s activity from May 2021 to January before it returned with attacks on an energy company in Central Asia and a government agency in Southeast Asia.
It is unknown in most cases how the spy group gains initial access to victims’ networks, although there are some cases in 2021 and 2022 where the ProxyShell flaws were exploited. In those cases, web shells were uploaded after exploiting the vulnerabilities to ensure persistence in the compromised networks.
Once inside, the Worok operators use a variety of publicly available tools, such as Mimikatz, EarthWorm, ReGeorg and NBTscan, for reconnaissance, Passilly said. Then the group deploys its custom malware, including a first-stage loader. Initially, that was CLRLoad, a generic Windows PE written in C++ that loads the next stage, PNGLoad, which is expected to be a Common Language Runtime (CLR) assembly DLL file.
“That [PNGLoad] code is loaded from a file located on disk in a legitimate folder, presumably to mislead victims or incident responders into thinking it’s legitimate software,” he wrote.
In the later attacks in 2022, PowHeartBeat, a fully featured backdoor written in PowerShell and obfuscated with techniques such as compression, encoding and encryption, replaced CLRLoad. It is also used to launch PNGLoad.
In addition, PowHeartBeat encrypts logs and other contents of its configuration files and can delete, rename or move a file. It also communicates with the command-and-control (C2) server, initially via HTTP and later – with version 2.4 of PowHeartBeat – via ICMP. In both cases the communication is unencrypted, Passilly said.
However, it is unclear what the final payload is, he wrote.
“We were unable to obtain a sample .png file to be used with PNGLoad, but the way PNGLoad works suggests it should work with valid PNG files,” Passilly wrote. “To hide the malicious payload, Worok uses Bitmap objects in C#, which only extract pixel information from files, not the file metadata. This means that Worok can hide its malicious payloads in valid, harmless-looking PNG images and thus hide in plain sight.”
ESET believes Worok is a cyber-espionage group, based on its high-profile targets in Asia and Africa and its emphasis on government agencies. And while there may be a connection to TA428, that assessment is made with low confidence, he wrote.
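As an added illustration of that point (this is not code from the article or from ESET's report), the Python below reads only a PNG's pixel data, the way a Bitmap-style loader does, and shows that bytes carried in the pixels' least-significant bits come out identical whether or not the file carries metadata chunks, which is why inspecting tEXt chunks or file hashes tells a responder nothing and the pixel plane itself has to be examined. The least-significant-bit scheme and the 8x4 sample carrier are assumptions made for this example; the article does not say how PNGLoad encodes its payload.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _paeth(a, b, c):  # PNG Paeth predictor (RFC 2083, section 6.6)
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    return a if pa <= pb and pa <= pc else b if pb <= pc else c

def png_pixels(data):  # pixel bytes of a non-interlaced 8-bit RGB/RGBA PNG; metadata chunks ignored
    assert data[:8] == PNG_SIG, "not a PNG"
    pos, idat = 8, b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            w, h, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", body)
            assert depth == 8 and color in (2, 6) and interlace == 0, "unsupported layout"
            bpp = 3 if color == 2 else 4  # bytes per pixel
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length  # 4-byte length + 4-byte type + body + 4-byte CRC; tEXt etc. skipped
    raw, stride = zlib.decompress(idat), w * bpp
    prev, out = bytearray(stride), bytearray()
    for y in range(h):  # undo the per-scanline filter (None/Sub/Up/Average/Paeth)
        f, line = raw[y * (stride + 1)], bytearray(raw[y * (stride + 1) + 1:(y + 1) * (stride + 1)])
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0
            b, c = prev[i], (prev[i - bpp] if i >= bpp else 0)
            line[i] = (line[i] + (0, a, b, (a + b) // 2, _paeth(a, b, c))[f]) & 255
        out, prev = out + line, line
    return bytes(out)

def lsb_plane(pixels):  # pack the LSB of every pixel byte into bytes, MSB first
    bits = [p & 1 for p in pixels]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))

def build_png(width, height, rgb, text=None):  # constructed carrier: 8-bit RGB, filter 0 rows
    ck = lambda t, b: struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))
    rows = b"".join(b"\x00" + rgb[r * width * 3:(r + 1) * width * 3] for r in range(height))
    meta = ck(b"tEXt", text) if text else b""
    return (PNG_SIG + ck(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)) + meta
            + ck(b"IDAT", zlib.compress(rows)) + ck(b"IEND", b""))

MARKER = b"constructed!"  # 12 bytes = 96 bits, one per pixel byte of the constructed 8x4 RGB image
SAMPLE_RGB = bytes(0x80 + (i % 7) * 2 + ((MARKER[i // 8] >> (7 - i % 8)) & 1) for i in range(96))

def recover_marker(with_metadata):  # same pixels, with or without a tEXt chunk
    png = build_png(8, 4, SAMPLE_RGB, b"Comment\x00nothing to see" if with_metadata else None)
    return lsb_plane(png_pixels(png))
```

Running `recover_marker(True)` and `recover_marker(False)` returns the same hidden bytes, so stripping or rewriting metadata leaves a pixel-borne payload untouched.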
Most recently, TA428 was behind a series of cyber-espionage attacks in Eastern Europe and Afghanistan early this year. Kaspersky researchers said in a report last month that the group focused on industrial facilities, research institutions and government agencies in countries such as Belarus, Russia and Ukraine. ®