Mysterious Worok Group Launches Spy Effort With Obfuscated Code, Private Tools

Published: 23/11/2024   Category: security


The threat actor — whose techniques and procedures do not match known groups — has created custom attack tools, including a program that hides scripts in .PNG images.



A relatively new cyber-espionage group is using an intriguing custom arsenal of tools and techniques to compromise companies and governments in Southeast Asia, the Middle East, and southern Africa, with attacks aimed at collecting intelligence from targeted organizations.
According to an analysis published on Tuesday by cybersecurity firm ESET, the hallmarks of the group, which is dubbed Worok, are its use of custom tools not seen in other attacks, a focus on targets in Southeast Asia, and operational similarities to the China-linked TA428 group.
In 2020, the group attacked telecommunications companies, government agencies, and maritime firms in the region before taking a months-long break. It restarted operations at the beginning of 2022.
ESET issued the advisory on the group because the company's researchers have not seen many of the tools used by any other group, says Thibaut Passilly, a malware researcher with ESET and author of the analysis.
"Worok is a group that uses exclusive and new tools to steal data — their targets are worldwide and include private companies, public entities, as well as governmental institutions," he says. "Their usage of various obfuscation techniques, especially steganography, makes them really unique."
Worok bucks the more recent trend of attackers using cybercriminal services and commodity attack tools as these offerings have blossomed on the Dark Web. The proxy-as-a-service offering EvilProxy, for example, allows phishing attacks to bypass two-factor authentication methods by capturing and modifying content on the fly. Other groups have specialized in specific services such as initial access brokers, which allow state-sponsored groups and cybercriminals to deliver payloads to already-compromised systems.
Worok's toolset instead consists of an in-house kit. It includes the CLRLoad C++ loader; the PowHeartBeat PowerShell backdoor; and a second-stage C# loader, PNGLoad, that hides code in image files using steganography (although researchers have not yet captured an encoded image).
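The article does not describe how PNGLoad encodes its payload, and ESET had not yet captured an encoded image. The following is an added example, not code from ESET's report and not PNGLoad's extraction routine: it shows the defender-side check a practitioner would run on suspicious images, namely extracting the least-significant-bit plane of the decoded pixel bytes and measuring how compressible it is. It assumes the simplest stego scheme (one payload bit per colour byte); the gradient carrier, the SHA-256-derived stand-in payload and the 0.9 threshold are all constructed for the example.

```python
"""Heuristic detector for payloads hidden in the least significant bits of image pixels.

Added example, not code from ESET's report and not PNGLoad's actual extraction routine.
It assumes the simplest steganographic scheme (one payload bit per colour byte); the
carrier image and the "encrypted" payload are constructed inline so it runs offline.
"""
import hashlib
import zlib

WIDTH, HEIGHT = 64, 64  # constructed carrier dimensions, 3 colour bytes per pixel


def make_clean_image() -> bytes:
    """Constructed 'clean' carrier: a smooth diagonal gradient as a flat RGB byte array."""
    out = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            v = (x + y) & 0xFF
            out += bytes((v, (3 * v) & 0xFF, 255 - v))
    return bytes(out)


def constructed_payload(n: int) -> bytes:
    """Deterministic stand-in for an encrypted second stage (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-payload-%d" % counter).digest()
        counter += 1
    return bytes(out[:n])


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Simulate a stego carrier: write payload bits, MSB first, into the LSB of consecutive colour bytes."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("payload does not fit into carrier")
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def lsb_plane(pixels: bytes) -> bytes:
    """Collect the LSB of every colour byte into a packed bit-plane (8 colour bytes -> 1 output byte)."""
    out = bytearray()
    acc = n = 0
    for b in pixels:
        acc = (acc << 1) | (b & 1)
        n += 1
        if n == 8:
            out.append(acc)
            acc = n = 0
    if n:
        out.append(acc << (8 - n))
    return bytes(out)


def lsb_compression_ratio(pixels: bytes) -> float:
    """compressed/raw size of the LSB plane.

    The LSB plane of a smooth image is structured and compresses well (ratio far below 1);
    the bits of an encrypted or compressed payload are incompressible (ratio close to 1)."""
    plane = lsb_plane(pixels)
    return len(zlib.compress(plane, 9)) / len(plane)


def looks_stego(pixels: bytes, threshold: float = 0.9) -> bool:
    """Flag a carrier whose LSB plane is close to incompressible.

    Heuristic only: a payload that fills a small fraction of the carrier dilutes the signal,
    and noisy photographs have less structured LSBs than this synthetic gradient."""
    return lsb_compression_ratio(pixels) >= threshold


if __name__ == "__main__":
    clean = make_clean_image()
    stego = embed_lsb(clean, constructed_payload(1500))  # 1500 bytes = 12000 of 12288 carrier bits
    for name, img in (("clean", clean), ("stego", stego)):
        print(f"{name}: LSB-plane compression ratio {lsb_compression_ratio(img):.3f}, "
              f"flagged={looks_stego(img)}")
```

The compression ratio is used rather than raw bit entropy because a gradient's LSBs are already an even mix of 0s and 1s; what distinguishes them from ciphertext is their periodic structure, which a general-purpose compressor captures and random bits do not. In practice this check belongs after PNG decoding (e.g. with Pillow) and only raises a candidate for manual review.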
For command and control, PowHeartBeat currently uses ICMP packets to issue commands to compromised systems, including running commands, saving files, and uploading data.
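Two properties of ordinary echo traffic make ICMP command channels detectable in flow or packet-capture data: an echo reply must return the request's data unchanged (RFC 792), and replies follow requests rather than arriving on their own. The block below is an added example, not ESET's code and not modelled on PowHeartBeat's actual wire format (which the article does not describe); it applies those two checks plus payload-size and entropy heuristics to constructed records. The hosts, ICMP identifiers, the 128-byte/6.5-bit entropy threshold and the set of "common" ping sizes are assumptions made for the example.

```python
"""Flag ICMP echo traffic that behaves like a command channel rather than ping.

Added example; not ESET's code and not a model of PowHeartBeat's wire format, which the
article does not describe. It relies on two properties of legitimate echo traffic: a reply
carries the request's payload unchanged (RFC 792), and replies only follow requests.
The records are constructed, shaped like a flow export
(timestamp, src, dst, ICMP type, identifier, sequence, payload).
"""
import hashlib
import math

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # default 32-byte Windows ping data
COMMON_PING_SIZES = {32, 56, 64}  # Windows and Linux/macOS defaults plus a common manual size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def constructed_blob(label: bytes, n: int) -> bytes:
    """Deterministic stand-in for an encrypted command or result blob (SHA-256 counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(label + b"-%d" % counter).digest()
        counter += 1
    return bytes(out[:n])


def constructed_records() -> list:
    """Constructed sample traffic: one ordinary ping exchange and one covert exchange."""
    beacon = constructed_blob(b"beacon", 48)
    command = constructed_blob(b"command", 256)
    return [
        {"ts": 1.0, "src": "10.0.0.5", "dst": "192.0.2.1", "type": 8, "id": 1, "seq": 1, "payload": WINDOWS_PING_PAYLOAD},
        {"ts": 1.1, "src": "192.0.2.1", "dst": "10.0.0.5", "type": 0, "id": 1, "seq": 1, "payload": WINDOWS_PING_PAYLOAD},
        {"ts": 2.0, "src": "10.0.0.5", "dst": "192.0.2.1", "type": 8, "id": 1, "seq": 2, "payload": WINDOWS_PING_PAYLOAD},
        {"ts": 2.1, "src": "192.0.2.1", "dst": "10.0.0.5", "type": 0, "id": 1, "seq": 2, "payload": WINDOWS_PING_PAYLOAD},
        # Covert exchange (constructed): the "reply" carries different data than the request
        # it answers, and a later reply arrives with no request at all.
        {"ts": 5.0, "src": "10.0.0.7", "dst": "198.51.100.9", "type": 8, "id": 0x4A4A, "seq": 1, "payload": beacon},
        {"ts": 5.2, "src": "198.51.100.9", "dst": "10.0.0.7", "type": 0, "id": 0x4A4A, "seq": 1, "payload": command},
        {"ts": 9.0, "src": "198.51.100.9", "dst": "10.0.0.7", "type": 0, "id": 0x4A4A, "seq": 7, "payload": command},
    ]


def analyze(records) -> list:
    """Return (src, dst, reason) findings for echo traffic that violates ping semantics."""
    findings = []
    pending = {}  # (requester, responder, id, seq) -> request still awaiting its reply
    for rec in sorted(records, key=lambda r: r["ts"]):
        payload = rec["payload"]
        if rec["type"] == ICMP_ECHO_REQUEST:
            pending[(rec["src"], rec["dst"], rec["id"], rec["seq"])] = rec
        elif rec["type"] == ICMP_ECHO_REPLY:
            req = pending.pop((rec["dst"], rec["src"], rec["id"], rec["seq"]), None)
            if req is None:
                findings.append((rec["src"], rec["dst"], "unsolicited echo reply"))
            elif req["payload"] != payload:
                findings.append((rec["src"], rec["dst"], "echo reply payload differs from request"))
        else:
            continue  # other ICMP types are out of scope for this check
        if len(payload) not in COMMON_PING_SIZES:
            findings.append((rec["src"], rec["dst"], f"uncommon echo payload length {len(payload)}"))
        if len(payload) >= 128 and shannon_entropy(payload) > 6.5:
            findings.append((rec["src"], rec["dst"], "high-entropy echo payload"))
    return findings


if __name__ == "__main__":
    for src, dst, reason in analyze(constructed_records()):
        print(f"{src} -> {dst}: {reason}")
```

The request/reply pairing is the strongest of the four signals, because it follows from protocol semantics rather than from a tunable threshold; the size and entropy heuristics mainly help rank which peer pairs to inspect first, and the entropy check is deliberately restricted to larger payloads since short byte strings cannot reach a high entropy value either way.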
While the targeting of the malware and the use of some common exploits — such as the ProxyShell exploit, which has been actively used for more than a year — are similar to existing groups, other aspects of the attack are unique, Passilly says.
"We have not seen any code similarity with already known malware for now," he says. "This means they have exclusivity over malicious software, either because they make it themselves or they buy it from a closed source; hence, they have the ability to change and improve their tools. Considering their appetite for stealthiness and their targeting, their activity must be tracked."
While the Worok group has aspects that resemble TA428, a Chinese group that has run cyber-operations against nations in the Asia-Pacific region, the evidence is not strong enough to attribute the attacks to the same group, ESET says. The two groups may share tools and have common goals, but they are distinct enough that their operators are likely different, Passilly says.
"[W]e have observed a few common points with TA428, especially the usage of ShadowPad, similarities in the targeting, and their activity times," he says. "These similarities are not that significant; therefore we link the two groups with low confidence."
For companies, the advisory is a warning that attackers continue to innovate, Passilly says. Companies should track the behavior of cyber-espionage groups to understand when their industry might be targeted by attackers.
"The first and most important rule to protect against cyberattacks is to keep software updated in order to reduce the attack surface, and use multiple layers of protections to prevent intrusions," Passilly says.
