ESET details Worok cyberespionage group targeting Asian governments, corporations

ESET on Tuesday provided details about the Worok cyberespionage group, which develops its own tools and also leverages existing tools to compromise its targets. The firm believes the operators are after information stolen from their victims, since they focus on high-profile entities in Asia and Africa across the private and public sectors, with a particular emphasis on government entities.

Thibaut Passilly, ESET researcher

“Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence,” Thibaut Passilly, an ESET researcher, wrote in a blog post. “Their custom toolset includes two loaders – one in C++ and one in C# .NET – and one PowerShell backdoor.”

Passilly said that Worok’s toolset includes a C++ loader (CLRLoad), a PowerShell backdoor (PowHeartBeat), and a C# loader (PNGLoad) that uses steganography to extract hidden malicious payloads from PNG files. According to ESET’s telemetry, Worok has been active since late 2020 and remains active as of this writing, he adds.

In late 2020, Worok targeted governments and companies in multiple countries, including an East Asian telecommunications company, a Central Asian bank, a Southeast Asian maritime industry company, a Middle Eastern government entity, and a private company in southern Africa, according to Passilly. However, there was a significant break in observed operations from May last year to January this year. “But Worok activity returned in 2022-02, targeting an energy company in Central Asia and a public sector entity in Southeast Asia,” he adds.

During the ProxyShell vulnerability disclosure in early 2021, ESET observed activity from various APT groups. One of them shared characteristics with TA428, such as activity times, targeted verticals, and the use of ShadowPad. TA428 had targeted Mongolian organizations by relying on compromised Able Desktop installers and a compromise of the Able update system to deliver the HyperBro, Korplug, and Tmanger malware.

Passilly said that the rest of the toolset is very different: for example, TA428 took part in the Able Desktop compromise in 2020. “We consider that the links are not strong enough to consider Worok to be the same group as TA428, but the two groups might share tools and have common interests. We decided to create a cluster and named it Worok. The name was chosen after a mutex in a loader used by the group. Further activity with variants of the same tools was then linked to this group,” he adds. 

“While the majority of initial accesses are unknown, in some cases through 2021 and 2022, we have seen exploits used against the ProxyShell vulnerabilities,” Passilly said. “In such cases, typically, webshells have been uploaded after exploiting these vulnerabilities, in order to provide persistence in the victim’s network. Then the operators used various implants to gain further capabilities.”

Passilly also said that once access had been acquired, the operators deployed multiple publicly available tools for reconnaissance, including Mimikatz, EarthWorm, ReGeorg, and NBTscan, and then deployed their custom implants – a first-stage loader, followed by a second stage .NET loader (PNGLoad). “Unfortunately, we have not been able to retrieve any of the final payloads. In 2021, the first-stage loader was a CLR assembly (CLRLoad), while in 2022, it has been replaced, in most cases, by a full-featured PowerShell backdoor (PowHeartBeat) – both execution chains,” he adds. 

ESET also details PowHeartBeat, a full-featured backdoor written in PowerShell that is obfuscated using various techniques such as compression, encoding, and encryption. “Based on ESET telemetry, we believe PowHeartBeat replaced CLRLoad in more recent Worok campaigns as the tool used to launch PNGLoad.”

According to Passilly, PowHeartBeat encrypts its logs and additional configuration file content. It used HTTP for C&C communications until version 2.4 and then switched to ICMP; in both cases, the communication itself is not encrypted.

“Starting from version 2.4 of PowHeartBeat, HTTP was replaced by ICMP, sent packets having a timeout of six seconds and being unfragmented,” Passilly said. “Communication through ICMP is most likely a way to evade detection. There is no major change in versions 2.4 and later, but we noticed some modifications in the code,” he added.
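A defensive illustration of the ICMP channel described above (an added example, not ESET’s code and nothing from the Worok toolset): it parses raw ICMP echo messages and flags those whose body does not match the default Windows or iputils ping payload, which is the kind of check a network sensor can apply to spot plaintext data riding inside echo traffic. The sample packets are constructed inline; the IP-level fragmentation flag and the six-second timing mentioned in the article are left aside.

```python
import struct

# Baseline payloads: the 32-byte body Windows ping sends by default, and the
# iputils (Linux) pattern of an 8-byte timestamp followed by 0x10, 0x11, ...
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(payload: bytes, ident: int = 1, seq: int = 1, icmp_type: int = 8) -> bytes:
    """Build a raw ICMP echo request (type 8) or reply (type 0) with a valid checksum.
    Used here only to construct sample packets for the detector below."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def is_standard_ping_payload(payload: bytes) -> bool:
    """True if the body matches a well-known default ping payload."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    body = payload[8:]
    return 0 < len(body) <= 0xF0 and body == bytes(range(0x10, 0x10 + len(body)))

def inspect_icmp(packet: bytes) -> list:
    """Return findings for one raw ICMP message; an empty list means it looks like a normal ping."""
    findings = []
    if len(packet) < 8:
        return ["truncated"]
    icmp_type, _code, csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    if icmp_type not in (0, 8):
        findings.append("non_echo_type")
    # Recompute the checksum with the checksum field zeroed; a mismatch suggests tampering
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        findings.append("bad_checksum")
    standard = is_standard_ping_payload(payload)
    if not standard:
        findings.append("nonstandard_payload")
    # Readable text in the echo body is a sign of unencrypted data carried over ICMP
    if payload and not standard and all(32 <= b < 127 or b in b"\r\n\t" for b in payload):
        findings.append("printable_text_payload")
    return findings
```

In practice the function would be fed ICMP payloads extracted from a packet capture or sensor feed, and the findings correlated with the sending host and the volume of echo traffic.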

PowHeartBeat also has various capabilities, including command/process execution and file manipulation. 

The post also said that PNGLoad is the second-stage payload deployed by Worok on compromised systems and, according to ESET telemetry, loaded either by CLRLoad or PowHeartBeat. “While we don’t see any code in PowHeartBeat that directly loads PNGLoad, the backdoor has the capabilities to download and execute additional payloads from the C&C server, which is likely how the attackers have deployed PNGLoad on systems compromised with PowHeartBeat.” 

Passilly said that PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. “It is a 64-bit .NET executable – obfuscated with .NET Reactor – that masquerades as legitimate software.”

ESET said it could not obtain a sample [dot]png file used along with PNGLoad, but the way PNGLoad operates suggests that it should work with valid PNG files. “To hide the malicious payload, Worok uses Bitmap objects in C#, which only take pixel information from files, not the file metadata. This means that Worok can hide its malicious payloads in valid, innocuous-looking PNG images and thus hide in plain sight,” the post adds.

“While our visibility is limited, we hope that shedding light on this group will encourage other researchers to share information about this group,” Passilly concludes.

In April, ESET researchers published a detailed profile of the TA410 APT group, covering its modus operandi and toolset, including a new version of FlowCloud. The team also shed light on the very complex backdoor containing espionage capabilities. The TA410 cyberespionage umbrella group is loosely linked to APT10, known mostly for targeting U.S.-based organizations in the utility sector and diplomatic organizations in the Middle East and Africa.
