ESET researchers uncovered a previously unknown cyberespionage group they named Worok. The Worok group has attacked various "high-profile" public and private sector organizations in industries such as telecommunications, finance, shipping, energy, and defense. The targets are mainly in Asia, the Middle East and Africa.
To attack its targets, the Worok group develops its own cyberespionage tools while also leveraging existing ones. For example, the group has exploited ProxyShell vulnerabilities to gain initial access in some cases, while the PowHeartBeat backdoor it uses has various capabilities, including executing commands and processes and uploading and downloading files.
According to ESET telemetry, the Worok group has been active since at least 2020 and continues to be active today.
"We have strong suspicions that the malware operators are seeking to extract information from their victims because they are targeting high-profile companies in Asia and Africa, focusing on public and private organizations, with a particular emphasis on government agencies," says ESET researcher Thibaut Passilly, who spotted the Worok team.
In late 2020, Worok targeted governments and companies in several countries. From May 2021 to January 2022, it took a hiatus from its activities, but in February 2022 it returned and attacked:
• An energy company in Central Asia, and
• A public sector organization in Southeast Asia
"Although the information we have at this stage is limited, we hope that the publicity given to this group will encourage other researchers to share information," adds Passilly.
For more technical information about the Worok team, see the blog post "Worok: The big picture" at WeLiveSecurity.
Illustration of Worok's target areas and sectors
