ESET researchers uncovered a previously unknown cyberespionage group they named Worok. The Worok group has attacked various "high-profile" public and private sector organizations in industries such as telecommunications, finance, shipping, energy, and defense. The targets are mainly in Asia, the Middle East and Africa.
To attack their targets, the Worok group develops its own cyberespionage tools while also leveraging existing ones. In some cases the group has exploited ProxyShell vulnerabilities to gain initial access, and the PowHeartBeat backdoor it uses has several capabilities, including running commands and processes and uploading and downloading files.
According to ESET telemetry, the Worok group has been active since at least 2020 and continues to be active today.
"We have reasonable suspicions that the operators of this malicious software seek to extract information from their victims, because they focus on high-profile companies in Asia and Africa, targeting public and private organizations, with a particular emphasis on government bodies," says ESET researcher Thibaut Passilly, who identified the Worok group.
In late 2020, Worok targeted governments and companies in several countries. From May 2021 to January 2022 the group paused its activities, but in February 2022 it returned with attacks on:
• An energy company in Central Asia, and
• A public sector entity in Southeast Asia
"Although the information we have at this stage is limited, we hope that the publicity given to this group will encourage other researchers to share information," adds Passilly.
For more technical information about the Worok group, see the blogpost "Worok: The big picture" at WeLiveSecurity.
Illustration of Worok's target areas and sectors