Cybersecurity researchers at ESET have published a deep dive into the activities of a relatively new cyber-espionage group they dubbed “Worok.” Active since late 2020, the group is mainly focused on government organizations and high-profile firms in Asia, but also targets banks and telecommunication companies in the private sector.
Worok is using an assortment of tools, including a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files.
ESET notes in its report that while the majority of points of entry used by the hackers remain unknown, in some instances they observed threat actors exploiting the Microsoft Exchange ProxyShell critical vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and uploading web shells to maintain persistence on the victim’s system.
Once in the victim's network, the threat actors used publicly available tools, including Mimikatz (credential theft), EarthWorm and ReGeorg (tunnelling and proxying) and NBTscan (network reconnaissance), and then deployed their custom implants: a first-stage loader, followed by a second-stage .NET loader (PNGLoad).
“In 2021, the first-stage loader was a CLR assembly (CLRLoad), while in 2022 it has been replaced, in most cases, by a full-featured PowerShell backdoor (PowHeartBeat),” ESET said.
PowHeartBeat is a full-fledged backdoor written in PowerShell, obfuscated using various techniques such as compression, encoding, and encryption. The backdoor features various capabilities, including command/process execution and file manipulation, as well as the ability to download and execute additional payloads from a command and control server.
PNGLoad is yet another tool in Worok’s malware arsenal. It is the second-stage payload deployed on compromised systems and is loaded either by CLRLoad or by PowHeartBeat.
“PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-bit .NET executable – obfuscated with .NET Reactor – that masquerades as legitimate software,” the report reads.
ESET says they were not able to obtain a sample PNG file used along with PNGLoad, but the way PNGLoad operates suggests that it should work with valid PNG files. PNGLoad reads the image through C# Bitmap objects, which expose only the decoded pixel data and not the file’s metadata, so the payload has to be encoded in the pixel values themselves. In this way Worok can hide its malicious payloads in valid, innocuous-looking PNG images.
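To make the pixel-data point concrete, the following is an added example written for this article; it is not ESET's code and not Worok's PNGLoad. It assumes a least-significant-bit encoding with a 4-byte length header, which is an illustrative scheme chosen here and not a description of Worok's actual encoding. The tiny PNG writer and reader only handle 8-bit RGB images with filter type 0, which is all the constructed cover image uses. What it shows is the property the report relies on: the payload lives entirely in pixel values, so the stego file still passes signature and CRC checks, its metadata chunk is untouched, and a decoder that only hands back pixels (as C#'s Bitmap does) still recovers the hidden bytes.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, tag, body, CRC-32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def png_encode(width: int, height: int, rows: list) -> bytes:
    """Write an 8-bit RGB PNG. Each row is width*3 bytes; scanline filter 0 (None)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00constructed cover image")  # metadata, never touched
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_decode(data: bytes):
    """Parse an 8-bit RGB, unfiltered PNG back into rows, verifying every chunk CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r" % tag)
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is handled here")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3 + 1
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        rows.append(line[1:])
    return width, height, rows


def embed_lsb(rows: list, payload: bytes) -> list:
    """Hide len(payload)||payload in the least significant bit of each channel byte (assumed scheme)."""
    flat = bytearray(b"".join(rows))
    data = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(flat):
        raise ValueError("cover image too small for payload")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    stride = len(rows[0])
    return [bytes(flat[i:i + stride]) for i in range(0, len(flat), stride)]


def extract_lsb(rows: list) -> bytes:
    """Reverse embed_lsb: read the 4-byte length, then that many payload bytes."""
    flat = b"".join(rows)

    def read(offset_bits: int, n: int) -> bytes:
        out = bytearray()
        for k in range(n):
            v = 0
            for i in range(8):
                v = (v << 1) | (flat[offset_bits + k * 8 + i] & 1)
            out.append(v)
        return bytes(out)

    (n,) = struct.unpack(">I", read(0, 4))
    return read(32, n)


def max_channel_delta(a: list, b: list) -> int:
    """Largest per-byte change between two images; 1 means only LSBs were altered."""
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def demo() -> dict:
    """Round trip: constructed cover -> stego PNG -> CRC-checked decode -> payload."""
    width, height = 64, 64
    cover = []  # constructed gradient, not a real image
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row += bytes(((x * 4) & 0xFF, (y * 4) & 0xFF, 0x80))
        cover.append(bytes(row))
    payload = b"CONSTRUCTED SAMPLE: stand-in for a second-stage blob"  # not a real implant
    stego_png = png_encode(width, height, embed_lsb(cover, payload))
    _, _, rows = png_decode(stego_png)
    return {"recovered": extract_lsb(rows), "delta": max_channel_delta(cover, rows), "size": len(stego_png)}


if __name__ == "__main__":
    print(demo())
```

The takeaway for defenders is the one ESET draws: file-level checks (magic bytes, chunk CRCs, metadata scanning) cannot distinguish this image from a clean one, because nothing outside the pixel values changed. Detection has to come from the loader side (a .NET binary reading pixel data and handing the result to an execution API) or from statistical analysis of the pixel data itself, not from validating the PNG.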
“Worok is a cyberespionage group that develops its own tools, as well as leveraging existing tools, to compromise its targets. Stealing information from their victims is what we believe the operators are after because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities. Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence,” the researchers concluded.