Worok: the hacker gang that shakes governments, armies and banks

Researchers from the cybersecurity firm Eset recently discovered a new group of hackers using previously unknown tools. Named Worok, the group attacks governments and certain large companies in Asia, but also in the Middle East and in countries of southern Africa.

The group's first activities were detected at the beginning of 2021, around the time the ProxyShell vulnerabilities came to light. Its profile was then very close to that of another group, TA428, leaving the researchers unsure whether they were the same individuals. However, they were able to tell the two apart by the tools used and to identify the first Worok attacks, which took place at the end of 2020. “We consider that the ties are not strong enough to consider Worok to be the same group as TA428, but the two groups could share tools and have common interests,” the researchers indicated in their report.

A group active again since the beginning of the year

The group had an initial period of activity until May 2021, before pausing and reappearing in February this year, targeting an energy company in Central Asia and a public sector entity in South East Asia. In most cases Eset was unable to determine how the attackers got into the victims’ networks. In some cases, however, the attackers exploited the ProxyShell vulnerabilities. The hackers then implanted a web shell, in other words a script on the web server that lets them connect to the victim’s network at will.

The hackers use freely available tools to explore the compromised network, such as Mimikatz, EarthWorm, ReGeorg and NBTscan. They then install a first program to take control of the machines. In 2021 this was CLRLoad, which was replaced in 2022 by PowHeartBeat, a backdoor written in the PowerShell scripting language. Among other things, it can connect to a server to receive commands and download other programs.
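The two footholds described above, a web shell on the server and publicly available tooling run from it, are what a defender would look for in process-creation telemetry. The following is an added example, not code from the article or from Eset: a small triage rule run over constructed log lines. It flags the tools the article names by executable name (the file names are my assumption; attackers rename binaries freely, so this is weak evidence on its own) and, as a common web shell indicator that the article does not itself attribute to Eset, a shell spawned by a web server worker process such as w3wp.exe. The sample lines, host names and the hb.ps1 script path are all constructed.

```python
"""Added example, not code from the article or from ESET: a small triage rule
run over constructed process-creation log lines. It flags the publicly
available tools the article names and, as a common web shell indicator, a
shell spawned by a web server worker process (a heuristic assumed here, not
something the article attributes to ESET)."""
import re

# Tool names taken from the article. The executable names are assumptions:
# attackers rename binaries freely, so name matching alone is weak evidence.
KNOWN_TOOLS = {"mimikatz", "earthworm", "ew", "regeorg", "nbtscan"}
# Web server worker processes that should not normally be spawning shells.
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "php-fpm"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}

# Constructed sample telemetry in a simple key=value layout (not real logs).
SAMPLE_LOG = """\
ts=2022-02-01T09:10:00Z host=srv01 parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe"
ts=2022-02-01T09:12:31Z host=srv01 parent=w3wp.exe image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c dir"
ts=2022-02-01T09:13:05Z host=srv01 parent=cmd.exe image=C:\\Users\\Public\\nbtscan.exe cmd="nbtscan.exe"
ts=2022-02-01T09:15:40Z host=srv01 parent=w3wp.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell.exe -File C:\\Users\\Public\\hb.ps1"
ts=2022-02-01T09:20:00Z host=srv02 parent=services.exe image=C:\\Windows\\System32\\svchost.exe cmd="svchost.exe -k netsvcs"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def triage(log_text: str) -> list:
    """Return (timestamp, rule, detail) tuples for every line that matches."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        # Rule 1: executable name matches a tool the article lists.
        if image.rsplit(".", 1)[0] in KNOWN_TOOLS:
            hits.append((ev["ts"], "known-tool", image))
        # Rule 2: a web server worker launched a shell (web shell heuristic).
        if parent in WEB_WORKERS and image in SHELLS:
            hits.append((ev["ts"], "webserver-spawned-shell", f"{parent} -> {image}"))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
```

Against the constructed lines, the rule fires three times: the cmd.exe and powershell.exe children of w3wp.exe, and the nbtscan.exe execution. The parent-child rule is the more durable of the two, since it does not depend on the attacker keeping the tool's original file name.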

An activity that suggests information theft

In both cases, the program's only role is to load a second tool, PNGLoad. This one relies on steganography, hiding a message inside another message, to load the final malware: it loads a PNG image that contains hidden code. Eset's researchers were unable to recover the images in order to analyze them, but they are most likely perfectly valid images and therefore appear entirely harmless to the victim.

Without the PNG files, the researchers also do not know which final program was loaded, and therefore what the exact purpose of the activity was. However, the group's main objective appears above all to be espionage. “Given the profile of the targets and the tools we have seen deployed against these victims, we believe that Worok’s main objective is to steal information,” said the researchers.
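The point in the two paragraphs above is that an image carrying hidden code can still be a perfectly valid PNG, so format checks alone will not catch it. The following is an added example, not code from the article or from Eset, and it makes no claim about how PNGLoad actually hides its payload: it builds a constructed 8-bit grayscale PNG, verifies that a strict decoder (signature, chunk CRCs, decompression) accepts it, and then applies one simple statistical check, the compressibility of the least-significant-bit plane. The "payload" is simulated with pseudo-random bits, which reproduce the statistical footprint without embedding any data; the 0.5 threshold, the image size and the gradient content are all constructed values.

```python
"""Added example, not code from the article or from ESET: a PNG that carries a
payload in pixel least-significant bits is still a structurally valid image,
so signature and CRC checks pass. One defensive check is to test whether the
LSB plane still looks like image data. Pure standard library, 8-bit grayscale
only; the "payload" is simulated with pseudo-random bits."""
import random
import struct
import zlib

WIDTH, HEIGHT = 64, 64  # size of the constructed test image
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def write_png(pixels: list) -> bytes:
    """Encode a list of rows of 8-bit grayscale values as a minimal PNG."""
    h, w = len(pixels), len(pixels[0])
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 0, 0, 0, 0)  # depth 8, grayscale
    raw = b"".join(b"\x00" + bytes(row) for row in pixels)  # filter 0 rows
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(data: bytes) -> list:
    """Strict decoder: checks the signature and every chunk CRC, then
    decompresses the scanlines (filter type 0 only, as write_png emits)."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, idat, w, h = 8, b"", 0, 0
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        if ctype == b"IHDR":
            w, h, depth, color, *_ = struct.unpack(">IIBBBBB", body)
            if (depth, color) != (8, 0):
                raise ValueError("only 8-bit grayscale is handled here")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    rows = []
    for y in range(h):
        line = raw[y * (w + 1):(y + 1) * (w + 1)]
        if line[0] != 0:
            raise ValueError("unsupported scanline filter")
        rows.append(list(line[1:]))
    return rows


def lsb_compress_ratio(pixels: list) -> float:
    """Pack every pixel's LSB into bytes and measure how well zlib compresses
    them. Smooth image content leaves a structured, compressible plane;
    embedded data (or random bits) leaves one that barely compresses."""
    bits = [p & 1 for row in pixels for p in row]
    packed = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                   for i in range(0, len(bits), 8))
    return len(zlib.compress(packed, 9)) / len(packed)


def looks_like_lsb_payload(png: bytes, threshold: float = 0.5) -> bool:
    """True when the image decodes cleanly yet its LSB plane is incompressible.
    The threshold is a rough constructed value, not a calibrated one."""
    return lsb_compress_ratio(read_png(png)) > threshold


def smooth_image() -> list:
    """Constructed 'natural' content: a slow diagonal gradient."""
    return [[((x + y) // 4) & 0xFF for x in range(WIDTH)] for y in range(HEIGHT)]


def simulate_embedded_payload(pixels: list, seed: int = 1) -> list:
    """Stand-in for a hidden payload: replace each LSB with a pseudo-random bit.
    No real data is embedded; this only reproduces the statistical footprint."""
    rng = random.Random(seed)
    return [[(p & ~1) | rng.getrandbits(1) for p in row] for row in pixels]


if __name__ == "__main__":
    clean = write_png(smooth_image())
    stego = write_png(simulate_embedded_payload(smooth_image()))
    for name, png in (("clean", clean), ("stego", stego)):
        read_png(png)  # both parse without error: structurally valid
        print(name, round(lsb_compress_ratio(read_png(png)), 3),
              looks_like_lsb_payload(png))
```

Both files pass the strict decoder, which is the article's point about the images looking harmless; only the LSB statistic separates them. The caveat is that real photographs have noisy LSB planes, so their ratio sits much closer to 1 and this toy threshold would fire constantly. In practice the check is calibrated against a baseline of images from the same source, or replaced by the classical chi-square and RS steganalysis tests, and it is combined with the process telemetry (what read the image, what ran afterwards) rather than used on its own.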
