A cyberespionage group has targeted government agencies and big-name corporations throughout Asia since at least 2020, using the notorious ProxyShell vulnerabilities in Microsoft Exchange to gain initial access.
According to ESET, the crew it has dubbed as Worok may be associated with TA428, a similar group thought to be backed by China, that has been around since 2019.
Threat intelligence researchers with the cybersecurity software vendor saw activity from a range of advanced persistent threat (APT) groups in early 2021, after the disclosure of the ProxyShell (CVE-2021-34523) vulnerability, and one of those groups showed some similarities to TA428, such as common activity times, targeted verticals, and the use of ShadowPad, a backdoor used in a number of espionage campaigns.
However, other tools used by the group differed from those employed by TA428, a Chinese state-sponsored gang known for targeting organizations in East Asia and Russia and which also is referred to as Colorful Panda.
“We consider that the links are not strong enough to consider Worok to be the same group as TA428, but the two groups might share tools and have common interests,” Thibaut Passilly, a malware researcher at ESET, wrote in a report Tuesday. “We decided to create a cluster and named it Worok.”
The researchers then linked other attacks to Worok through the use of variants of the same tools, concluding that the group has been around since late 2020 and is still active now.
Worok’s toolset includes CLRLoad, a C++ loader; PowHeartBeat, PowerShell backdoor; and PNGLoad, a C# .NET loader that uses steganography – concealing a message in another message – to extract hidden malicious payloads from PNG files.
“Considering the targets’ profiles and the tools we’ve seen deployed against these victims, we think Worok’s main objective is to steal information,” Passilly wrote.
In late 2020, the group targeted a telecommunications company in East Asia, a bank in Central Asia, and a Southeastern Asia company in the maritime industry. There also was a government entity in the Middle East and a private company in southern Africa.
There then was a pause in Worok’s activity from May 2021 to January before it returned with attacks on an energy company in Central Asia and a public sector entity in Southeast Asia.
It’s unknown in most cases how the espionage group gains initial access into victims’ networks, although there are some instances in 2021 and 2022 where the ProxyShell flaws were exploited. In those cases, webshells were uploaded after exploiting the vulnerabilities to ensure persistence in the compromised networks.
Once in, the Worok operators use a variety of publicly available tools, such as Mimikatz, EarthWorm, ReGerog, and NBTscan, for reconnaissance, according to Passilly. Then the group deploys its custom malware, including a first-stage loader. Initially that was CLRLoad, a generic Window PE that is written in C++ and loads the next stage, PNGLoad, which must be a Common Language Runtime (CLR) assembly DLL file.
“That [PNGLoad] code is loaded from a file located on disk in a legitimate directory, presumably to mislead victims or incident responders into thinking it is legitimate software” by using steganograpahy, he wrote.
In the later attacks in 2022, PowHeartBeat, a full-featured backdoor written in PowerShell and used to obfuscate by such techniques as compression, encoding, and encryption, replaced CRLLoad. It also is used to launch PNGLoad.
In addition, PowHeartBeat encrypts logs and other configuration file content and can delete, rename, or move a file. It also communicates with the command-and-control (C2) server, initially over HTTP and later – with version 2.4 of PowHeartBeat – via ICMP. In both, the communication is not encrypted, according to Passilly.
However, it’s unclear what the final payload is, they wrote.
“We have not been able to obtain a sample .png file used along with PNGLoad, but the way PNGLoad operates suggests that it should work with valid PNG files,” Passilly wrote. “To hide the malicious payload, Worok uses Bitmap objects in C#, which only take pixel information from files, not the file metadata. This means that Worok can hide its malicious payloads in valid, innocuous-looking PNG images and thus hide in plain sight.”
ESET believes Worok is a cyberespionage group based on its high-profile targets in Asia and Africa and its emphasis on government entities. And while there may be a tie with TA428, the assessment is done with low confidence, he wrote.
Most recently, TA428 early this year was behind a series of cyberespionage attacks in Eastern Europe and Afghanistan. Kaspersky researchers said in a report last month that the group targeted industrial plants, research institutions, and government agencies in such countries as Belarus, Russia, and Ukraine. ®