Worok

Description

(ESET) ESET researchers recently found targeted attacks that used undocumented tools against various high-profile companies and local governments mostly in Asia. These attacks were conducted by a previously unknown espionage group that we have named Worok and that has been active since at least 2020. Worok’s toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files.

Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence.

Names

Name	Name-Giver
Worok	ESET

Country

China

Motivation

Information theft and espionage

First Seen

2020

Observed Sectors

Energy
Financial
Government
Telecommunications

Observed Countries

Botswana
Cambodia
China
Indonesia
Iran
Iraq
Japan
Kazakhstan
Kyrgyzstan
Laos
Lebanon
Malaysia
Mongolia
Myanmar
Namibia
North Korea
Oman
Philippines
Saudi Arabia
Singapore
South Africa
South Korea
Syria
Tajikistan
Thailand
Turkey
Turkmenistan
UAE
Uzbekistan
Vietnam
Yemen

Tools

CLRLoad
EarthWorm
Mimikatz
nbtscan
PNGLoad
PowHeartBeat
reGeorg

Information

https://www.welivesecurity.com/2022/09/06/worok-big-picture/

Other Information

Uuid

588255b4-4acf-45b0-a644-83bce3590e58

Last Card Change

2022-09-13

Threat Intelligence Garden

Explorer

Worok

Worok

Description

Names

Country

Motivation

First Seen

Observed Sectors

Observed Countries

Tools

Information

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks