New hacker group Worok targets companies, governments mostly in Asia: ESET Researchers

Last month, ESET researchers discovered a cyber espionage group known as Worok that used undisclosed tools to infiltrate a variety of high-profile companies and local governments in Asia, the Middle East, and Africa.
According to ESET’s researchers, Worok has been active since 2020 and is still active today. It mainly targets telecommunications, banking, shipping, energy, military, government, and public sector companies. Several victims were compromised by the Worok hackers in late 2020.
“We believe the malware operators are after information from their victims because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities,” said ESET researcher Thibaut Passilly, who discovered Worok.

There was a significant break in observed operations from May 2021 to January 2022, but Worok’s activity returned in February 2022, targeting an energy company in Central Asia and a public sector entity in Southeast Asia, according to the researchers.
The hacker group develops its own tools and leverages existing ones to compromise its targets. The group’s custom toolset includes CLRLoad, PNGLoad (a steganography loader), and PowHeartBeat. These toolkits are used to reconstruct malicious payloads hidden in PNG images using a method called steganography. What this means is a PNG image is sent to a victim, which when opened compromises their system. It can perform a variety of tasks, including uploading and downloading files, returning file metadata such as location, size, creation time, access time, and content, and deleting, renaming, and moving files.
“While our visibility at this stage is limited, we hope that putting the spotlight on this group will encourage other researchers to share information about this group,” added Passilly.
