
Researchers reported finding targeted attacks using undocumented tools and new obfuscation techniques against high-profile telecoms, banks and local governments mostly in Asia.

In a Tuesday blog post, ESET researchers said these attacks were conducted by a previously unknown espionage group they have named Worok that has been active since at least 2020.

The researchers said Worok’s toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files.

Thibaut Passilly, a malware researcher at ESET, explained that Worok has targeted multiple companies and public entities in various sectors all over the world. Passilly said his team believes that Worok’s main objective is to steal information, so any entity, public or private, could be a target.

“Their modus operandi is quite unique, considering the fact that they use obfuscation techniques along with tools that were previously undocumented,” Passilly said. “This means that they most likely can improve that toolset for further cyberattacks.”

It’s always interesting, if somewhat distressing, to see new APT groups deploying new tools, said Mike Parkin, senior technical engineer at Vulcan Cyber.

“While the Worok APT group is not entirely new, having been active for at least two years, and currently focused on targets in Asia, there’s no reason to assume that they won’t shift focus elsewhere,” Parkin said. “It’s also entirely possible another group will spawn from this one, which will have an entirely different agenda.”

Chuck Everette, director of cybersecurity advocacy at Deep Instinct, said what sets this new APT attack and toolset apart from earlier ones is that it is continuously evolving and employs some customized techniques not widely seen before. Everette said that while these attacks and tool techniques are not inimitable, they show that attackers are constantly innovating.

“Their technique for obfuscation and multiple new loaders is different enough where common cyber security solutions could miss these new threats without having to retrain and do manual feature extractions to catch the new techniques,” Everette said. “This means as these new threats come out, current solutions are not capable of preventing these new unknown threats without having to be retrained to recognize key patterns — which takes time, and is something that victims do not have the luxury of today. These types of threats should be a major concern for everyone since although the Worok cyber criminal group targets victims in Asia and Africa this week, it does not mean they couldn't switch targets elsewhere — or have not already done so.”

John Bambenek, principal threat hunter at Netenrich, added that the bar has been significantly lowered for advanced attackers. Bambenek said most do not need to develop many of their own tools, as they can reuse other malicious tools or live off the land.

“This also highlights the continuing utility of PowerShell for threat actors and the main takeaway should be the need for every organization to heavily restrict who and how PowerShell can be used, enable PowerShell auditing, and require any PowerShell script to get signed by a trusted key,” Bambenek said.
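
The three controls Bambenek names (restricting use, auditing, and signing) can be checked on a Windows host with a read-only script like the one below. This is an added example, not code from ESET or from anyone quoted in the article; the function names are hypothetical, and it assumes the controls are delivered through Group Policy at the standard registry locations.

```powershell
# Added example: read-only audit of the PowerShell controls discussed above.
# Function names are hypothetical; nothing on the host is changed.

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Standard Group Policy location for PowerShell logging settings.
    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\$Key"
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # policy not configured
    return $item.$Name
}

function Test-PowerShellHardening {
    $results = @()

    # 1. Auditing: script block, module and transcription logging.
    $logging = @(
        @{ Key = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
        @{ Key = 'ModuleLogging';      Name = 'EnableModuleLogging' },
        @{ Key = 'Transcription';      Name = 'EnableTranscripting' }
    )
    foreach ($l in $logging) {
        $v = Get-PolicyValue -Key $l.Key -Name $l.Name
        $results += [pscustomobject]@{
            Control = "Auditing: $($l.Key)"; Value = $v; Pass = ($v -eq 1)
        }
    }

    # 2. Signing: only a Group Policy (MachinePolicy) setting is counted,
    #    because lower scopes can be overridden for a single session.
    $policy = Get-ExecutionPolicy -Scope MachinePolicy
    $results += [pscustomobject]@{
        Control = 'Signing: MachinePolicy execution policy'; Value = $policy
        Pass    = ($policy -eq 'AllSigned')
    }

    # 3. Restriction: under application control (AppLocker/WDAC) a standard
    #    user's session runs in ConstrainedLanguage mode.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $results += [pscustomobject]@{
        Control = 'Restriction: session language mode'; Value = $mode
        Pass    = ($mode -eq 'ConstrainedLanguage')
    }

    return $results
}

Test-PowerShellHardening | Format-Table -AutoSize
```

An empty Value means the policy is not configured. Run the language mode check as a standard user, since that is the session the restriction is meant to constrain.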