Cybersecurity researchers at ESET have published a deep dive into the activities of a relatively new cyber-espionage group they dubbed “Worok.” Active since late 2020, the group is mainly focused on government organizations and high-profile firms in Asia, but also targets banks and telecommunication companies in the private sector.

ESET notes in its report that while the majority of points of entry used by the hackers remain unknown, in some instances the researchers observed the threat actors exploiting the Microsoft Exchange ProxyShell critical vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and uploading web shells to gain persistence on the victim’s system.

Worok uses an assortment of tools, including a C++ loader (CLRLoad), a PowerShell backdoor (PowHeartBeat), and a C# loader (PNGLoad) that uses steganography to extract hidden malicious payloads from PNG files.

Once in the victim's network, the threat actors used publicly available tools for reconnaissance, including Mimikatz, EarthWorm, ReGeorg, and NBTscan, and then deployed their custom implants: a first-stage loader, followed by a second stage.

“In 2021, the first-stage loader was a CLR assembly (CLRLoad), while in 2022 it has been replaced, in most cases, by a full-featured PowerShell backdoor (PowHeartBeat),” ESET said.

PowHeartBeat is a full-fledged backdoor written in PowerShell, obfuscated using various techniques such as compression, encoding, and encryption. The backdoor features various capabilities, including command/process execution and file manipulation, as well as the ability to download and execute additional payloads from a command and control server.

PNGLoad is yet another tool in Worok’s malware arsenal. It is the second-stage payload deployed on compromised systems and is loaded either by CLRLoad or by PowHeartBeat.