ESET Research uncovers new cyberespionage group Worok

  • ESET researchers have discovered a previously unknown cyberespionage group that they named Worok.
  • Worok has attacked various high-profile companies from the telecommunications, banking, maritime, energy, military, government, and public sectors. The targets are located mostly in Asia, but also in the Middle East and Africa.
  • Worok develops its own tools and leverages existing tools to compromise its targets. The group has used the infamous ProxyShell vulnerabilities to gain initial access in some cases. Its PowerShell backdoor PowHeartBeat has various capabilities, including command/process execution and uploading and downloading files. 

We believe the malware operators are after information from their victims because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities,” says ESET researcher Thibaut Passilly who discovered Worok.

Back in late 2020, Worok was targeting governments and companies in multiple countries, specifically:

  • A telecommunications company in East Asia
  • A bank in Central Asia
  • A maritime industry company in Southeast Asia
  • A government entity in the Middle East
  • A private company in southern Africa

There was a significant break in observed operations from May 2021 to January 2022, but Worok activity returned in February 2022, targeting:

  • An energy company in Central Asia
  • A public sector entity in Southeast Asia
  • While our visibility at this stage is limited, we hope that putting the spotlight on this group will encourage other researchers to share information about this group,” adds Passilly.