[MART] - Daily Diary #589 - Worok Targets High-Profile Entities
ctas-mat at appgate.com
ctas-mat at appgate.com
Tue Sep 6 22:47:11 UTC 2022
Hello,
I hope everyone is doing well!
Below is the entry for today.
09/06/2022 - Diary entry #589:
Recently, a previously unknown cyber espionage group active since at least 2020 and tracked as "Worok" was observed attacking multiple high-profile targets using undocumented tools. Worok has been targeting telecommunications, banking, maritime, and energy companies, as well as the military, government, and public sector entities in Asia, Africa, and the Middle East.
Named Worok after a mutex found in a loader, this group was then linked to more activity with variants of the same tools used by the China-linked TA428 APT group (a.k.a. Colourful Panda, BRONZE DUDLEY – mentioned on Daily Diary #254). Worok's malicious toolkit includes two loaders, a C++ loader known as CLRLoad and a C# loader called PNGLoad that help attackers hide malware payloads in PNG image files using steganography.
Although the group used ProxyShell exploits to gain initial access to their victims' networks, the initial access vector remains unknown for most of their breaches. For this reason, it is important to take into account its level of danger, since Worok develops its own tools and takes advantage of existing tools.
Kind Regards,
[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>
[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/> [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity> [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>
MART
Malware Analysis and Research Team
Appgate
E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220906/e8db6e60/attachment.htm>
More information about the MART
mailing list