The researchers dubbed the cyberespionage group “Worok” and say it’s been active since at least 2020, when it targeted an East Asia telecom, a Central Asia bank and a Southeast Asian maritime firm, among other public and private targets.
A “significant break in observed operations” took place between May 2021 and January 2022, the researchers said, but since then the group has homed in on a Central Asian energy company and a public sector entity in Southeast Asia.
The group’s activity is just the latest example of rampant cyberespionage activity targeting regional entities throughout Asia and Australia. In late August, joint research from Proofpoint and PwC Threat Intelligence exposed a Chinese effort to gather information on global heavy industry manufacturers and other targets associated with activity in the South China Sea. Russian defense entities have also been targeted by Chinese hackers in recent months, particularly in the wake of the Russian invasion of Ukraine.
According to ESET, the group employs at least three customized tools: a C++ loader, a PowerShell backdoor and a loader that uses steganography to extract payloads from images and execute them.
The researchers did not attribute the activity to a particular nation. They said the group may share tools and have common interests with TA428, which multiple independent security research teams have connected to China.
“Worok is a cyberespionage group that develops its own tools, as well as leveraging existing tools, to compromise its targets,” the researchers said. “Stealing information from their victims is what we believe the operators are after because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities.”