Headline
Worok Hackers Targeting Orgs, Govts in Asia, Middle East and Africa
By Deeba Ahmed Worok is primarily targeting organizations in banking, telecommunication, marine, military, energy, public sectors, and government in its current campaign. This is a post from HackRead.com Read the original post: Worok Hackers Targeting Orgs, Govts in Asia, Middle East and Africa
ESET telemetry has discovered a new malware campaign targeting local governments and high-profile organizations in Asia, the Middle East, and Africa.
In the recently discovered targeted attacks, undocumented tools are being used by a lesser-known cyberespionage group identified as Worok discovered by ESET researcher Thibaut Passilly.
This group has been active since 2020, when it targeted governments and organizations in multiple countries, including a telecom firm in East Asia, a bank in Central Asia, and a Southeast Asian maritime sector firm.
Worok is primarily targeting organizations in banking, telecommunication, marine, military, energy, public sectors, and government in its current campaign. The group claims to be a cyberespionage collective that develops its own tools and uses existing tools to compromise the target. Its custom toolset in 2021 included:
- CLRoad (a first-stage loader).
- PNGLoad (a second-stage loader).
- A full-featured PowHeartBeat backdoor written in PowerShell.
The backdoor can command and process execution and perform file manipulation.
Campaign Details
According to ESET’s research, attackers sometimes exploited the infamous ProxyShell vulnerability (CVE-2021-34523) discovered in 2021 to gain initial access. Malware operators are looking to obtain sensitive information from their targets as their focus has been on “high-profile entities in Asia and Africa,” and they have targeted both public and private sector firms. Besides, they are also focusing on government entities.
After gaining initial access, the operators deploy numerous publicly available tools for further infiltration, including EarthWorm, Mimikatz, NBTscan, and ReGeorg. Then they deploy their custom implants, including a first-stage loader followed by a second-stage .NET loader. The researchers could not identify the final payloads, ESET’s Thibaut Passilly wrote in a blog post.
After observing the Worok group’s activity in 2020, ESET noticed a break between May 2021 and January 2022, and then it resurfaced in February 2020, during which it targeted an energy firm in Central Asia and a public sector organization in Southeast Asia,
“While our visibility at this stage is limited, we hope that putting the spotlight on this group will encourage other researchers to share information about this group.”
ESET
- Nation-State Hackers Targeted Facebook – Meta
- Iranian hackers deface US government & African bank website
- Windows, Linux and macOS Hit by Chinese Iron Tiger APT Group
- US Warns Firms About North Korean Hackers Posing as IT Workers
- Indian APT exposes its Modus Operandi by infecting their own devices
Related news
Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023. "Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five
Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverage a chained attack similar to
By Waqas Going by the name of Witchetty; the hacker group is targeting countries in Africa and the Middle East. This is a post from HackRead.com Read the original post: Chinese Hackers Hiding Malware in Windows Logo
APT group Witchetty (aka LookingFrog) has exploited the ProxyShell and ProxyLogon vulnerabilities to gain initial access and deploy new custom cyber tools against government agencies and a stock exchange.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked
A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.
A relative newcomer to the ransomware scene, the BlackCat group quickly gained notoriety and may be associated with other APT groups like Conti and DarkSide.
The operators of the emerging cross-platform ransomware BianLian increased their command and control infrastructure this month, indicating an acceleration in their operational pace.
Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the avleonovcom and avleonovrus telegram channels. Therefore, if you want to read them earlier, subscribe to these channels. Alternative video link (for Russia): https://vk.com/video-149273431_456239097 What’s in this episode: Microsoft released a propaganda […]
While attackers continue to rely on older, unpatched vulnerabilities, many are jumping on new vulnerabilities as soon as they are disclosed.
The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers. The post IIS extensions are on the rise as backdoors to servers appeared first on Malwarebytes Labs.
By Deeba Ahmed Cobalt Mirage is an Irani threat group believed to be linked to the Iranian Cobalt Illusion threat group,… This is a post from HackRead.com Read the original post: Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US
Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates available. CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday – our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.