
Worok: The big picture | WeLiveSecurity

September 6, 2022

Focused mostly on Asia, this new cyberespionage group uses undocumented tools, including steganographically extracting PowerShell payloads from PNG files

ESET researchers recently found targeted attacks that used undocumented tools against various high-profile companies and local governments, mostly in Asia. These attacks were conducted by a previously unknown espionage group that we have named Worok and that has been active since at least 2020. Worok’s toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files.

Who is Worok?

During the ProxyShell (CVE-2021-34523) vulnerability disclosure in early 2021, we observed activity from various APT groups. One exhibited characteristics in common with TA428:

  • Activity times
  • Targeted verticals
  • Usage of ShadowPad

The rest of the toolset is very different: for example, TA428 took part in the Able Desktop compromise in 2020. We consider that the links are not strong enough to consider Worok to be the same group as TA428, but the two groups might share tools and have common interests. We decided to create a cluster and named it Worok. The name was chosen after a mutex in a loader used by the group. Further activity with variants of the same tools was then linked to this group. According to ESET’s telemetry, Worok has been active since late 2020 and is still active as of this writing.

Back in late 2020, Worok was targeting governments and companies in multiple countries, specifically:

  • A telecommunications company in East Asia
  • A bank in Central Asia
  • A maritime industry company in Southeast Asia
  • A government entity in the Middle East
  • A private company in southern Africa

There was a significant break in observed operations from 2021-05 to 2022-01, but Worok activity returned in 2022-02, targeting:

  • An energy company in Central Asia
  • A public sector entity in Southeast Asia

Figure 1 presents a visual heatmap of the targeted regions and verticals.

Figure 1. Map of the targeted regions and verticals

Considering the targets’ profiles and the tools we’ve seen deployed against these victims, we think Worok’s main objective is to steal information.

Technical analysis

While the majority of initial accesses are unknown, in some cases through 2021 and 2022 we have seen exploits used against the ProxyShell vulnerabilities. In such cases, webshells were typically uploaded after exploiting these vulnerabilities, in order to provide persistence in the victim’s network. The operators then used various implants to gain further capabilities.

Once access had been obtained, the operators deployed multiple publicly available tools for reconnaissance, including Mimikatz, EarthWorm, ReGeorg, and NBTscan, and then deployed their custom implants: a first-stage loader, followed by a second-stage .NET loader (PNGLoad). Unfortunately, we have not been able to retrieve any of the final payloads. In 2021, the first-stage loader was a CLR assembly (CLRLoad), while in 2022 it has been replaced, in most cases, by a full-featured PowerShell backdoor (PowHeartBeat) – both execution chains are depicted in Figure 2. These three tools are described in detail in the following subsections.

Figure 2. Worok compromise chains

CLRLoad: CLR assembly loader

CLRLoad is a generic Windows PE that we have seen in both 32- and 64-bit versions. It is a loader written in C++ that loads the next stage (PNGLoad), which must be a Common Language Runtime (CLR) assembly DLL file. That code is loaded from a file located on disk in a legitimate directory, presumably to mislead victims or incident responders into thinking it is legitimate software.

Some CLRLoad samples start by decoding the full path of the file whose content they will load as the next stage. These file paths are encoded with a single-byte XOR, with a different key in every sample. Decoded or cleartext, these file paths are absolute, with the following being those we have encountered:

  • C:\Program Files\VMware\VMware Tools\VMware VGAuth\xsec_1_5.dll
  • C:\Program Files\UltraViewer\msvbvm80.dll
  • C:\Program Files\Internet Explorer\Jsprofile.dll
  • C:\Program Files\WinRar\RarExtMgt.dll
  • C:\Program Files (x86)\Foxit Software\Foxit Reader\lucenelib.dll

Next, a mutex is created, and we’ve seen a different name in every sample. The loader checks for this mutex; if found, it exits, because the loader is already running. In one of the samples, the mutex Wo0r0KGWhYGO was encountered, which gave the group its name of Worok.

CLRLoad then loads a CLR assembly from the possibly decoded file path. As unmanaged code, CLRLoad achieves this via CorBindToRuntimeEx Windows API calls in 32-bit variants, or CLRCreateInstance calls in 64-bit variants.

PowHeartBeat: PowerShell backdoor

PowHeartBeat is a full-featured backdoor written in PowerShell, obfuscated using various techniques such as compression, encoding, and encryption. Based on ESET telemetry, we believe PowHeartBeat replaced CLRLoad in newer Worok campaigns as the tool used to launch PNGLoad.

The first layer of the backdoor code consists of multiple chunks of base64-encoded PowerShell code. Once the payload is reconstructed, it is executed via IEX. Once decoded, another layer of obfuscated code is executed, which we can see in Figure 3.

Figure 3. Excerpt of the decoded main function of the second layer of PowHeartBeat

The second layer of the backdoor first base64-decodes the next layer of its code, which is then decrypted with Triple DES (CBC mode). After decryption, this code is decompressed using the gzip algorithm, thus giving the third layer of PowerShell code, which is the actual backdoor. It is divided into two main parts: configuration, and handling of backdoor commands.

The main layer of backdoor code is also written in PowerShell and uses HTTP or ICMP to communicate with the C&C server. It works as depicted in Figure 4.

Figure 4. PowHeartBeat’s functioning

The configuration contains multiple fields, including version number, optional proxy configuration, and C&C address. Table 1 describes the meanings of the configuration fields in the different versions we have observed.

Table 1. Configuration field meanings

| Field name | Description |
|---|---|
| nouse / ikuyrtydyfg (other samples) | |
| ClientId | Client identifier, used for the following purposes: as a value when setting up the Cookie header for C&C communications; as a cryptographic artifact for sent data encryption. |
| Version | Version number of PowHeartBeat. |
| ExecTimes | Number of allowed execution attempts when issuing a RunCmd (command running) command. |
| UserAgent | User agent used for C&C communications. |
| Referer | Referer header used for C&C communications. |
| AcceptEncoding | Unused. |
| | Values used to construct the Cookie header for C&C communications. |
| UrlHttps | Protocol to use for C&C communications. |
| | URL, domain(s), or IP address used as the C&C server. If Domains is not empty, it is chosen instead of IPAddress. In other cases, IPAddress is taken. |
| UrlSendHeartBeat | URL path used when the backdoor asks the C&C server for commands. |
| UrlSendResult | URL path used when the backdoor sends the results of the command back to the C&C server. |
| GetUrl | Full URL, used by PowHeartBeat to request commands from the C&C server. It is the concatenation of the URL elements above. |
| PutUrl | Same as GetUrl but used to send the results of the command back to the C&C server. |
| currentPath | Unused. |
| ProxyEnableFlag | Flag indicating whether the backdoor must use a proxy or not in order to communicate with the C&C server. |
| Proxymsg | Address of the proxy to use if ProxyEnableFlag is set to $true. |
| Interval | Time in seconds that the script sleeps for between GET requests. |
| BasicConfigPath | Path to an optional configuration file containing UpTime, DownTime, DefaultInterval, and Domains. These values will be overridden if the file is present. |
| UpTime | Time of day from which the backdoor starts working, meaning it starts making GET requests to the C&C server. |
| DownTime | Time of day until which the backdoor can operate, meaning the time when it stops making requests to the C&C server. |
| DomainIndex | Index of the current domain name to use for communications with the C&C server. In case a request returns an error message different from 304 (“Not modified”), DomainIndex is increased. |
| SecretKey | Key used to decrypt/encrypt the configuration. Configuration is encrypted with multiple-byte XOR. |
| IfLog | Unused. |
| IfLogFilePath | Flag indicating whether logging is enabled. |
| logpath | Path of the log file. |
| ProxyFile | File path of the optional proxy configuration. If it is empty or not found in the file system, the backdoor retrieves the user’s proxy settings from the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer. |
| IfConfig | Flag indicating whether to use a configuration file. |

Figure 5 shows an example of the configuration extracted from a PowHeartBeat sample (SHA-1: 757ABA12D04FD1167528FDD107A441D11CD8C427).

Figure 5. Configuration example

Data encryption

PowHeartBeat encrypts logs and additional configuration file content.

Log file content is encrypted through multiple-byte XOR with a key specified in cleartext in the sample. Interestingly, clientId is used as a salt for the index into the key array. The key is a 256-byte array, which was identical in every sample that we encountered. Additional configuration file content is encrypted through multiple-byte XOR with the value from SecretKey as its key.

C&C communications

PowHeartBeat used HTTP for C&C communications until version 2.4, and then switched to ICMP. In both cases the communication is not encrypted.

In an infinite loop, the backdoor sends a GET request to the C&C server, asking for a command to issue. The encrypted reply is decrypted by the backdoor, which processes the command and writes the command output to a file whose content is then sent to the C&C server via a POST request.

The format of the GET requests is the following:

Note that the request is built using the eponymous configuration fields.

In the response from the C&C server, the third byte of the content is the command identifier that indicates the command to be processed by the backdoor. We’ll call it command_id. The remaining content of the response will be passed as an argument to the command that is processed. This content is encrypted with the algorithm shown in Figure 6, taskId being the value of the cookie named after CookieTaskId’s value from the configuration.

Figure 6. Request content data encryption algorithm

The response from the C&C server also contains another cookie, whose name is specified by the backdoor’s CookieTerminalId configuration variable. The value of this cookie is repeated in the POST request from the backdoor, and it must not be empty. After executing the backdoor command, PowHeartBeat sends the result as a POST request to the C&C server. The result is sent as a file whose name is .png.


Starting from version 2.4 of PowHeartBeat, HTTP was replaced by ICMP, with sent packets having a timeout of six seconds and being unfragmented. Communication through ICMP is most likely a way to evade detection.

There is no major change in versions 2.4 and later, but we noticed some modifications in the code:

  • PowHeartBeat sends a heartbeat packet at each loop that contains the string abcdefghijklmnopqrstuvwxyz, before requesting a command. This informs the C&C server that the backdoor is ready to receive commands.
  • Requests to get commands to be carried out by the backdoor contain the string abcdefghijklmnop.

Heartbeat packets have the format described in Figure 7.

Figure 7. Heartbeat packet layout

The difference between client ID and client flag is that client ID differs in every sample while client flag is the same in every sample that uses ICMP. heartbeat flag indicates that the backdoor is sending a heartbeat. The response from the C&C server has the format described in Figure 8.

Figure 8. C&C server response layout

flag here indicates whether there is a command to issue to the backdoor. Requests to get commands have the format described in Figure 9.

Figure 9. Layout for requests to get commands

Note that the backdoor’s ICMP mode allows receiving an unlimited amount of data, divided into chunks, and the variables data length, current position and total length are used to keep track of the transmitted data. Responses to these requests have the format described in Figure 10.

Figure 10. Layout of responses to requests for getting commands

As in HTTP responses, the command identifier is the third byte of data.

After seven consecutive ICMP replies with empty or inconsistently formatted content, transfers between the backdoor and C&C server are considered completed.

Regarding the requests to send the result of the issued command to the C&C server, server mode is changed to post mode, and the final string (abcdefghijklmnop) is replaced by the result data.
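The two marker strings above are the most stable network artifact of PowHeartBeat’s ICMP mode, so here is an added Python example (not ESET’s code and not from the article) that turns them into a detection: it parses raw IPv4/ICMP packets, verifies the ICMP checksum, and labels payloads carrying the heartbeat string or the command-request string. The packets are constructed inline; everything about the packet layout other than the two marker strings is an assumption.

```python
import struct
from typing import List, Optional, Tuple

# Marker strings that PowHeartBeat 2.4 and later places in its ICMP traffic (see above).
HEARTBEAT_MARKER = b"abcdefghijklmnopqrstuvwxyz"
COMMAND_REQUEST_MARKER = b"abcdefghijklmnop"
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header (checksum zeroed) and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(packet: bytes) -> Optional[dict]:
    """Return ICMP fields and payload of a raw IPv4 packet, or None if it is not ICMP."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        return None
    icmp = packet[(ver_ihl & 0x0F) * 4:total_len]
    if len(icmp) < 8:
        return None
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "checksum_ok": icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == csum,
        "payload": icmp[8:],
    }


def classify_payload(payload: bytes) -> Optional[str]:
    """Label a payload by the PowHeartBeat marker it carries. The heartbeat string is
    tested first because the command-request string is a prefix of it."""
    if HEARTBEAT_MARKER in payload:
        return "heartbeat"
    if COMMAND_REQUEST_MARKER in payload:
        return "command_request"
    return None


def scan(packets: List[bytes]) -> List[Tuple[str, str, str]]:
    """Scan raw IPv4 packets (e.g. read from a pcap) and return (src, dst, label) hits."""
    hits = []
    for pkt in packets:
        p = parse_ipv4_icmp(pkt)
        if p is None:
            continue
        label = classify_payload(p["payload"])
        if label is not None:
            hits.append((p["src"], p["dst"], label))
    return hits


def build_echo_request(src: str, dst: str, payload: bytes, seq: int = 1) -> bytes:
    """Build a constructed test packet (IP header checksum left zero; not validated above)."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, seq)
    hdr = hdr[:2] + struct.pack("!H", icmp_checksum(hdr + payload)) + hdr[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + hdr + payload


# Constructed sample traffic: two PowHeartBeat-style packets, a normal ping, and a TCP packet.
SAMPLE_PACKETS = [
    build_echo_request("10.0.0.5", "192.0.2.10", b"\x01\x00\x07" + HEARTBEAT_MARKER),
    build_echo_request("10.0.0.5", "192.0.2.10", b"\x01\x00\x07" + COMMAND_REQUEST_MARKER),
    build_echo_request("10.0.0.9", "10.0.0.1", bytes(range(0x08, 0x38))),
    b"\x45\x00\x00\x28" + b"\x00" * 5 + b"\x06" + b"\x00" * 30,
]
```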

Backdoor commands

PowHeartBeat has various capabilities, including command/process execution and file manipulation. Table 2 lists all commands supported by the various analyzed samples.

Table 2. PowHeartBeat command descriptions

| Name | Command identifier | Description |
|---|---|---|
| Cmd | 0x02 | Execute a PowerShell command. |
| Exe | 0x04 | Execute a command as a process. |
| FileUpload | 0x06 | Upload a file to the victim machine. File content is gzip-compressed. |
| FileDownLoad | 0x08 | Download a file from the victim machine, and return file path, file length, creation time, access times, and file content to the C&C server. |
| FileView | 0x0A | Get file information of a specific directory, namely: filenames, file attributes, last write times, file contents. |
| FileDelete | 0x0C | Delete a file. |
| FileRename | 0x0E | Rename or move a file. |
| ChangeDir | 0x10 | Change the current working location of the backdoor. |
| Info | 0x12 | Get a category of information according to the specified argument: “Basic info”: ClientId, Version, host name, IP addresses, explorer.exe version and size information, OS (architecture and flag indicating if the machine is a server), Interval, current directory, drive information (name, type, free space and total size), current time; “Time-Interval info”: Interval and current time; “Domain info”: decrypted configuration file content. |
| Config | 0x14 | Update the configuration file content and reload the configuration. |
| N/A | 0x63 | Backdoor exit. |

In case of errors on the backdoor side, the backdoor uses a specific command identifier 0x00 in the POST request to the C&C server, thus indicating an error occurred.

Note that before sending the information back to the C&C server, the data is gzip-compressed.

PNGLoad: Steganographic loader

PNGLoad is the second-stage payload deployed by Worok on compromised systems and, according to ESET telemetry, loaded either by CLRLoad or PowHeartBeat. While we don’t see any code in PowHeartBeat that directly loads PNGLoad, the backdoor has the capabilities to download and execute additional payloads from the C&C server, which is likely how the attackers have deployed PNGLoad on systems compromised with PowHeartBeat. PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-bit .NET executable – obfuscated with .NET Reactor – that masquerades as legitimate software. For example, Figure 11 shows the CLR headers of a sample masquerading as a WinRAR DLL.

Figure 11. Example of a fake WinRAR DLL

Once deobfuscated, only one class is present. In this class, there is a MainPath attribute containing the directory path the backdoor searches, including its subdirectories, for files with a .png extension, as shown in Figure 12.

Figure 12. .png file listing

Each .png file located by this search of MainPath is then checked for steganographically embedded content. First, the least-significant bit of each pixel’s R (red), G (green), B (blue), and A (alpha) values are fetched and assembled into a buffer. Should the first eight bytes of that buffer match the magic number seen in Figure 13 and the next eight-byte value, control, be non-null, the file passes PNGLoad’s steganographic content check. For such files, processing continues with the remainder of the buffer decrypted with a multiple-byte XOR, using the key stored in PNGLoad’s SecretKeyBytes attribute, and then the decrypted buffer is gzip-decompressed. The result is expected to be a PowerShell script, which is run immediately.

Figure 13. Format of buffer PNGLoad creates from processing .png files

Interestingly, operations performed by PNGLoad are logged in a file whose path is stored in the variable LogFilePath. Operations are only logged if a file is present whose path is specified by the internal variable IfLogFilePath.

We have not been able to obtain a sample .png file used together with PNGLoad, but the way PNGLoad operates suggests that it should work with valid PNG files. To hide the malicious payload, Worok uses Bitmap objects in C#, which only take pixel information from files, not the file metadata. This means that Worok can hide its malicious payloads in valid, innocuous-looking PNG images and thus hide in plain sight.
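The extraction pipeline described above, reconstructed as an added Python example for triaging candidate images (this is not PNGLoad’s code and not from the article): it assembles the per-channel least-significant bits into a buffer, applies the magic/control check, XOR-decrypts the remainder with a multiple-byte key and gzip-decompresses it. The magic value, SecretKeyBytes, the bit order within a byte and the endianness of control are placeholders or assumptions, since the article does not reproduce them; the pixel data is constructed.

```python
import gzip
import random
import zlib
from typing import Iterable, Optional, Sequence

# Constructed placeholders: the real magic value (Figure 13) and SecretKeyBytes are not
# reproduced here; substitute the values recovered from the sample under analysis.
MAGIC = b"\x00MAGIC!\x00"                  # 8-byte placeholder
SECRET_KEY_BYTES = bytes(range(0x10, 0x30))  # placeholder multiple-byte XOR key


def lsb_stream(pixels: Iterable[Sequence[int]]) -> bytes:
    """Take the least-significant bit of each pixel's R, G, B and A value, in that
    order, and pack the bits MSB-first into bytes (the bit order is an assumption)."""
    out, acc, nbits = bytearray(), 0, 0
    for px in pixels:
        for channel in px[:4]:
            acc, nbits = (acc << 1) | (channel & 1), nbits + 1
            if nbits == 8:
                out.append(acc)
                acc, nbits = 0, 0
    return bytes(out)


def xor_multi(data: bytes, key: bytes) -> bytes:
    """Repeating-key (multiple-byte) XOR, the scheme the article attributes to PNGLoad."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_payload(buf: bytes, key: bytes = SECRET_KEY_BYTES) -> Optional[bytes]:
    """Apply PNGLoad's checks and transforms to an LSB buffer.

    Returns the embedded script, or None when the buffer fails the magic/control
    check or does not decompress, i.e. when the image carries nothing."""
    if len(buf) < 16 or buf[:8] != MAGIC:
        return None
    control = int.from_bytes(buf[8:16], "little")   # endianness assumed
    if control == 0:
        return None
    body = xor_multi(buf[16:], key)
    # wbits=31 parses the gzip framing and stops at the end of the member, so the
    # unused image bits that follow the payload do not break decompression.
    d = zlib.decompressobj(wbits=31)
    try:
        script = d.decompress(body)
    except zlib.error:
        return None
    return script if d.eof else None


def check_pixels(pixels: Sequence[Sequence[int]], key: bytes = SECRET_KEY_BYTES) -> Optional[bytes]:
    """Triage entry point: RGBA tuples (e.g. PIL Image.convert("RGBA").getdata()) in,
    embedded PowerShell script (or None) out."""
    return recover_payload(lsb_stream(pixels), key)


def embed_for_test(script: bytes, pixels: Sequence[Sequence[int]],
                   key: bytes = SECRET_KEY_BYTES) -> list:
    """Produce constructed test pixels carrying a payload in the layout PNGLoad expects."""
    buf = MAGIC + (1).to_bytes(8, "little") + xor_multi(gzip.compress(script), key)
    bits = [(byte >> (7 - i)) & 1 for byte in buf for i in range(8)]
    flat = [c for px in pixels for c in px[:4]]
    if len(bits) > len(flat):
        raise ValueError("not enough pixels to carry the payload")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & ~1) | bit
    return [tuple(flat[i:i + 4]) for i in range(0, len(flat), 4)]


def _random_pixels(n: int, seed: int = 7) -> list:
    rng = random.Random(seed)
    return [tuple(rng.randrange(256) for _ in range(4)) for _ in range(n)]


CLEAN_PIXELS = _random_pixels(300)                           # constructed clean image
SAMPLE_SCRIPT = b"Write-Output 'constructed sample payload'"
STEGO_PIXELS = embed_for_test(SAMPLE_SCRIPT, CLEAN_PIXELS)   # constructed carrier image
```

To run it over a real file, pass list(Image.open(path).convert("RGBA").getdata()) from Pillow to check_pixels after substituting the magic value and key from the sample.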


Worok is a cyberespionage group that develops its own tools, as well as leveraging existing tools, to compromise its targets. Stealing information from their victims is what we believe the operators are after, because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities. Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence. Their custom toolset includes two loaders – one in C++ and one in C# .NET – and one PowerShell backdoor. While our visibility is limited, we hope that shedding light on this group will encourage other researchers to share information about this group.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected]

ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.




File Paths

Some of the MainPath, LogFilePath and IfLogFilePath values that we encountered in PNGLoad samples:

| MainPath | LogFilePath | IfLogFilePath |
|---|---|---|
| C:\Program Files\VMware\VMware Tools | C:\Program Files\VMware\VMware Tools\VMware VGAuth\readme.txt | C:\Program Files\VMware\VMware Tools\VMware VGAuth\VMWSU_V1_1.dll |
| C:\Program Files\WinRar | C:\Program Files\WinRar\rarinstall.log | C:\Program Files\WinRar\des.dat |
| C:\Program Files\UltraViewer | C:\Program Files\UltraViewer\CopyRights.dat | C:\Program Files\UltraViewer\uvcr.dll |


Domain IP
None 118.193.78[.]22
None 118.193.78[.]57[.]company 5.183.101[.]9
central.suhypercloud[.]org 45.77.36[.]243


In CLRLoad samples, the mutex names that we encountered are:


A full list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.

MITRE ATT&CK techniques

This table was built using version 11 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Reconnaissance | T1592.002 | Gather Victim Host Information: Software | PowHeartBeat gathers explorer.exe’s information. |
| | T1592.001 | Gather Victim Host Information: Hardware | PowHeartBeat gathers information about drives. |
| | T1590.005 | Gather Victim Network Information: IP Addresses | PowHeartBeat gathers IP addresses of the compromised computer. |
| Resource Development | T1583.004 | Acquire Infrastructure: Server | Worok uses its own C&C servers. |
| | T1588.002 | Obtain Capabilities: Tool | Worok deployed multiple publicly available tools on the compromised machines. |
| | T1583.001 | Acquire Infrastructure: Domains | Worok has registered domains to facilitate C&C communication and staging. |
| | T1588.005 | Obtain Capabilities: Exploits | Worok has used the ProxyShell vulnerability. |
| | T1587.001 | Develop Capabilities: Malware | Worok has developed its own malware: CLRLoad, PNGLoad, PowHeartBeat. |
| | T1587.003 | Develop Capabilities: Digital Certificates | Worok has created Let’s Encrypt SSL certificates in order to enable mutual TLS authentication for malware. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowHeartBeat is written in PowerShell. |
| Persistence | T1505.003 | Server Software Component: Web Shell | Worok uses the webshell ReGeorg. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Worok uses various custom XOR-based schemes to encrypt strings and logs in PowHeartBeat, PNGLoad, and CLRLoad. |
| | T1036.005 | Masquerading: Match Legitimate Name or Location | PNGLoad samples are deployed in legitimate-looking VMWare directories. |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Worok uses Mimikatz to dump credentials from LSASS memory. |
| Discovery | T1082 | System Information Discovery | PowHeartBeat gathers OS information. |
| | T1083 | File and Directory Discovery | PowHeartBeat can list files and directories. |
| | T1046 | Network Service Discovery | Worok uses NbtScan to obtain network information on compromised machines. |
| | T1124 | System Time Discovery | PowHeartBeat gathers the victim’s time information. |
| Collection | T1005 | Data from Local System | PowHeartBeat gathers data from the local system. |
| | T1560.002 | Archive Collected Data: Archive via Library | PowHeartBeat gzip-compresses data before sending it to the C&C server. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Some PowHeartBeat variants use HTTP as the communication protocol with the C&C server. |
| | T1090.001 | Proxy: Internal Proxy | PowHeartBeat handles proxy configuration on the victim’s machine. |
| | T1001.002 | Data Obfuscation: Steganography | PNGLoad extracts pixel values from .png files to reconstruct payloads. |
| | T1573.002 | Encrypted Channel: Asymmetric Cryptography | PowHeartBeat handles HTTPS communications with the C&C server. |
| | T1095 | Non-Application Layer Protocol | Some PowHeartBeat variants use ICMP as the communication protocol with the C&C server. |
| | T1132.001 | Data Encoding: Standard Encoding | Worok uses XOR encoding in PowHeartBeat and PNGLoad. |
| | T1132.002 | Data Encoding: Non-Standard Encoding | Worok uses XOR encoding algorithms that make use of an additional salt. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | PowHeartBeat uses its C&C communication channel to exfiltrate information. |
