Worok: A cyber espionage group that specifically targets Asian entities

ESET researchers have discovered a new attack group, Worok, which has been active since 2020. The toolset used by Worok includes a loader written in C++ called CLRLoad, a backdoor written in PowerShell called PowHeartBeat, and a loader written in C# called PNGLoad; the attackers use steganography to extract payloads hidden in PNG files.

Worok

During the ProxyShell (CVE-2021-34523) vulnerability disclosure in early 2021, researchers discovered exploitation campaigns by various APT groups. One of these groups was found to share the following characteristics with TA428:

Activity time

Target Industry

Use of ShadowPad

The rest of the toolset is quite different, however, so the analysts concluded there was insufficient evidence that Worok shares TA428's affiliation and identified it as a new attack group. According to ESET telemetry, Worok has been active since late 2020.

At the end of 2020, Worok targeted governments and companies in multiple countries for attacks, specifically:

A telecommunications company in East Asia

A bank in Central Asia

A shipping company in Southeast Asia

A government unit in the Middle East

A private company in South Africa

From May 2021 to January 2022, the attackers entered a quiet period. Worok resurfaced in February 2022, attacking:

An energy company in Central Asia

A public sector company in Southeast Asia

The image below shows a visualization of the impact of the attack:

[Figure: Attack map]

Based on their analysis, researchers believe Worok’s main goal was to steal secrets.

Technical Analysis

The attackers exploited the ProxyShell vulnerability to upload a webshell, which gave them persistence and a foothold for the subsequent attack stages.

After gaining access, the attackers deployed several publicly available reconnaissance tools such as Mimikatz, EarthWorm, ReGeorg, and NBTscan, followed by their custom two-stage payload; the final payload was not recovered. In 2021 the first-stage loader was CLRLoad, while in 2022 it was replaced by the full-featured PowerShell backdoor PowHeartBeat.

The execution chain looks like this:

[Figure: Two execution chains]

CLRLoad

CLRLoad is a loader written in C++ that loads the next-stage PNGLoad sample. It is a DLL that exists in both 32-bit and 64-bit versions. The samples are also placed in, and loaded from, the directories of legitimate software so that they appear to be legitimate components.

CLRLoad looks up the full path of the file to load; the path is single-byte XOR encoded, with a different key in each sample. Some of the observed paths are:

C:\Program Files\VMware\VMware Tools\VMware VGAuth\xsec_1_5.dll

C:\Program Files\UltraViewer\msvbvm80.dll

C:\Program Files\Internet Explorer\Jsprofile.dll

C:\Program Files\WinRar\RarExtMgt.dll

C:\Program Files (x86)\Foxit Software\Foxit Reader\lucenelib.dll

A mutex used by the sample is named Wo0r0KGWhYGO, which is where the group's name, Worok, comes from.

PowHeartBeat

PowHeartBeat is a full-featured backdoor written in PowerShell that is obfuscated using compression, encoding, and encryption. According to ESET telemetry, PowHeartBeat recently replaced CLRLoad as the tool used to launch PNGLoad.

The first layer of code consists of multiple blocks of base64-encoded PowerShell code, which are reassembled into the payload and executed via IEX (Invoke-Expression). After decoding, another layer of obfuscated code is executed, as shown below:

[Figure: PowerShell code]

The second layer first base64-decodes the next layer of code and then decrypts it with Triple DES in CBC mode. After decryption, the result is gzip-decompressed to obtain the third layer of PowerShell code, which is the actual backdoor.

The backdoor uses HTTP or ICMP to communicate with the C&C server, as shown below:

[Figure: How it works]

Configuration

There are a number of optional fields in the configuration, as follows:

| Field name | Description |
| --- | --- |
| nouse | Not used |
| ClientId | Client ID |
| Version | Version number |
| ExecTimes | Number of command execution attempts |
| UserAgent | User-Agent for C&C communication |
| Referer | Referer for C&C communication |
| AcceptEncoding | Not used |
| CookieClientId/CookieTaskId/CookieTerminalId | Cookies for C&C communication |
| UrlHttps | Protocol for C&C communication |
| UrlDomain/IPAddress/Domains | Addresses used for C&C communication |
| UrlSendHeartBeat | URL path for C&C communication |
| UrlSendResult | URL path for C&C communication |
| GetUrl | Full URL |
| PutUrl | Full URL |
| currentPath | Not used |
| ProxyEnableFlag | Whether to enable the proxy |
| Proxymsg | Proxy address |
| Interval | Request interval |
| BasicConfigPath | Basic configuration path |
| UpTime | Start running time |
| DownTime | Downtime |
| DomainIndex | Current domain name used for C&C communication |
| SecretKey | Key used for encryption and decryption |
| IfLog | Not used |
| IfLogFilePath | Whether to enable logging |
| logpath | Log file path |
| ProxyFile | Proxy configuration file path |
| IfConfig | Whether to enable the configuration file |

The extracted configuration from the PowHeartBeat sample looks like this:

```powershell
$Script:nouse = 100;
if(Test-Path $MyInvocation.MyCommand.Path){Remove-item $MyInvocation.MyCommand.Path -Force;}
$Script:ClientId = "83";
$Script:Version = "2.1.3.0003";
$Script:ExecTimes = 10;
$Script:UserAgent = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3487.100 Safari/537.36";
$Script:Referer = "www.adobe.com";
$Script:AcceptEncoding = "text/html,app1ication/xhtml + xml,app1ication/xml;q=0.9,*/*;q=0.8";
$Script:CookieClientId = "s_ecid";
$Script:CookieTaskId = "aam_uuid";
$Script:CookieTerminalId = "AAMC_adobe_0";
$Script:UrlHttps = "http://";
$Script:UrlDomain = "118.193.78[.]22:443";
$Script:UrlSendHeartBeat = "/latest/AdobeMessagingClient.js";
$Script:UrlSendResult = "/content/dam/offers-homepage/homepage.jpg";
$Script:GetUrl = $Script:UrlHttps + $Script:UrlDomain + $Script:UrlSendHeartBeat;
$Script:PutUrl = $Script:UrlHttps + $Script:UrlDomain + $Script:UrlSendResult;
$Script:currentPath = Split-Path -Parent $MyInvocation.MyCommand.Definition;
$Script:ProxyEnableFlag = $false;
$Script:Proxymsg;
$Script:Interval = 10;
$Script:BasicConfigPath = "C:\ProgramData\unins.dat";
$Script:UpTime = 0;
$Script:DownTime = 24;
$Script:Domains;
$Script:DomainIndex;
$Script:SecretKey = "###ConfigKey###";
#$Script:IfLog = $true;
$Script:IfLogFilePath = "C:\ProgramData\tpncp.dat";
$Script:logpath = "C:\ProgramData\unins000.dat";
$Script:ProxyFile = "C:\ProgramData\hwrenalm.dat";
$Script:IfConfig = $false;
```

C&C Communications

PowHeartBeat used HTTP for C&C communication before version 2.4 and then switched to ICMP; neither channel is encrypted.

HTTP

The format of a GET request is as follows:

```http
GET <UrlSendHeartBeat> HTTP/1.1
User-Agent: <UserAgent>
Referer: <Referer>
Host: <Domain>
Cookie: <CookieClientId>=<ClientId>
Connection: close
```

The response carries the command to execute, identified by command_id. The response body is encrypted with the following XOR routine:

```powershell
# Key position starts at taskId mod 256 and advances by clientId for every byte
[int] $pos = $taskId % 256;
for ($i = 0; $i -lt $tmpBytes.Value.Length; $i++) {
    $pos = $pos + $clientId;
    if ($pos -ge 256) {
        $pos = $pos % 256;
    }
    # Each byte is XORed with the table entry selected by the current position
    $tmpBytes.Value[$i] = [byte]($tmpBytes.Value[$i] -bxor $hexEnc[$pos]);
}
```
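The following Python is an added example, not code from the ESET report or from the malware itself: it re-implements the XOR routine above so that an analyst can apply it to captured C&C response bodies. The $hexEnc table is assumed to be a 256-entry byte table; how the real sample derives it is not stated on this page, so HEX_ENC is a constructed stand-in, and the task id and plaintext used in the demo are constructed as well. The ClientId value 83 is taken from the configuration dump above.

```python
"""Re-implementation of PowHeartBeat's response XOR routine (added example).

Assumption: $hexEnc is a 256-entry byte table. Its real derivation is not
given here, so HEX_ENC is a constructed identity table used only to exercise
the algorithm; swap in the recovered table when decoding real traffic.
"""

# Constructed stand-in for the sample's $hexEnc table (identity permutation).
HEX_ENC = bytes(range(256))


def powheartbeat_xor(data: bytes, task_id: int, client_id: int,
                     hex_enc: bytes = HEX_ENC) -> bytes:
    """Apply PowHeartBeat's keystream XOR to data.

    Mirrors the PowerShell fragment: the key position starts at taskId % 256
    and advances by clientId (reduced mod 256) once per byte; each byte is
    XORed with hexEnc[pos]. XOR is symmetric, so one function both encrypts
    and decrypts.
    """
    if len(hex_enc) != 256:
        raise ValueError("hex_enc must hold exactly 256 entries")
    out = bytearray(len(data))
    pos = task_id % 256
    for i, b in enumerate(data):
        pos = (pos + client_id) % 256
        out[i] = b ^ hex_enc[pos]
    return bytes(out)


def keystream(length: int, task_id: int, client_id: int,
              hex_enc: bytes = HEX_ENC) -> bytes:
    """Return the raw keystream, i.e. what an all-zero buffer encrypts to.

    The keystream depends only on (taskId, clientId, position), never on the
    data, so this is a stream cipher whose period is at most 256 bytes.
    """
    return powheartbeat_xor(bytes(length), task_id, client_id, hex_enc)


def demo() -> bytes:
    """Round-trip a constructed response body with ClientId 83 (from the
    extracted configuration) and a constructed task id of 3."""
    plaintext = b"AB"
    task_id, client_id = 3, 83
    ciphertext = powheartbeat_xor(plaintext, task_id, client_id)
    # Decrypting with the same parameters must give the plaintext back.
    assert powheartbeat_xor(ciphertext, task_id, client_id) == plaintext
    return ciphertext


if __name__ == "__main__":
    print(demo().hex())  # 17eb with the constructed table
```

Because the keystream never depends on the data, a single known plaintext/ciphertext pair for a given task id and client id reveals the table entries that were used, which is why the key table, not the algorithm, is the part worth recovering from a sample.
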

ICMP

Starting with version 2.4 of PowHeartBeat, HTTP was replaced by ICMP, possibly as a way to evade detection.

The updated code has some minor modifications:

Before requesting a command, PowHeartBeat sends a heartbeat packet containing the string abcdefghijklmnopqrstuvwxyz in each loop to inform the C&C server that it is ready to receive commands.

The request for the command to execute contains the string abcdefghijklmnop.

The heartbeat packet is as follows:

[Figure: Heartbeat packet layout]

The difference between Client ID and Client Flag is that the Client ID differs from sample to sample, whereas the Client Flag is the same in every sample. The Heartbeat Flag indicates that the backdoor is sending a heartbeat packet. The response looks like this:

[Figure: Response layout]

The Flag here indicates whether a command has been issued. The request to obtain the command is as follows:

[Figure: Layout of the command request]

ICMP communication allows the backdoor to receive unlimited data, and the response to the request looks like this:

[Figure: Layout of the command response]

Like the HTTP response, the third byte in data is the command identifier.

C&C communication is considered complete after seven consecutive ICMP responses with empty or inconsistently formatted content.
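The following Python is an added example, not ESET's or the malware's code: a minimal IPv4/ICMP echo parser with a classifier for the two payload strings quoted in this section, of the kind a detection engineer would run over captured ICMP traffic. The packets are constructed for the demo (addresses, identifier and the bytes placed around the command-request string are all assumptions), and the classifier only recognises the strings this page names; it does not reproduce the field layouts shown in the figures. It also shows one caveat worth knowing: the default payload of the Windows ping utility contains abcdefghijklmnop as a substring, so that string alone is not a safe indicator.

```python
"""ICMP echo parser and PowHeartBeat payload classifier (added example)."""
import struct
from typing import List, Optional

HEARTBEAT = b"abcdefghijklmnopqrstuvwxyz"  # sent each loop before a command request
CMD_REQUEST = b"abcdefghijklmnop"          # contained in the command request
# Default 32-byte payload of the Windows ping utility. It contains CMD_REQUEST
# as a substring (so a naive rule would flag every Windows ping) but does not
# contain the full 26-letter HEARTBEAT string.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, icmp_type: int = 8) -> bytes:
    """Construct an IPv4 packet carrying an ICMP echo request (8) or reply (0).
    Addresses and identifier are constructed; the IP checksum is left at zero
    because the parser below does not validate it."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + icmp


def icmp_payload(packet: bytes) -> Optional[bytes]:
    """Return the payload of an ICMP echo/reply inside an IPv4 packet, or None
    if the packet is not ICMP echo traffic or fails basic sanity checks."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or total_len > len(packet):   # protocol 1 = ICMP
        return None
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 or icmp[0] not in (0, 8):
        return None
    if icmp_checksum(icmp) != 0:        # a valid checksum verifies to zero
        return None
    return icmp[8:]


def classify(payload: bytes) -> str:
    """Label a payload: known benign defaults first, then the backdoor strings."""
    if payload == WINDOWS_PING:
        return "benign-windows-ping"
    if HEARTBEAT in payload:
        return "powheartbeat-heartbeat"
    if CMD_REQUEST in payload:
        return "powheartbeat-command-request-candidate"
    return "other"


def scan(packets: List[bytes]) -> List[str]:
    """Classify every packet; non-ICMP-echo packets get their own label."""
    labels = []
    for pkt in packets:
        payload = icmp_payload(pkt)
        labels.append("not-icmp-echo" if payload is None else classify(payload))
    return labels


if __name__ == "__main__":
    sample = [
        build_icmp_echo(WINDOWS_PING),
        build_icmp_echo(HEARTBEAT),
        # Constructed framing around the command-request string (layout assumed).
        build_icmp_echo(b"\x01\x00\x00" + CMD_REQUEST + b"\x00\x00"),
        build_icmp_echo(b"\x08\x00" + b"\x00" * 54),
    ]
    for label in scan(sample):
        print(label)
```

In practice the heartbeat string is the stronger indicator, since a 26-letter alphabet never appears in the stock Windows or Linux ping payloads, while the shorter string should be combined with the surrounding field layout or with volume and timing (the backdoor beacons every loop) before alerting.
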

Backdoor commands

PowHeartBeat has a variety of functions, and the supported commands are as follows:

| Command | Identifier | Description |
| --- | --- | --- |
| Cmd | 0x02 | Execute PowerShell command |
| Exe | 0x04 | Execute program |
| FileUpload | 0x06 | Compress and upload files to the compromised host |
| FileDownLoad | 0x08 | Download files on the compromised host |
| FileView | 0x0A | Get file information of a specific directory |
| FileDelete | 0x0C | Delete files |
| FileRename | 0x0E | Rename/move file |
| ChangeDir | 0x10 | Change working directory |
| Info | 0x12 | Get information about the compromised host |
| Config | 0x14 | Update configuration file and reload |
| N/A | 0x63 | Program exit |

If an execution error occurs, the backdoor reports it with the specific command identifier 0x00 in a POST request to the C&C server.

PNGLoad

The second-stage payload is PNGLoad, which the PowHeartBeat backdoor downloads from the C&C server and executes. PNGLoad is a loader that reconstructs the payload to execute from bytes embedded in a PNG file.

The file is a 64-bit .NET executable, obfuscated with .NET Reactor and disguised as a WinRAR DLL.

[Figure: Forged file information]

Deobfuscation revealed that the file has only one class, with a MainPath property holding the directory in which the loader searches for files with the .png extension, as shown below.

[Figure: .png file list]

Each .png file found in MainPath carries steganographically embedded content. Using the SecretKeyBytes stored in a PNGLoad attribute, the loader performs a multi-byte XOR decryption of the remainder of the buffer and then gzip-decompresses the result. The output should be a PowerShell script, which is executed immediately.

[Figure: Image steganography]
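The following Python is an added example, not PNGLoad's code or ESET's: it performs the final decoding step described above (multi-byte XOR with SecretKeyBytes, then gzip decompression) on a buffer that has already been extracted from an image. The steganographic extraction itself is not reproduced. Because the text says only the "remainder of the buffer" is decrypted, a hypothetical 4-byte big-endian length header is assumed in front of the ciphertext; the key and the embedded script are constructed sample values.

```python
"""PNGLoad-style unpacking: repeating-key XOR, then gzip (added example).

Assumptions: the input is the buffer already lifted from the image; a 4-byte
big-endian length prefix is assumed before the ciphertext (the real header
format is not given here); key and script below are constructed.
"""
import gzip
from typing import Optional

HEADER_LEN = 4  # hypothetical size of the prefix that precedes the ciphertext


def multibyte_xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key (multi-byte) XOR; symmetric, so it encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_gzip(data: bytes) -> bool:
    """gzip streams start with the magic bytes 1f 8b. Checking them after the
    XOR is a cheap way to confirm the key before attempting decompression."""
    return data[:2] == b"\x1f\x8b"


def pngload_unpack(buffer: bytes, secret_key: bytes) -> Optional[str]:
    """Decrypt the remainder of the buffer with secret_key and gunzip it.
    Returns the embedded script, or None if the result is not gzip data."""
    length = int.from_bytes(buffer[:HEADER_LEN], "big")
    body = buffer[HEADER_LEN:HEADER_LEN + length]
    plain = multibyte_xor(body, secret_key)
    if not looks_like_gzip(plain):
        return None
    return gzip.decompress(plain).decode("utf-8")


def build_payload(script: str, secret_key: bytes) -> bytes:
    """Constructed inverse used for the demo: gzip, XOR, prepend length header."""
    blob = multibyte_xor(gzip.compress(script.encode("utf-8")), secret_key)
    return len(blob).to_bytes(HEADER_LEN, "big") + blob


# Constructed sample values (not taken from any real sample).
SECRET_KEY = b"SecretKeyBytes-constructed"
SCRIPT = "Write-Output 'constructed stage-3 script'"


def demo() -> Optional[str]:
    """Build a constructed buffer and recover the script from it."""
    return pngload_unpack(build_payload(SCRIPT, SECRET_KEY), SECRET_KEY)


if __name__ == "__main__":
    print(demo())
    print(pngload_unpack(build_payload(SCRIPT, SECRET_KEY), b"wrong-key"))
```

The gzip magic check is the same heuristic an analyst uses when recovering an unknown XOR key from a sample: with a repeating key, XORing the first bytes of the ciphertext against the expected 1f 8b header recovers the first two key bytes directly.
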

The operations performed by PNGLoad are logged to a file whose path is stored in the variable LogFilePath. Logging takes place only when the file specified by the internal variable IfLogFilePath exists.

Because of their limited view of the data, the researchers were unable to obtain sample .png files for use with PNGLoad. By hiding malicious payloads in harmless-looking PNG images, the attackers keep the malicious content hidden in plain sight.

Summary

Worok is an attack group that develops its own tools to compromise its targets. The attackers focus on government departments in Asia and Africa. Judging from the timing of the attacks and the toolset, there may be a link to TA428, but there is no reliable evidence for it.

IOC

ce1f6a25c0f5fbe1ee4616fe4bcdee30
8c09b80f28f444574719b5ff53ac4394
d3cdd49a55f062af46b8375ca3be9462
2cd5c4608e165e5e4f11dc00398913ed
017e8d89d7bab7f6f5cac0067faf69e7
aaa66fb6194f1c90be7519977d56945a
6d0deb9181031a75990867c1597aa01a
333cce11f50adff79ea193019d8f8905
8a043a6bf7dee520d05680a35db6c399
1cd36decbc8daf047501e5721558e2b7
37aa47031adac4de609650d7ae307145
e60da077ee9e2217feafa524b9ce522a
64f73627d91efe1a46e916c3095e7aa6
2aa84d8672fd472e6c206d80a56743ff
047cb0a376094509219c9f56359f92b9
072a94adb5db5b4717573d1a4874fa65
e4b34594383fa2ee452e55176f21571e
da1e5e96b8ad75580f7544639d9e46f2
d0893703f0f1ec10e59efff775044b6b
0c2ed7015a90cd1652cb172f6d03e214
2403cccd6a27437a9aa8f31af8b537c0
78E6BF7726C03F240A3A69FAE222BFBA
12F62B96F9F42BB484CE3DE5786D5999
118.193.78.22
118.193.78.57
5.183.101.9
45.77.36.243
airplane.travel-commercials.agency
central.suhypercloud.org

Reference sources

ESET

Digression

Many people who are new to the computer industry or graduates of computer-related majors from universities encounter difficulties in finding employment due to lack of practical experience. Let’s look at two sets of data:

The number of college graduates nationwide in 2023 is expected to reach 11.58 million, and the employment situation is grim;

Data released during the National Cyber Security Awareness Week show that by 2027, the shortage of cyber security personnel in China will reach 3.27 million.

On the one hand, the employment situation for fresh graduates is grim every year, and on the other hand, there is a shortage of one million cybersecurity talents.

On June 9, Max Research’s 2023 Employment Blue Book (including the “2023 China Undergraduate Employment Report” and “2023 China Higher Vocational Students Employment Report”) was officially released.

The top 10 majors with the highest monthly income for college graduates in 2022

Undergraduate computer majors and higher vocational automation majors have higher monthly incomes. The monthly incomes of the 2022 undergraduate computer majors and higher vocational automation majors are 6,863 yuan and 5,339 yuan respectively. Among them, the starting salary of undergraduate computer majors is basically the same as that of the 2021 class, and the monthly income of higher vocational automation majors has increased significantly. The 2022 class overtook the railway transportation major (5,295 yuan) to rank first.

Looking at the major specifically, the major with the highest monthly income for the 2022 undergraduate class is information security (7,579 yuan). Compared with the class of 2018, undergraduate majors related to artificial intelligence such as electronic science and technology and automation performed well, with starting salaries increasing by 19% compared to five years ago. Although data science and big data technology are new majors in recent years, they have performed well and have ranked among the top three majors with the highest monthly income for 2022 undergraduate graduates six months after graduation. French, the only humanities and social sciences major that entered the top 10 highest-paying undergraduates five years ago, has dropped out of the top 10.

“There is no national security without cybersecurity.” At present, network security has been elevated to the level of national strategy and has become one of the most important factors affecting national security and social stability.

Characteristics of the network security industry

1. Salaries are high and rise quickly. In 2022, Liepin.com reported that the network security industry had the highest salary of any industry, at 337,700 per capita.


2. There is a large talent gap and many employment opportunities

On September 18, 2019, the official website of the Central People's Government of the People's Republic of China published that China's demand for cyberspace security talent is 1.4 million, while universities across the country train fewer than 15,000 people a year. Liepin.com's "Cybersecurity Report for the First Half of 2021" predicts that demand for network security talent will reach 3 million in 2027. Currently, only 100,000 people work in the network security industry.

The industry has huge room for development and there are many jobs

Since the establishment of the network security industry, dozens of new network security industry positions have been added: network security experts, network security analysts, security consultants, network security engineers, security architects, security operation and maintenance engineers, penetration engineers, information security management Officer, data security engineer, network security operations engineer, network security emergency response engineer, data appraiser, network security product manager, network security service engineer, network security trainer, network security auditor, threat intelligence analysis engineer, disaster recovery professional , Practical attack and defense professionals…

Great career value-added potential

The network security major has strong technical characteristics, especially mastering the core network architecture and security technologies at work, which has an irreplaceable competitive advantage in career development.

As personal abilities continue to improve, the professional value of the work they do will also increase with the enrichment of their experience and the maturity of project operations, and the room for appreciation will continue to increase. This is the main reason why it is popular with everyone.

To a certain extent, in the field of network security, just like the medical profession, the older you get, the more popular you become. Because the technology becomes more mature, your work will naturally be taken seriously, and promotion and salary increases will come naturally.

Hacking & Cyber Security How to Learn

As long as you like my article today, my private network security learning materials will be shared with you for free. Come and see what is available.

1. Learning roadmap

[Figure: Learning roadmap]

There are a lot of things to learn about attack and defense. I have written down the specific things you need to learn in the road map above. If you can complete them, you will have no problem getting a job or taking on a private job.

2. Video tutorial

Although there are many learning resources on the Internet, they are basically incomplete. This is an Internet security video tutorial I recorded myself. I have accompanying video explanations for every knowledge point in the roadmap above.

The content covers the study of network security laws, network security operations and other security assessments, penetration testing basics, detailed explanations of vulnerabilities, basic computer knowledge, etc. They are all must-know learning contents for getting started with network security.

(They are all packaged into one piece and cannot be expanded one by one. There are more than 300 episodes in total)

Due to limited space, only part of the information is displayed. You need to click on the link below to obtain it.

If you are interested in getting started with network security, you can click here if you need it Big benefits of network security: Getting started & advanced full set of 282G learning resource package to share for free!

3. Technical documents and e-books

I also compiled the technical documents myself, including my experience and technical points in participating in large-scale network security operations, CTF, and digging SRC vulnerabilities. There are more than 200 e-books. Due to the sensitivity of the content, I will not display them one by one.


4. Toolkit, interview questions and source code

“If you want to do your job well, you must first sharpen your tools.” I have summarized dozens of the most popular hacking tools for everyone. The scope of coverage mainly focuses on information collection, Android hacking tools, automation tools, phishing, etc. Interested students should not miss it.

There is also the case source code and corresponding toolkit mentioned in my video, which you can take away if needed.

Finally, here are the interview questions about network security that I have compiled over the past few years. If you are looking for a job in network security, they will definitely help you a lot.

These questions are often encountered when interviewing Sangfor, Qi Anxin, Tencent or other major companies. If you have good questions or good insights, please share them.

Reference analysis: Sangfor official website, Qi’anxin official website, Freebuf, csdn, etc.

Content features: Clear organization and graphical representation to make it easier to understand.

Summary of content: Including intranet, operating system, protocol, penetration testing, security service, vulnerability, injection, XSS, CSRF, SSRF, file upload, file download, file inclusion, XXE, logical vulnerability, tools, SQLmap, NMAP, BP, MSF…
