Our fellow researchers from ESET published an article about previously undocumented tools infiltrating high-profile companies and local governments in Asia. The tools, active since at least 2020, are designed to steal data. ESET monitored a significant break in activity from to the beginning of 2022. Nevertheless, when Worok became active again, new targeted victims – including energy companies in Central Asia and public sector entities in Southeast Asia – were infected to steal data based on the types of the attacked companies.

The researchers from ESET described two execution chains and how victims' computers are compromised. The initial compromise is unknown, but the next stages are described in detail, including how the final payload is loaded and extracted via steganography from PNG files. However, the final payload has not been recovered yet. Detailed information about Worok, its chains, and its backdoor commands can be found in ESET's article Worok: The big picture.

Our analysis aims to extend the current knowledge of the ESET research. We have captured additional artifacts related to Worok at the end of the execution chain. The PNG files captured by our telemetry confirm that the purpose of the final payload embedded in them is data stealing. What is noteworthy is data collection from victims' machines using a Dropbox repository, as well as attackers using the Dropbox API for communication with the final stage.

We intend to remain consistent with the terminology set by ESET's research. Our research also has not discovered the whole initial compromise of the malware. However, we have a few new observations that can be part of the infiltration process.

Figure 1 illustrates the original compromise chain described by ESET. In some cases, the malware is supposedly deployed by attackers via the ProxyShell vulnerabilities. In some corner cases, exploits against the ProxyShell vulnerabilities were used for persistence in the victim's network. The attackers then used publicly available exploit tools to deploy their custom malicious kits. So, the final compromise chain is straightforward: the first stage is CLRLoader, which implements simple code that loads the next stage (PNGLoader), as reported by ESET.

This process tree was observed for WLBSCTRL.DLL, TSMSISrv.DLL, and TSVIPSrv.DLL. The common process that executes the DLLs is svchost -k netsvcs. Therefore, the initial process is SvcHost introducing a Windows service. The DLL files help us to identify two Windows services, namely IKE and AuthIP IPsec Keying Modules (IKEEXT) and Remote Desktop Configuration (SessionEnv).