📃Title: Worok: The big picture
📅Date: 2022-09-06
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer ESET
  • region="018 - Southern Africa"
  • region="030 - Eastern Asia"
  • region="035 - South-eastern Asia"
  • sector="Bank"
  • sector="Energy"
  • sector="Government, Administration"
  • sector="Maritime"
  • sector="Telecoms"
  • threat-actor TA428
  • threat-actor Worok
  • mitre-attack-pattern=['T1560.002', 'T1573.002', 'T1005', 'T1140', 'T1587.003', 'T1583.001', 'T1041', 'T1588.005', 'T1083', 'T1592.001', 'T1590.005', 'T1090.001', 'T1003.001', 'T1587.001', 'T1036.005', 'T1046', 'T1095', 'T1132.002', 'T1059.001', 'T1583.004', 'T1592.002', 'T1132.001', 'T1001.002', 'T1082', 'T1124', 'T1588.002', 'T1071.001', 'T1505.003']

MISP event uuid: e60b03e4-6fdb-44a6-b237-da64fc86ec53

Indicators of Compromise (IoCs)

type,value,comment
sha1,757aba12d04fd1167528fdd107a441d11cd8c427,'PowHeartBeat 2.1.3.0003. No sample in VT; last check 09/05/2025'
sha1,3a47185d0735cdecf4c7c2299eb18401bfb328d5,'PowHeartBeat 2.4.3.0003. No sample in VT; last check 09/05/2025'
sha1,27abb54a858ad1c1ff2863913bda698d184e180d,'PowHeartBeat 2.4.3.0003. No sample in VT; last check 09/05/2025'
sha1,678a131a9e932b9436241402d9727aa7d06a87e3,'PowHeartBeat 2.4.3.0003. No sample in VT; last check 09/05/2025'
sha1,54700a48d934676fc698675b4ca5f712c0373188,'PowHeartBeat 1.1.3.0002. No sample in VT; last check 09/05/2025'
sha1,c2f53c138cb1b87d8fc9253a7088db30b25389af,'PowHeartBeat 1.1.3.0002. No sample in VT; last check 09/05/2025'
sha1,c2f1954de11f72a46a4e823de767210a3743b205,'PowHeartBeat 2.4.3.0004. No sample in VT; last check 09/05/2025'
sha1,ce430a27df87a6952d732b4562a7c23bef4602d1,'PowHeartBeat 2.1.3.0004. No sample in VT; last check 09/05/2025'
sha1,ede5ab2b94ba85f28d5ee22656958e4ecd77b6ff,'PowHeartBeat 2.4.3.0003. No sample in VT; last check 09/05/2025'
sha1,4721eeba13535d1ee98654efce6b43b778f13126,'PNGLoader. No sample in VT; last check 09/05/2025'
sha1,728a6cb7a150141b4250659cf853f39bfdb7a46c,'PNGLoader. No sample in VT; last check 09/05/2025'
sha1,864e55749d28036704b6ea66555a86527e02af4a,'PNGLoader. No sample in VT; last check 09/05/2025'
sha1,8da6387f30c584b5fd3694a99ec066784209ca4c,'PNGLoader. No sample in VT; last check 09/05/2025'
sha1,aa60fb4293530fbff00d200c0d44eeb1a17b1c76,'PNGLoader. No sample in VT; last check 09/05/2025'
sha1,cdb6b1cafee098615508f107814179deaed1ebcf,'PNGLoader. No sample in VT; last check 09/05/2025'
sha1,4f9a43e6cf37ff20ae96e564c93898fda6787f7d,'CLRLoad. No sample in VT; last check 09/05/2025'
sha1,f181e87b0cd6aa4575fd51b9f868ca7b27240610,'CLRLoad. No sample in VT; last check 09/05/2025'
sha1,4ccf0386bde80c339efe0cc734cb497e0b08049c,'CLRLoad. No sample in VT; last check 09/05/2025'
sha1,5cfc0d776af023dcfe8eded5cada03c6d7f9c244,'CLRLoad. No sample in VT; last check 09/05/2025'
sha1,05f19ebf6d46576144276090cc113c6ab8ccec08,'CLRLoad. No sample in VT; last check 09/05/2025'
sha1,a5d548543d3c3037da67dc0da47214b2c2b15864,'CLRLoad. No sample in VT; last check 09/05/2025'
sha1,cbf42dcaf579af7e6055237e524c0f30507090f3,'CLRLoad. No sample in VT; last check 09/05/2025'
ip-dst,118.193.78.22,''
ip-dst,118.193.78.57,''
hostname,airplane.travel-commercials.agency,''
ip-dst,5.183.101.9,''
hostname,central.suhypercloud.org,''
ip-dst,45.77.36.243,''

Full IoCs available in Rectifyq's MISP
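The table above is only useful once it is loaded into something that can be matched against telemetry. The following is an added example, not code from the Rectifyq page, ESET, or MISP: it parses an excerpt of the IoC table in its raw export form (space after each comma, comment column in single quotes with a literal `\r\n`), normalises each indicator type for matching, and runs the result over a few constructed `key=value` log lines (the log format, the host name `ws-17`, the benign address 93.184.216.34 and the file path are all made up for the example). Only the `sha1`, `ip-dst` and `hostname` types present on this page are handled; any other type is rejected rather than silently ignored.

```python
"""Added example: load the page's IoC table and match it against sample telemetry."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Excerpt of the page's IoC table, embedded verbatim in raw MISP-export form so
# the example runs offline. "\\r\\n" below is the literal two-escape sequence
# that appears in the comment column, not a real line break.
IOC_CSV = """type,value,comment
sha1, 757aba12d04fd1167528fdd107a441d11cd8c427, 'PowHeartBeat 2.1.3.0003. No sample in VT\\r\\nLast check:09/05/2025'
sha1, 4721eeba13535d1ee98654efce6b43b778f13126, 'PNGLoader No sample in VT\\r\\nLast check:09/05/2025'
sha1, 4f9a43e6cf37ff20ae96e564c93898fda6787f7d, 'CLRLoad No sample in VT\\r\\nLast check:09/05/2025'
ip-dst, 118.193.78.22, ''
hostname, airplane.travel-commercials.agency, ''
ip-dst, 45.77.36.243, ''
"""

SHA1_RE = re.compile(r"[0-9a-f]{40}")
KV_RE = re.compile(r"(\w+)=(\S+)")  # constructed key=value log format, not a real product's


def parse_iocs(text):
    """Return {ioc_type: {normalised_value: comment}} from a type,value,comment CSV.

    Values are normalised the same way the matcher normalises observations
    (lower-case hex, canonical IP text, lower-case FQDN without trailing dot),
    so a lookup is a plain dict membership test.
    """
    iocs = defaultdict(dict)
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = next(rows)
    if header != ["type", "value", "comment"]:
        raise ValueError(f"unexpected header {header!r}")
    for row in rows:
        if not row:
            continue
        typ, value, comment = (c.strip() for c in row)
        comment = comment.strip("'").replace("\\r\\n", "; ")
        if typ == "sha1":
            value = value.lower()
            if not SHA1_RE.fullmatch(value):
                raise ValueError(f"malformed sha1 {value!r}")
        elif typ == "ip-dst":
            value = str(ipaddress.ip_address(value))  # raises on garbage
        elif typ == "hostname":
            value = value.lower().rstrip(".")
        else:
            raise ValueError(f"unsupported IoC type {typ!r}")
        iocs[typ][value] = comment
    return dict(iocs)


def scan_log(lines, iocs):
    """Match query=/dst=/sha1= fields of key=value log lines against the IoC sets.

    Returns a list of (line_number, ioc_type, normalised_value, comment) hits.
    dst= values are assumed to be IPv4 with an optional :port suffix.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        if "query" in fields:
            qname = fields["query"].lower().rstrip(".")
            if qname in iocs.get("hostname", {}):
                hits.append((lineno, "hostname", qname, iocs["hostname"][qname]))
        if "dst" in fields:
            ip = fields["dst"].rsplit(":", 1)[0]
            if ip in iocs.get("ip-dst", {}):
                hits.append((lineno, "ip-dst", ip, iocs["ip-dst"][ip]))
        if "sha1" in fields:
            digest = fields["sha1"].lower()
            if digest in iocs.get("sha1", {}):
                hits.append((lineno, "sha1", digest, iocs["sha1"][digest]))
    return hits


# Constructed sample telemetry (hostnames, timestamps and path are invented).
SAMPLE_LOG = [
    "2022-09-06T10:00:01Z host=ws-17 query=AIRPLANE.travel-commercials.agency.",
    "2022-09-06T10:00:02Z host=ws-17 dst=118.193.78.22:443 proto=tcp",
    "2022-09-06T10:00:03Z host=ws-17 dst=93.184.216.34:443 proto=tcp",
    "2022-09-06T10:00:04Z host=ws-17 sha1=757ABA12D04FD1167528FDD107A441D11CD8C427 path=C:\\Windows\\Temp\\x.dll",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_iocs(IOC_CSV)):
        print(hit)
```

Mixed-case DNS names and upper-case hex digests in the sample log are deliberate: a matcher that compares raw strings misses both, which is why normalisation lives in one place for indicators and observations alike. Feeding the full table from this page instead of the excerpt only requires replacing the `IOC_CSV` string.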