At a glance.
- Worok cyberespionage group active in Central Asia and the Middle East.
- Prynt Stealer and the evolution of commodity malware.
- Sharkbot malware reemerged in Google Play.
- BlackCat/ALPHV claims credit for attack on Italian energy sector.
- US military doxed, possibly by Conti remnants.
- Catphishing for target indicators.
- Los Angeles Unified School District hit with ransomware over the weekend.
Worok cyberespionage group active in Central Asia and the Middle East.
ESET has released research into a threat group it's calling "Worok." They characterize it as sophisticated, and while "sophisticated" is thrown around a lot, in this case ESET uses it with some justice. "Worok is a cyberespionage group that develops its own tools, as well as leveraging existing tools, to compromise its targets." The motive is espionage. "Stealing information from their victims is what we believe the operators are after because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities." It's unclear whom Worok is working for, despite some circumstantial overlap with other groups, some of them associated with Beijing. "Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence. Their custom toolset includes two loaders – one in C++ and one in C# .NET – and one PowerShell backdoor." And ESET invites contributions from other researchers. "While our visibility is limited, we hope that shedding light on this group will encourage other researchers to share information about this group."