A new threat cluster, tracked by SentinelLabs as WIP19, has been targeting telecommunications and IT service providers across the Middle East and Asia.
According to the security experts, the group is characterized by the use of a legitimate, stolen digital certificate issued by DEEPSoft, a Korean company specializing in messaging solutions.
“Throughout this activity, the threat actor abused the certificate to sign several malicious components,” SentinelLabs explained.
“Almost all operations performed by the threat actor were completed in a ‘hands-on keyboard’ fashion during an interactive session with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for stealth.”
The SentinelLabs analyses of the backdoors utilized also suggested parts of the components used by WIP19 were created by WinEggDrop, a well-known Chinese-speaking malware author who has developed tools for various groups and been active since 2014.
“The use of WinEggDrop-authored malware, stolen certificates and correlating TTPs [tactics, techniques and procedures] indicate possible links to Operation Shadow Force, as reported by TrendMicro and AhnLab,” SentinelLabs explained.
“As the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of operation ‘Shadow Force’ or simply a different actor utilizing similar TTPs. The activity we observed, however, represents a more mature actor, utilizing new malware and techniques.”
Additionally, SentinelLabs linked an implant dubbed “SQLMaggie,” recently described by DCSO CyTec, to WIP19’s latest activity.
“SQLMaggie appears to be actively maintained and provides insights into the development timeline with hardcoded version names.”
Because of its advanced TTPs, SentinelLabs warned that WIP19 is an example of the greater breadth of Chinese espionage activity targeting critical infrastructure organizations.
“The existence of reliable quartermasters and common developers enables a landscape of hard-to-identify threat groups that are using similar tooling, making threat clusters difficult to distinguish from the defenders’ point of view,” the team wrote.
“We hope this report helps move the needle forward in the effort to continue identifying threat groups engaged in spying on industries critical to society.”
China-based threat actors were also under the spotlight last week when Meta said it was suing three developers for allegedly tricking users into downloading fake versions of the app that harvested their login details.