A new cyberespionage group has been targeting IT services providers and telecommunications firms with signed malware. The group, dubbed WIP19, shares some similarities with Operation Shadow Force.
The WIP19 group
According to SentinelOne, WIP19 is focused on entities located in the Middle East and Asia. Further, the group has been using stolen certificates to sign malicious components.
- So far, the group has used different malware families such as SQLMaggie backdoor, ScreenCap, and a credential dumper.
- Some of the portions of the backdoor components were created by WinEggDrop, a Chinese-speaking malware author.
- It has been discovered that the group relies on DLL search order hijacking for loading a keylogger and a screen recorder. The keylogger targets the victim’s browser, to harvest credentials and other sensitive details.
Use of stolen certificates
The group has been observed using stolen certificates to sign malicious components.
- The valid certificate used to sign malware was issued to Korean messaging provider DEEPSoft. The same certificate was used to sign genuine software in the past and is, therefore, believed to be stolen by WIP19 for these attacks.
- All of WIP19’s credential harvesting tools were signed using the stolen certificate. This includes a password dumper that is based on an open-source code project used to load an SSP to LSASS and dump the process.
More about the tools
The ScreenCap malware has been linked to the WIP19 that performs a series of checks involving the victim’s machine name. It implies that the malware was tailored for each victim.
- SQLMaggie backdoor seems to be sold privately, as no portions of the code are found publicly.
- The backdoor masqueraded as a genuine DLL to carry out network reconnaissance. This DLL is registered to the MSSQL Server for providing control over the server machine.
- Every version of the backdoor could support different commands according to the targeted environment.
Conclusion
The WIP19 group is suspected to be of Chinese origin due to overlaps with Operation Shadow Force via WinEggDrop, the use of stolen certificates, and similar TTPs. The intrusions involved precision targeting, along with a low volume of attacks. Organizations are suggested to stay protected by staying informed via services like threat intelligence sharing that enables real-time intelligence sharing, giving defenders a distinct advantage over-organized, well-funded adversaries.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_432988318.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/f512_Blog_BlackBasta_V02.jpg)
