
WIP26 Espionage Attack Targets Telecom Providers in the Middle East

Researchers have identified a cluster of cyber activities, dubbed WIP26, targeting telecommunication providers in the Middle East. The peculiar thing about this set of activities is the heavy reliance on public cloud infrastructure, including Microsoft Azure, Microsoft 365 Mail, Google Firebase, and Dropbox for data exfiltration, malware delivery, and C2.

The WIP26 campaign

A collaborative study of the malware and infrastructure used by WIP26 describes it as an intelligence-gathering operation in which the adversaries route their traffic through legitimate cloud services so that it blends in with normal network activity.
  • The attack begins with a WhatsApp message sent to employees of the targeted organization. 
  • This message contains a Dropbox link to an archive file, pretending to be a document about poverty-related issues in the Middle East.
  • The archive carries that document together with a malware loader (PDFelement.exe) masquerading as the PDFelement application.
  • This loader is designed to drop custom-built backdoors, including CMD365 and CMDEmber.

About the backdoors

Researchers detected several CMD365 and CMDEmber samples that abuse Google Firebase and Microsoft 365 Mail for C2 and execute the commands received from the attackers on the compromised system.
  • CMD365 is a .NET executable (named Update.exe) that pretends to be a genuine Postman application. It creates a scheduled task on the infected system to ensure persistence. Additionally, it is capable of data exfiltration, privilege escalation, reconnaissance, and staging additional malware.
  • CMDEmber, another .NET executable (named Launcher.exe), masquerades as the Opera browser. It uses the open-source Firebase library to interact with Google Firebase instances via HTTP requests.
  • It steals private browser data and reconnaissance information from the chosen high-value hosts. This data is transmitted via PowerShell commands to the Azure instances controlled by targets.
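Because the C2 and exfiltration channels here are legitimate cloud services, blocking by destination alone does not work; a defender instead has to correlate which process is talking to which service. The following is an added example (not code from the page or from the researchers) that applies that idea to constructed process-network events: it flags the masqueraded process names the page lists (PDFelement.exe, Update.exe, Launcher.exe) when an unsigned copy reaches one of the abused cloud services. The event schema, the host-suffix list and the assumption that the collector reports code-signing status are all assumptions of this example.

```python
# Added example: correlate masqueraded process names with cloud-service destinations.
# Event schema, host suffixes and sample events below are constructed for illustration.

# Process names the page reports WIP26 using to pose as legitimate software.
MASQUERADED_NAMES = {"pdfelement.exe", "update.exe", "launcher.exe"}

# Cloud services the page lists as abused for delivery, C2 and exfiltration.
# The host suffixes are assumptions, not indicators taken from the page.
CLOUD_SERVICES = {
    "firebaseio.com": "Google Firebase",
    "graph.microsoft.com": "Microsoft 365 Mail",
    "outlook.office.com": "Microsoft 365 Mail",
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "blob.core.windows.net": "Microsoft Azure",
}


def cloud_service(host):
    """Return the service label for a host, matching exact or subdomain suffixes only."""
    host = host.lower().rstrip(".")
    for suffix, label in CLOUD_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def is_suspect(event):
    """event: {'process': path, 'host': destination host, 'signed': bool} (constructed schema)."""
    name = event["process"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in MASQUERADED_NAMES:
        return None
    service = cloud_service(event["host"])
    if service is None:
        return None
    # Assumption: the genuine application ships signed, so an unsigned binary
    # carrying one of these names and reaching a cloud API is the pattern to flag.
    if event.get("signed"):
        return None
    return f"{name} -> {service} ({event['host']})"


def scan(events):
    """Return one finding string per suspicious event, in input order."""
    return [hit for hit in (is_suspect(ev) for ev in events) if hit]


# Constructed sample events: two WIP26-style hits, three benign lines.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\a\AppData\Roaming\Update.exe", "host": "graph.microsoft.com", "signed": False},
    {"process": r"C:\Users\a\AppData\Local\Temp\Launcher.exe", "host": "projectx.firebaseio.com", "signed": False},
    {"process": r"C:\Program Files\Postman\Update.exe", "host": "graph.microsoft.com", "signed": True},
    {"process": r"C:\Program Files\Google\Chrome\chrome.exe", "host": "app.firebaseio.com", "signed": True},
    {"process": r"C:\Users\a\AppData\Local\Temp\Launcher.exe", "host": "cdn.example.net", "signed": False},
]
```

Running `scan(SAMPLE_EVENTS)` yields the two unsigned masqueraded processes reaching Microsoft 365 Mail and Google Firebase; the signed updater, the browser and the non-cloud destination are left alone.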
Ending notes

Espionage attacks on Middle Eastern organizations are not new. What sets this one apart is WIP26's heavy use of public cloud infrastructure, which indicates an intent to operate without raising any red flags. For protection against such sophisticated attacks, researchers suggest staying current with the latest cyber activities across the sector and leveraging a threat intelligence platform that caters to your needs.
Cyware Publisher