Infosecurity Magazine | News | 2022-10-13

Chinese APT WIP19 Targets IT Service Providers and Telcos

A new threat cluster, tracked by SentinelLabs as WIP19, has been targeting telecommunications and IT service providers across the Middle East and Asia.

According to the security experts, the group is characterized by the use of a legitimate, stolen digital certificate issued by DEEPSoft, a Korean company specializing in messaging solutions.

"Throughout this activity, the threat actor abused the certificate to sign several malicious components," SentinelLabs explained.

"Almost all operations performed by the threat actor were completed in a 'hands-on keyboard' fashion during an interactive session with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for stealth."

SentinelLabs' analysis of the backdoors also suggested that parts of the components used by WIP19 were created by WinEggDrop, a well-known Chinese-speaking malware author who has developed tools for various groups and has been active since 2014.

"The use of WinEggDrop-authored malware, stolen certificates and correlating TTPs [tactics, techniques and procedures] indicate possible links to Operation Shadow Force, as reported by TrendMicro and AhnLab," SentinelLabs explained.

"As the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of operation 'Shadow Force' or simply a different actor utilizing similar TTPs. The activity we observed, however, represents a more mature actor, utilizing new malware and techniques."

Additionally, SentinelLabs linked an implant dubbed "SQLMaggie," recently described by DCSO CyTec, to WIP19's latest activity.

"SQLMaggie appears to be actively maintained and provides insights into the development timeline with hardcoded version names."

Given its advanced TTPs, SentinelLabs warned, WIP19 is an example of the greater breadth of Chinese espionage activity targeting critical infrastructure organizations.

"The existence of reliable quartermasters and common developers enables a landscape of hard-to-identify threat groups that are using similar tooling, making threat clusters difficult to distinguish from the defenders' point of view," the team wrote.

"We hope this report helps move the needle forward in the effort to continue identifying threat groups engaged in spying on industries critical to society."

China-based threat actors were also under the spotlight last week when Meta said it was suing three developers for allegedly tricking users into downloading fake versions of the app that harvested their login details.
