New Chinese APT Hacker Attack IT & Telecom Sectors with Signed Malware

Security researchers at SentinelOne have identified an emerging APT group, code-named WIP19, whose attacks in the Middle East and Asia target telecommunications companies and IT companies.

Researchers believed that the group is a Chinese-speaking threat actor that has been active for cyber espionage purposes.

It turns out that this APT and Operation Shadow Force share some similarities. The campaign involves newly developed malware and techniques devised by the threat actors.

Actors Abused Valid Certificates

There are several malicious components that are being signed by WIP19 using stolen certificates to evade detection. One of the defining features of the group is that it uses a stolen digital certificate issued by a company named DEEPSoft, which is a legitimate Korean company.

There is no doubt that almost all of the activity attributed to this threat actor was carried out hands-on keyboard: in this instance, the compromised machine was operated during a live interactive session with the attacker.

To remain stealthy, the attacker used a stable C2 channel for communication.

According to the report, WIP19 uses some components developed by WinEggDrop as a part of the attack. Since 2014, WinEggDrop has created malware tools employed by a variety of threat groups.

It must be noted that the stolen certificate was used in the signing of all the tools used by the threat actor to harvest credentials.

Types of Tools Used

This group relies on a bespoke set of tools to mount its intrusions. In short, the threat actors used the following tools in the course of their attacks:

  • Credential dumper
  • Network scanner
  • Browser stealer
  • Keylogger & Screen Recording (ScreenCap)
  • ExtendedProcedure SQL (SQLMaggie)

Unlike other hacking tools, SQLMaggie has the ability to penetrate Microsoft SQL servers and run arbitrary commands through SQL queries with ease.

Depending on the type of targeted environment, different versions of the backdoor may be able to execute different commands. Furthermore, it appears that SQLMaggie is either exclusively available to the group or it may also be sold privately.
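Because SQLMaggie is loaded as an extended stored procedure, a defender can look for it on the SQL Server side. The following T-SQL hunting queries are an added example, not part of the SentinelOne report; they assume a sysadmin login on each instance and that the DLL-path and vendor heuristics are tuned to the environment.

```sql
-- Added hunting queries (not from the SentinelOne report). Run as sysadmin on
-- each SQL Server instance; extended procedures only live in master.
USE master;
GO

-- 1. Extended stored procedures that Microsoft did not ship. A SQLMaggie-style
--    backdoor is registered with sp_addextendedproc and shows up here, so every
--    row needs a known owner and a documented reason to exist.
SELECT name, dll_name, create_date, modify_date
FROM sys.extended_procedures
WHERE is_ms_shipped = 0
ORDER BY create_date DESC;
GO

-- 2. DLLs currently loaded into the sqlservr.exe process whose version metadata
--    does not name Microsoft. An extended procedure DLL stays resident after its
--    first call, so this catches one that is active now even if it was
--    registered under an innocuous name. Expect benign hits from third-party
--    security agents; triage those against their signer and install path.
SELECT name, company, description, file_version
FROM sys.dm_os_loaded_modules
WHERE company IS NULL OR company NOT LIKE '%Microsoft%'
ORDER BY name;
GO
```

A row from query 1 whose dll_name points outside the instance's Binn directory, or whose file is signed by a certificate the organisation does not recognise, should be treated as an incident until proven otherwise.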

Viewed through the lens of WIP19, it is apparent that Chinese espionage extends to a much broader range of industries, especially critical infrastructure.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.