Cyber Security News

New Chinese APT Hacker Attack IT & Telecom Sectors with Signed Malware

Security researchers at SentinelOne have identified an emerging APT group, tracked as WIP19, that is targeting telecommunications and IT companies in the Middle East and Asia.

The researchers assess that the group is a Chinese-speaking threat actor operating for cyber-espionage purposes.

WIP19 also shows some overlap with the earlier Operation Shadow Force campaign, although the current activity relies on newly developed malware and techniques.

Actors Abused Valid Certificates

WIP19 signs several of its malicious components with stolen certificates to evade detection. One of the group's defining features is its use of a stolen code-signing certificate issued to DEEPSoft, a legitimate Korean company.

Almost all of the activity attributed to this actor was hands-on-keyboard: rather than relying on automated payloads, the attacker operated the compromised machine in a live interactive session.

To stay under the radar, the attacker relied on a stable command-and-control (C2) channel for communication.

According to the report, some of the components WIP19 uses were developed by WinEggDrop, a malware author whose tools have been employed by a variety of threat groups since 2014.

Notably, all of the credential-harvesting tools used by the threat actor were signed with the stolen certificate.
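As an added example (not code from the article or from SentinelOne's report), the following PowerShell hunts a file tree for Authenticode-signed binaries whose signer matches a watchlist. The signer is matched as a substring of the certificate Subject, which assumes the stolen certificate's Subject contains the company name "DEEPSoft"; the thumbprint list is left empty because the page gives none. The caveat it encodes is the one that matters for this campaign: a stolen certificate still reports Status "Valid" until the issuer revokes it, so signature validity alone is not a detection.

```powershell
# Added example, not the article's or SentinelOne's code.
# Walks a directory tree, reads the Authenticode signer of each PE file and
# flags files whose signer Subject or Thumbprint is on a watchlist.
$WatchedSubjects    = @('DEEPSoft')   # assumed: the Subject contains the company name
$WatchedThumbprints = @()             # fill with SHA-1 thumbprints from your own intel

function Find-WatchedSigner {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $Subjects    = $WatchedSubjects,
        [string[]] $Thumbprints = $WatchedThumbprints
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            if (-not $sig.SignerCertificate) { return }   # unsigned files are out of scope here

            $cert       = $sig.SignerCertificate
            $subjectHit = $Subjects | Where-Object { $cert.Subject -like "*$_*" }
            $thumbHit   = $Thumbprints -contains $cert.Thumbprint

            if ($subjectHit -or $thumbHit) {
                [pscustomobject]@{
                    Path       = $file.FullName
                    # 'Valid' here does not mean benign: a stolen certificate
                    # validates until it is revoked, so match on the signer, not the status.
                    Status     = $sig.Status
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    SHA256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Usage: scan locations where dropped tooling commonly lands (paths are assumptions).
Find-WatchedSigner -Path 'C:\Windows\Temp', 'C:\Users' | Format-Table -AutoSize
```

Once a thumbprint is known, prefer it over the Subject match: Subject strings are easy to imitate with a self-signed certificate, whereas the thumbprint identifies the exact stolen certificate.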

Types of Tools Used

The group mounts its intrusions with a bespoke toolset. The tools observed in its attacks are listed below:

  • Credential dumper
  • Network scanner
  • Browser stealer
  • Keylogger & Screen Recording (ScreenCap)
  • SQL Server extended stored procedure backdoor (SQLMaggie)

SQLMaggie stands out among the group's tools: it is loaded into Microsoft SQL Server as an extended stored procedure, which lets the attacker run arbitrary commands on the database server simply by issuing SQL queries.

Different versions of the backdoor support different commands, apparently depending on the targeted environment. SQLMaggie also appears to be either exclusive to the group or sold privately.
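As an added example (not code from the article or from SentinelOne's report), the following PowerShell queries a SQL Server instance for extended stored procedures that Microsoft did not ship, or whose backing DLL is referenced by a path rather than a bare file name. Extended stored procedures are registered with sp_addextendedproc and appear in master.sys.extended_procedures together with their dll_name, so a backdoor loaded the way SQLMaggie is has to show up there. The instance name and the use of Windows authentication are assumptions; the "path instead of bare name" heuristic is mine, based on the fact that built-in procedures reference DLLs in the instance's Binn directory by name only.

```powershell
# Added example, not the article's or SentinelOne's code.
# Lists extended stored procedures that were registered by a user rather than
# shipped by Microsoft, or that point at their DLL by path. Both are unusual on
# a healthy instance and are where an extended-procedure backdoor would appear.
function Get-SuspiciousExtendedProcedures {
    param(
        # Assumed: the instance accepts Windows authentication from the caller.
        [Parameter(Mandatory)] [string] $ServerInstance
    )

    $query = @"
SELECT o.name, x.dll_name, o.create_date, o.modify_date, o.is_ms_shipped
FROM master.sys.objects AS o
JOIN master.sys.extended_procedures AS x ON x.object_id = o.object_id
WHERE o.is_ms_shipped = 0        -- registered via sp_addextendedproc, not by Microsoft
   OR x.dll_name LIKE '%\%';     -- DLL given by path (local or UNC) instead of a bare name
"@

    $connString = "Server=$ServerInstance;Database=master;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection($connString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Name      = $reader['name']
                DllName   = $reader['dll_name']
                Created   = $reader['create_date']
                Modified  = $reader['modify_date']
                MsShipped = [bool]$reader['is_ms_shipped']
            }
        }
        $reader.Close()
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (instance name is an assumption); an empty result is the expected baseline.
Get-SuspiciousExtendedProcedures -ServerInstance 'SQL01' | Format-Table -AutoSize
```

Any row this returns deserves a look at the DLL on disk: check who signed it, when it was written, and whether the sysadmin login that registered it is accounted for. Because the backdoor runs inside the SQL Server process, the commands it executes inherit the service account's privileges, so the service account's rights on the host are the blast radius.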

Viewed through the lens of WIP19, Chinese espionage activity clearly extends across a much broader range of industries, especially critical-infrastructure sectors such as telecommunications.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
