"Novel Spy Group Targets Telecoms in 'Precision-Targeted' Cyberattacks"

A threat actor is targeting telecommunications companies in the Middle East through a cyber espionage campaign similar to those that have targeted such organizations in numerous nations over the past few years. Researchers from SentinelOne who discovered the new campaign identified it as WIP26, a label the company assigns to activity that has not been attributed to a specific threat group. They observed WIP26 using public cloud infrastructure to distribute malware, store exfiltrated data, and host command-and-control (C2) operations. The security company determined that the threat actor uses this technique to make its activity on compromised networks more difficult to detect. The attacks reported by SentinelOne typically began with WhatsApp messages sent to specific persons within targeted Middle Eastern telecommunications companies. The messages contained a link to a Dropbox archive file holding documents on poverty-related topics relevant to the region; in reality, the archive also contained a malware loader. Those tricked into clicking the link had two backdoors installed on their devices: SentinelOne found that the CMD365 backdoor uses a Microsoft 365 Mail client as its C2 channel, and that the CMDEmber backdoor uses a Google Firebase instance for the same purpose. The security vendor stated that WIP26 used the backdoors to conduct reconnaissance, elevate privileges, and deploy more malware, as well as to collect users' private browsing data, information about high-value devices on the victim's network, and more. This article continues to discuss findings and observations regarding the new WIP26 campaign.

Dark Reading reports "Novel Spy Group Targets Telecoms in 'Precision-Targeted' Cyberattacks"
