"New Chinese Cyberespionage Group WIP19 Targets Telcos, IT Service Providers"

According to researchers at SentinelOne, a newly identified cyberespionage group operating out of China has been targeting IT service providers and telecommunications companies with signed malware. The activities of this advanced persistent threat (APT), which the researchers track as WIP19, show overlaps with Operation Shadow Force, but it is unclear whether this is a new iteration of that campaign or the work of a different, more mature adversary using new malware and techniques.

The researchers stated that WIP19 is mainly focused on entities in the Middle East and Asia and is using stolen certificates to sign several malicious components. To date, the group has been observed using malware families such as ScreenCap, SQLMaggie, and a credential dumper. The researchers stated that their analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggests that portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014. The researchers noted that the valid certificate WIP19 has been using to sign its malware was issued to Korean messaging provider DEEPSoft Co. and was likely stolen by the threat actor, given that it was also used to sign legitimate software in the past.

According to the researchers, all of the threat actor's credential harvesting tools were signed using the stolen certificate, including a password dumper relying on open-source code to load an SSP into LSASS and dump the process. The researchers have also observed WIP19 relying on DLL search order hijacking to load a keylogger and a screen recorder. The keylogger mainly targets the victim's browser to harvest credentials and other sensitive information. The ScreenCap malware attributed to the APT performs a series of checks that involve the victim's machine name, which suggests that it was specifically tailored for each victim.

The researchers noted that in attacks employing SQLMaggie, the backdoor was seen masquerading as a legitimate DLL registered to the MSSQL Server, providing the attackers with control over the server machine to perform network reconnaissance.
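The summary above mentions two traces a defender can look for when a credential dumper loads an SSP into LSASS: a change to the LSA "Security Packages" registry value, and a DLL loaded into lsass.exe whose signer is not Microsoft. The point the stolen-certificate detail makes is that a valid signature alone is not a clean bill of health. The following is an added detection sketch, not code from SentinelOne, SecurityWeek, or the WIP19 tooling; the event records are constructed in Sysmon's field layout (Event ID 13 registry value set, Event ID 7 image load), the baseline package list, the signer allow-list, and the file and signer names are assumptions chosen for illustration.

```python
"""Added detection example (not from the SentinelOne/SecurityWeek write-up).

Flags two observable traces of the "load an SSP into LSASS" credential-dumping
technique, over constructed Sysmon-style event records:
  * a write to the Lsa "Security Packages" registry value that adds a package
    missing from a known-good baseline (the SSP is loaded at next boot), and
  * a DLL loaded into lsass.exe whose Authenticode signer is not on the trusted
    list, even when the signature status is valid, because a stolen but valid
    certificate passes a plain "is it signed?" check.
"""

# Registry values LSASS reads its SSP list from (real Windows paths, lower-cased
# for comparison because Sysmon's TargetObject casing varies).
SSP_REG_VALUES = {
    r"hklm\system\currentcontrolset\control\lsa\security packages",
    r"hklm\system\currentcontrolset\control\lsa\osconfig\security packages",
}
# Signers expected for modules inside LSASS; extend per environment (assumption).
TRUSTED_LSASS_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}
LSASS_IMAGE = r"c:\windows\system32\lsass.exe"
# Constructed known-good package list for the baseline comparison (assumption).
BASELINE_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

# Constructed sample events (not real telemetry). Keys mirror Sysmon EID 13 / 7.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Public\svc.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u examplessp"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\msv1_0.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\examplessp.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Messaging Co."},
    # Same third-party signer, but loaded into explorer.exe: not an LSASS concern here.
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Messaging Co."},
]


def ssp_registry_finding(event, baseline=BASELINE_PACKAGES):
    """Return a finding if a Security Packages write adds a package not in the baseline."""
    if event.get("EventID") != 13:
        return None
    if event.get("TargetObject", "").lower() not in SSP_REG_VALUES:
        return None
    added = set(event.get("Details", "").split()) - baseline
    if not added:
        return None
    return {"rule": "lsa-security-packages-modified",
            "image": event.get("Image"), "added": sorted(added)}


def lsass_module_finding(event, trusted=TRUSTED_LSASS_SIGNERS):
    """Return a finding for any module loaded into lsass.exe by a non-trusted signer."""
    if event.get("EventID") != 7 or event.get("Image", "").lower() != LSASS_IMAGE:
        return None
    signer = event.get("Signature", "")
    if event.get("SignatureStatus") == "Valid" and signer in trusted:
        return None
    return {"rule": "lsass-untrusted-module-load",
            "module": event.get("ImageLoaded"), "signer": signer or "<unsigned>"}


def analyze(events):
    """Run both checks over a sequence of events and collect the findings in order."""
    findings = []
    for event in events:
        for check in (ssp_registry_finding, lsass_module_finding):
            finding = check(event)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The signer allow-list is deliberately an allow-list rather than a block-list: the registry write and the LSASS module load are both expected to be rare and Microsoft-only on a healthy host, so anything else is worth a look regardless of whether its certificate chain validates.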


SecurityWeek reports: "New Chinese Cyberespionage Group WIP19 Targets Telcos, IT Service Providers"
