WIP19, a new Chinese APT targets IT Service Providers and TelcosSecurity Affairs

Chinese-speaking threat actor, tracked as WIP19, is targeting telecommunications and IT service providers in the Middle East and Asia.

SentinelOne researchers uncovered a new threat cluster, tracked as WIP19, which has been targeting telecommunications and IT service providers in the Middle East and Asia.

The experts believe the group operated for cyber espionage purposes and is a Chinese-speaking threat group.

The researchers pointed out that the cluster has some overlap with Operation Shadow Force, but uses new malware and different techniques.

The activity of the group is characterized by the usage of a legitimate, stolen digital certificate issued by a company called DEEPSoft, that was used to sign malicious code in an attempt to avoid detection.

“Almost all operations performed by the threat actor were completed in a “hands-on keyboard” fashion, during an interactive session with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for stealth.” reads the report published by SentinelOne.

“Our analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggest portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014.”

The researchers noticed that portions of the malicious components used by WIP19 were developed by a Chinese-speaking group tracked as WinEggDrop, who has been active since 2014.

WIP19 also seems to be linked to the Operation Shadow Force group due to similarities in the use of malicious artifact developed by WinEggDrop and tactical overlaps.

“As the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of operation “Shadow Force” or simply a different actor utilizing similar TTPs.” continues the report. “The activity we observed, however, represents a more mature actor, utilizing new malware and techniques.”

The researchers linked an implant dubbed “SQLMaggie”, recently described by DCSO CyTec, to this activity.