Telecommunications and IT service providers in the Middle East and Asia are being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19.

The espionage-related attacks are characterized by the use of a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artefacts deployed during the infection chain to evade detection.

“Almost all operations performed by the threat actor were completed in a ‘hands-on keyboard’ fashion, during an interactive session with compromised machines,” SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich said in a report this week.

“This meant the attacker gave up on a stable [command-and-control] channel in exchange for stealth.”

WIP, short for work-in-progress, is the moniker assigned by SentinelOne to emerging or hitherto unattributed activity clusters, similar to the UNC####, DEV-####, and TAG-## designations given by Mandiant, Microsoft, and Recorded Future.

The cybersecurity firm also noted that select portions of the malicious components employed by WIP19 were authored by a Chinese-speaking malware author dubbed WinEggDrop, who has been active since 2014.